Tech Support Forum, Resolved HJT Threads (Security Center > Virus/Trojan/Spyware Help)

#1  02-22-2006, 07:26 AM
Snake_2990 (Registered User; Join Date: Jul 2004; Posts: 53; OS: XP)
got some weird program that won't go away

I've had this problem with other viruses so many times before and I got another one. I've used Ad-Aware and Spybot, and each time I log on Norton says that there is bla bla bla hack.tool located in c:/windows/system32/directx.sys (might not be exact address) and it says that it has taken no action to get rid of it or anything. I went and looked for it and couldn't find it, so that I could delete it manually, but I cannot find it anywhere. And I have the hide system files and the show hidden files thingy all done, so I should be able to see it if it were there. And now I'm using HijackThis as a last resort to get rid of this thing. It has a pretty high threat and I can't find it. Please check this log for me. Thank you.

Logfile of HijackThis v1.99.1
Scan saved at 4:25:04 PM, on 2/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe
C:\WINDOWS\system32\l074.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Philips\Philips Lime Service\bin\LimeAlive.exe
C:\Program Files\Philips\Philips Lime Service\bin\Lime.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\pre-install\My Documents\Jeff's Stuff\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\PRE-IN~1\MYDOCU~1\JEFF'S~1\spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [strtas] l074.exe
O4 - HKLM\..\RunServices: [strtas] l074.exe
O4 - HKCU\..\Run: [strtas] l074.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

#2  02-22-2006, 01:06 PM
bry623 (Manager, The Conversation Pit/Analyst, Security Team; Join Date: Apr 2002; Location: NW Territory circa 1787; Posts: 11,147; OS: winxp pro sp2)
There seems to be some info missing from your HijackThis log. Could you please repost?

#3  02-22-2006, 03:18 PM
Snake_2990 (Registered User; Join Date: Jul 2004; Posts: 53; OS: XP)
Ya, there was missing info. I had a previous log and put the stuff that I already had someone check out onto the ignore list.
Here's the full log:

Logfile of HijackThis v1.99.1
Scan saved at 3:17:19 PM, on 2/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe
C:\WINDOWS\system32\l074.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Philips\Philips Lime Service\bin\LimeAlive.exe
C:\Program Files\Philips\Philips Lime Service\bin\Lime.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\pre-install\My Documents\Jeff's Stuff\hijackthis\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\PRE-IN~1\MYDOCU~1\JEFF'S~1\spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB003" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PhilipsDM] "C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe"
O4 - HKLM\..\Run: [strtas] l074.exe
O4 - HKLM\..\RunServices: [strtas] l074.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PhilipsLime] "C:\Program Files\Philips\Philips Lime Service\bin\LimeAlive.exe"
O4 - HKCU\..\Run: [strtas] l074.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#4  02-22-2006, 03:21 PM
Snake_2990 (Registered User; Join Date: Jul 2004; Posts: 53; OS: XP)
Oh ya, and the virus is hacktool.rootkit and Norton can't do anything to it.

#5  02-22-2006, 03:23 PM
sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy; Join Date: May 2005; Posts: 23,247; OS: N/A)
Download and run BlackLight.

After you start the program and accept the license, you should see the first step (Figure 1), which lets you scan for hidden items. Note that you must have local administrative privileges to run the program.

Click Scan. BlackLight will use Windows Explorer (the desktop process) to scan for hidden items. Your anti-virus software or personal firewall might display a warning that says BlackLight (blbeta.exe) is trying to manipulate the Windows Explorer process (explorer.exe). If you want to continue the scan, you should allow BlackLight to do this.

When it finishes, click Next. You may get a screen similar to the picture below. Click on Close.

BlackLight beta will create a log file "fsbl-<date-and-time>.log". By default, the log file is in the same directory as the executable. Please post the log.


#6  02-27-2006, 08:27 PM
Snake_2990 (Registered User; Join Date: Jul 2004; Posts: 53; OS: XP)
02/27/06 20:19:19 [Info]: BlackLight Engine 1.0.32 initialized
02/27/06 20:19:19 [Info]: OS: 5.1 build 2600 (Service Pack 2)
02/27/06 20:19:20 [Note]: 7019 4
02/27/06 20:19:20 [Note]: 7005 0
02/27/06 20:19:29 [Note]: 7006 0
02/27/06 20:19:29 [Note]: 7011 3480
02/27/06 20:19:30 [Note]: FSRAW library version 1.7.1015
02/27/06 20:20:51 [Note]: 7007 0

It couldn't find anything. And I don't understand why I couldn't see the file anyway when I run my computer with the hidden and the system files and extensions and all that good stuff showing. So if it was there as even a hidden file, shouldn't I have seen it? And what does the hacktool.rootkit do exactly?

#7  02-27-2006, 08:35 PM
sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy; Join Date: May 2005; Posts: 23,247; OS: N/A)
Let's try another rootkit scanner.

Download RootKitRevealer.zip.
Unzip it to the desktop, run it, and click Scan. This will generate a log file.
Please post the entire contents of the log file in your next reply.

#8  02-28-2006, 09:27 PM
Snake_2990 (Registered User; Join Date: Jul 2004; Posts: 53; OS: XP)
Hey, downloaded it, extracted it, and now it won't run. It goes to run but doesn't go anywhere. They're attacking the computer now. I've gotten a bunch of new stuff, adpopper stuff and just a bunch of crap. Things are getting installed. I need to get these off and fast. I've seen what this stuff can do. I'm running Spybot and Ad-Aware to keep most of the stuff down. I'll post another HijackThis log after.

#9  03-01-2006, 11:49 AM
sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy; Join Date: May 2005; Posts: 23,247; OS: N/A)
Quote:
Hey, downloaded it, extracted it, and now it won't run. It goes to run but doesn't go anywhere.
I assume that you're referring to RootKit Revealer. When it's running, it will unload/dump the Registry's hives. That would cause your computer to appear as if it's not responding. Give it some time .. 2-3 minutes. You should be using the computer for anything else during this time.

Quote:
I've gotten a bunch of new stuff, adpopper stuff and just a bunch of crap. Things are getting installed. I need to get these off and fast. I've seen what this stuff can do. I'm running Spybot and Ad-Aware to keep most of the stuff down. I'll post another HijackThis log after.
There's no need to do the Ad-Aware/Spybot stuff. Just post your HijackThis log & I'll tell you what to do.

#10  03-01-2006, 08:23 PM
Snake_2990 (Registered User; Join Date: Jul 2004; Posts: 53; OS: XP)
I started it and it crashed, and this is what I had:

HKLM\SOFTWARE\Classes\CLSID\{BA576CDE-9949-4473-A8F7-6C17C2A7E600} 3/1/2006 7:06 PM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\Classes\Fseytdc.Ariaqudok 3/1/2006 3:43 PM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\Classes\Fseytdc.Ariaqudok.1 3/1/2006 3:43 PM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\text/html 3/1/2006 7:06 PM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 3/1/2006 7:06 PM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3660E8E641746494D8A2709E19831AA1\Usage\ImageZoneExpress 3/1/2006 7:06 PM 4 bytes Data mismatch between Windows API and raw hive data.

Ran it again and got this:

HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 3/1/2006 7:15 PM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3660E8E641746494D8A2709E19831AA1\Usage\ImageZoneExpress 3/1/2006 7:15 PM 4 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\pre-install\Application Data\Sskuknwrd.dll 3/1/2006 7:19 PM 42 bytes Hidden from Windows API.
C:\Documents and Settings\pre-install\Cookies\pre-install@hotstarscoop[1].txt 3/1/2006 7:19 PM 83 bytes Hidden from Windows API.
C:\Documents and Settings\pre-install\Cookies\pre-install@mbop[1].txt 3/1/2006 7:35 PM 85 bytes Hidden from Windows API.
C:\Documents and Settings\pre-install\Cookies\pre-install@mbop[2].txt 3/1/2006 6:35 PM 84 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\pre-install\Local Settings\Temporary Internet Files\Content.IE5\016BODQJ\isearch[1].htm 3/1/2006 7:09 PM 372 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\pre-install\Local Settings\Temporary Internet Files\Content.IE5\016BODQJ\rmtag3[2].js 3/1/2006 7:19 PM 14.85 KB Hidden from Windows API.
C:\Documents and Settings\pre-install\Local Settings\Temporary Internet Files\Content.IE5\C5QRO5YR\o[1].css 3/1/2006 7:19 PM 4.76 KB Hidden from Windows API.
C:\Documents and Settings\pre-install\Local Settings\Temporary Internet Files\Content.IE5\C5QRO5YR\search[1].htm 3/1/2006 7:09 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\pre-install\Local Settings\Temporary Internet Files\Content.IE5\C5QRO5YR\search[2].htm 3/1/2006 7:09 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\pre-install\Local Settings\Temporary Internet Files\Content.IE5\GDQJSDI7\isearch[1].htm 3/1/2006 7:18 PM 466 bytes Hidden from Windows API.
C:\Documents and Settings\pre-install\Local Settings\Temporary Internet Files\Content.IE5\GDQJSDI7\search[1].htm 3/1/2006 7:19 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\pre-install\Local Settings\Temporary Internet Files\Content.IE5\GDQJSDI7\search[2].htm 3/1/2006 7:19 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\pre-install\Local Settings\Temporary Internet Files\Content.IE5\GDQJSDI7\search[3].htm 3/1/2006 7:19 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\pre-install\Local Settings\Temporary Internet Files\Content.IE5\GDQJSDI7\search[4].htm 3/1/2006 7:19 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\pre-install\Local Settings\Temporary Internet Files\Content.IE5\WDYB85Q3\Ali_Landry[1].htm 3/1/2006 7:18 PM 11.08 KB Hidden from Windows API.
C:\WINDOWS\ms046733221292006.exe 3/1/2006 7:41 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\Prefetch\SS3DFO.SCR-373AD36C.pf 3/1/2006 7:32 PM 13.20 KB Hidden from Windows API.

#11  03-01-2006, 08:59 PM
Snake_2990 (Registered User; Join Date: Jul 2004; Posts: 53; OS: XP)
HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:56:55 PM, on 3/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe
C:\WINDOWS\system32\l074.exe
C:\winsysban12.exe
C:\WINDOWS\system32\dgfgql.exe
C:\WINDOWS\SYSC00.exe
C:\windows\eee2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\klsx9e.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Philips\Philips Lime Service\bin\LimeAlive.exe
C:\Program Files\Philips\Philips Lime Service\bin\Lime.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Documents and Settings\pre-install\My Documents\Jeff's Stuff\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Yvakt Class - {0DEADE31-9A37-48B2-921A-7825EA93D32A} - C:\WINDOWS\system32\wdc1n.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\PRE-IN~1\MYDOCU~1\JEFF'S~1\spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CE535C3C-C8A2-D205-F0F8-973B800074B2} - C:\WINDOWS\system32\eab.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB003" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PhilipsDM] "C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe"
O4 - HKLM\..\Run: [strtas] l074.exe
O4 - HKLM\..\Run: [winsysupd] C:\\winsysupd12.exe
O4 - HKLM\..\Run: [winsysban] C:\\winsysban12.exe
O4 - HKLM\..\Run: [NJv7jy] "C:\WINDOWS\system32\dgfgql.exe"
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [win3207322129673] C:\WINDOWS\win3207322129673.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [2<|9] C:\windows\eee2.exe
O4 - HKLM\..\Run: [loadadv64] C:\WINDOWS\system32\loadadv64
O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames12.exe
O4 - HKLM\..\Run: [LWS*] C:\windows\eee2.exe
O4 - HKLM\..\RunServices: [strtas] l074.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PhilipsLime] "C:\Program Files\Philips\Philips Lime Service\bin\LimeAlive.exe"
O4 - HKCU\..\Run: [strtas] l074.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O18 - Filter: text/html - {BA576CDE-9949-4473-A8F7-6C17C2A7E600} - C:\WINDOWS\system32\wdc1n.dll
O20 - AppInit_DLLs: repairs303169536.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: MBNCTF - Sysinternals - www.sysinternals.com - C:\DOCUME~1\PRE-IN~1\LOCALS~1\Temp\MBNCTF.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#12  03-01-2006, 09:23 PM
sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy; Join Date: May 2005; Posts: 23,247; OS: N/A)
Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Save the following instructions in Notepad, as this webpage would not be available when you're carrying out the fix.


* * * * * * UN-INSTALLING PROGRAMS * * * * * * * * * * * * * *


Go to Start -> Control Panel -> Add or Remove Programs and uninstall the following programs:
  • webHancer
Please note any other programs that you don't recognize in that list in your next response.


* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *


Do a HijackThis scan & place a check next to these items and select "Fix checked":

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Yvakt Class - {0DEADE31-9A37-48B2-921A-7825EA93D32A} - C:\WINDOWS\system32\wdc1n.dll
O2 - BHO: (no name) - {CE535C3C-C8A2-D205-F0F8-973B800074B2} - C:\WINDOWS\system32\eab.dll
O4 - HKLM\..\Run: [strtas] l074.exe
O4 - HKLM\..\Run: [winsysupd] C:\\winsysupd12.exe
O4 - HKLM\..\Run: [winsysban] C:\\winsysban12.exe
O4 - HKLM\..\Run: [NJv7jy] "C:\WINDOWS\system32\dgfgql.exe"
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [win3207322129673] C:\WINDOWS\win3207322129673.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [2<|9] C:\windows\eee2.exe
O4 - HKLM\..\Run: [loadadv64] C:\WINDOWS\system32\loadadv64
O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames12.exe
O4 - HKLM\..\Run: [LWS*] C:\windows\eee2.exe
O4 - HKLM\..\RunServices: [strtas] l074.exe
O4 - HKCU\..\Run: [strtas] l074.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O18 - Filter: text/html - {BA576CDE-9949-4473-A8F7-6C17C2A7E600} - C:\WINDOWS\system32\wdc1n.dll
O20 - AppInit_DLLs: repairs303169536.dll




* * * * * *


Download & SAVE ON DESKTOP the file attached - fix.zip

** It's important that the file must be saved to Desktop.


From within it, double-click on fix.exe & allow it to run.
It shall reboot your computer automatically & present you with a log, which you should post back here. Also post a fresh HJT log.

#13  03-02-2006, 05:30 PM
Snake_2990 (Registered User; Join Date: Jul 2004; Posts: 53; OS: XP)
Ok. I couldn't find webHancer on the list, but I did find a Surf Sidekick and I tried to uninstall it and this popped up, so I hit cancel. I know I need to get rid of this one, but I'd like you to tell me how you want me to get rid of it. And there is a program called Indeo® software. I'm not sure what it is; it's probably nothing, it doesn't raise any red flags to me. And there is a program called ICC color profiles. Both I think I might have already had on there; I just wanted to let you know in case it was anything I need to get rid of. I'm gonna go do the other things now in safe mode.

Old 03-02-2006, 06:02 PM   #14 - Snake_2990 (Registered User; Join Date: Jul 2004; Posts: 53; OS: XP)
The fix.exe won't run. It says "script ended" and that I should save the zipped archive to my desktop and press any key..., and I already have; it's already on my desktop. Well, here's my HijackThis log anyway.

Logfile of HijackThis v1.99.1
Scan saved at 6:01:26 PM, on 3/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe
C:\mousepad.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Philips\Philips Lime Service\bin\LimeAlive.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Philips\Philips Lime Service\bin\Lime.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\pre-install\My Documents\Jeff's Stuff\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\PRE-IN~1\MYDOCU~1\JEFF'S~1\spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB003" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PhilipsDM] "C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe"
O4 - HKLM\..\Run: [keyboard] C:\\keyboard.exe
O4 - HKLM\..\Run: [mousepad] C:\\mousepad.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PhilipsLime] "C:\Program Files\Philips\Philips Lime Service\bin\LimeAlive.exe"
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O20 - AppInit_DLLs: repairs303169536.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: MBNCTF - Sysinternals - www.sysinternals.com - C:\DOCUME~1\PRE-IN~1\LOCALS~1\Temp\MBNCTF.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Not everything came off, as you probably have already found out.
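Added example (not part of the thread, and not code from HijackThis): a small Python triage script that applies the kind of checks a helper runs while reading the O4, R0/R1, O15, O18, O20 and O23 lines of a log like the one above. The sample lines are copied from the logs posted in this thread; the heuristics, the `KNOWN_BARE` allowlist and every function name are the example's own assumptions, and a clean result from it is not proof that an entry is legitimate.

```python
"""Heuristic triage of HijackThis log lines.

Added example: not from this thread or from HijackThis. The sample lines
below are copied from the logs posted in the thread; the checks, the
KNOWN_BARE allowlist and the function names are this example's own.
"""
import re

# Lines copied from the HijackThis logs posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [keyboard] C:\\keyboard.exe
O4 - HKLM\..\Run: [mousepad] C:\\mousepad.exe
O4 - HKLM\..\Run: [strtas] l074.exe
O4 - HKLM\..\RunServices: [strtas] l074.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [2<|9] C:\windows\eee2.exe
O15 - Trusted Zone: *.media-motor.net
O18 - Filter: text/html - {BA576CDE-9949-4473-A8F7-6C17C2A7E600} - C:\WINDOWS\system32\wdc1n.dll
O20 - AppInit_DLLs: repairs303169536.dll
O23 - Service: MBNCTF - Sysinternals - www.sysinternals.com - C:\DOCUME~1\PRE-IN~1\LOCALS~1\Temp\MBNCTF.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*) - (?P<path>[A-Za-z]:\\.*)$")

# Bare filenames that legitimately resolve from System32 (assumed allowlist).
KNOWN_BARE = {"rundll32.exe"}


def executable_of(cmd):
    """Pull the program out of an O4 command line (quoted path, or up to the first .exe)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    idx = cmd.lower().find(".exe")
    if idx != -1:
        return cmd[:idx + 4]
    return cmd.split()[0] if cmd else cmd


def triage_line(line):
    """Return the reasons a line deserves a second look; an empty list means nothing stood out."""
    reasons = []
    m = O4_RE.match(line)
    if m:
        # HJT prints files in the drive root as C:\\name.exe; collapse that for matching.
        exe = executable_of(m.group("cmd")).replace("\\\\", "\\")
        if re.fullmatch(r"[A-Za-z]:\\[^\\]+", exe):
            reasons.append("executable sits in the drive root")
        if "\\" not in exe and exe.lower() not in KNOWN_BARE:
            reasons.append("bare filename resolved via the search path; confirm where it lives")
        if m.group("key").lower() == "runservices":
            reasons.append("RunServices key: a Win9x-era key that XP software rarely uses")
        if not re.fullmatch(r"[\w .-]*", m.group("name")):
            reasons.append("autostart name is a string of symbols")
        return reasons
    if line.startswith("O15 - Trusted Zone:"):
        reasons.append("site added to IE's Trusted Zone, which relaxes security settings for it")
    elif line.startswith("O18 - Filter: text/html"):
        reasons.append("MIME filter on text/html: every web page is routed through this DLL")
    elif line.startswith("O20 - AppInit_DLLs:") and line.partition(":")[2].strip():
        reasons.append("AppInit_DLLs is set: the DLL is loaded into every process that loads user32.dll")
    elif line.startswith("O23 - Service:"):
        m = O23_RE.match(line)
        if m and "\\temp\\" in m.group("path").lower():
            reasons.append("service binary runs from a Temp directory")
    elif line.startswith(("R0 -", "R1 -")) and "=" in line:
        url = line.split("=", 1)[1].strip().lower()
        if not any(d in url for d in ("microsoft.com", "msn.com")):
            reasons.append("IE search/start page points at a third-party site")
    return reasons


def triage_log(text):
    """Map every flagged line to its reasons; clean lines are left out."""
    findings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            reasons = triage_line(line)
            if reasons:
                findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("    -", r)
```

Run on the sample, it flags ten of the thirteen lines and leaves the NVIDIA entries alone; SurfSideKick is not caught because its path looks ordinary, which is why name-based lookups of known adware remain a separate step from these structural checks.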
Old 03-02-2006, 08:28 PM   #15 - sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy; Join Date: May 2005; Posts: 23,247; OS: N/A)
As for SurfSideKick, type in the code as displayed by your screenshot. You need to do that to remove it.

Fix.zip must be located on your Desktop. It mustn't be renamed, nor should it be placed into another folder. Please try running it again.
Old 03-03-2006, 02:38 PM   #16 - Snake_2990 (Registered User; Join Date: Jul 2004; Posts: 53; OS: XP)
I use Firefox and it would download files to my downloads folder, and when I moved it, it wouldn't work, so I used Internet Explorer and had it downloaded straight to the desktop, and it worked perfectly fine. I don't know why it didn't work before. Anyway, here's the fix log.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\mteccpni

*******************

Script file located at: \??\C:\Documents and Settings\fkpftwyy.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\l074.exe deleted successfully.
File C:\winsysban12.exe deleted successfully.
File C:\WINDOWS\system32\dgfgql.exe deleted successfully.
File C:\WINDOWS\SYSC00.exe deleted successfully.
File C:\windows\eee2.exe deleted successfully.
File C:\WINDOWS\system32\klsx9e.exe deleted successfully.
File C:\winsysupd12.exe deleted successfully.


File C:\WINDOWS\win3207322129673.exe not found!
Deletion of file C:\WINDOWS\win3207322129673.exe failed!

Could not process line:
C:\WINDOWS\win3207322129673.exe
Status: 0xc0000034

File C:\WINDOWS\system32\loadadv64 deleted successfully.
File C:\gimmygames12.exe deleted successfully.


File C:\WINDOWS\system32\wdc1n.dll not found!
Deletion of file C:\WINDOWS\system32\wdc1n.dll failed!

Could not process line:
C:\WINDOWS\system32\wdc1n.dll
Status: 0xc0000034



File C:\WINDOWS\system32\eab.dll not found!
Deletion of file C:\WINDOWS\system32\eab.dll failed!

Could not process line:
C:\WINDOWS\system32\eab.dll
Status: 0xc0000034



File C:\WINDOWS\system32\repairs303169536.dll not found!
Deletion of file C:\WINDOWS\system32\repairs303169536.dll failed!

Could not process line:
C:\WINDOWS\system32\repairs303169536.dll
Status: 0xc0000034



File C:\Documents and Settings\pre-install\Application Data\Sskuknwrd.dll not found!
Deletion of file C:\Documents and Settings\pre-install\Application Data\Sskuknwrd.dll failed!

Could not process line:
C:\Documents and Settings\pre-install\Application Data\Sskuknwrd.dll
Status: 0xc0000034

File C:\Documents and Settings\pre-install\Cookies\pre-install@hotstarscoop[1].txt deleted successfully.


Could not open file C:\Documents and Settings\pre-install\Cookies\pre-install@mbop[1].txt 3/1/2006 for deletion
Deletion of file C:\Documents and Settings\pre-install\Cookies\pre-install@mbop[1].txt 3/1/2006 failed!

Could not process line:
C:\Documents and Settings\pre-install\Cookies\pre-install@mbop[1].txt 3/1/2006
Status: 0xc0000033



Could not open file C:\Documents and Settings\pre-install\Cookies\pre-install@mbop[2].txt 3/1/2006 for deletion
Deletion of file C:\Documents and Settings\pre-install\Cookies\pre-install@mbop[2].txt 3/1/2006 failed!

Could not process line:
C:\Documents and Settings\pre-install\Cookies\pre-install@mbop[2].txt 3/1/2006
Status: 0xc0000033



File C:\Documents and Settings\pre-install\Local Settings\Temporary Internet Files\Content.IE5\016BODQJ\isearch[1].htm not found!
Deletion of file C:\Documents and Settings\pre-install\Local Settings\Temporary Internet Files\Content.IE5\016BODQJ\isearch[1].htm failed!

Could not process line:
C:\Documents and Settings\pre-install\Local Settings\Temporary Internet Files\Content.IE5\016BODQJ\isearch[1].htm
Status: 0xc0000034

File C:\Documents and Settings\pre-install\Local Settings\Temporary Internet Files\Content.IE5\016BODQJ\rmtag3[2].js deleted successfully.
File C:\Documents and Settings\pre-install\Local Settings\Temporary Internet Files\Content.IE5\C5QRO5YR\o[1].css deleted successfully.


File C:\Documents and Settings\pre-install\Local Settings\Temporary Internet Files\Content.IE5\C5QRO5YR\search[1].htm not found!
Deletion of file C:\Documents and Settings\pre-install\Local Settings\Temporary Internet Files\Content.IE5\C5QRO5YR\search[1].htm failed!

Could not process line:
C:\Documents and Settings\pre-install\Local Settings\Temporary Internet Files\Content.IE5\C5QRO5YR\search[1].htm
Status: 0xc0000034



File C:\Documents and Settings\pre-install\Local Settings\Temporary Internet Files\Content.IE5\C5QRO5YR\search[2].htm not found!
Deletion of file C:\Documents and Settings\pre-install\Local Settings\Temporary Internet Files\Content.IE5\C5QRO5YR\search[2].htm failed!

Could not process line:
C:\Documents and Settings\pre-install\Local Settings\Temporary Internet Files\Content.IE5\C5QRO5YR\search[2].htm
Status: 0xc0000034

File C:\Documents and Settings\pre-install\Local Settings\Temporary Internet Files\Content.IE5\GDQJSDI7\isearch[1].htm deleted successfully.


File C:\Documents and Settings\pre-install\Local Settings\Temporary Internet Files\Content.IE5\GDQJSDI7\search[1].htm not found!
Deletion of file C:\Documents and Settings\pre-install\Local Settings\Temporary Internet Files\Content.IE5\GDQJSDI7\search[1].htm failed!

Could not process line:
C:\Documents and Settings\pre-install\Local Settings\Temporary Internet Files\Content.IE5\GDQJSDI7\search[1].htm
Status: 0xc0000034



File C:\Documents and Settings\pre-install\Local Settings\Temporary Internet Files\Content.IE5\GDQJSDI7\search[2].htm 3 not found!
Deletion of file C:\Documents and Settings\pre-install\Local Settings\Temporary Internet Files\Content.IE5\GDQJSDI7\search[2].htm 3 failed!

Could not process line:
C:\Documents and Settings\pre-install\Local Settings\Temporary Internet Files\Content.IE5\GDQJSDI7\search[2].htm 3
Status: 0xc0000034



File C:\Documents and Settings\pre-install\Local Settings\Temporary Internet Files\Content.IE5\GDQJSDI7\search[3].htm not found!
Deletion of file C:\Documents and Settings\pre-install\Local Settings\Temporary Internet Files\Content.IE5\GDQJSDI7\search[3].htm failed!

Could not process line:
C:\Documents and Settings\pre-install\Local Settings\Temporary Internet Files\Content.IE5\GDQJSDI7\search[3].htm
Status: 0xc0000034



File C:\Documents and Settings\pre-install\Local Settings\Temporary Internet Files\Content.IE5\GDQJSDI7\search[4].htm not found!
Deletion of file C:\Documents and Settings\pre-install\Local Settings\Temporary Internet Files\Content.IE5\GDQJSDI7\search[4].htm failed!

Could not process line:
C:\Documents and Settings\pre-install\Local Settings\Temporary Internet Files\Content.IE5\GDQJSDI7\search[4].htm
Status: 0xc0000034

File C:\Documents and Settings\pre-install\Local Settings\Temporary Internet Files\Content.IE5\WDYB85Q3\Ali_Landry[1].htm deleted successfully.
File C:\WINDOWS\ms046733221292006.exe deleted successfully.


Folder C:\Program Files\webHancer not found!
Deletion of folder C:\Program Files\webHancer failed!

Could not process line:
C:\Program Files\webHancer
Status: 0xc0000034

Registry key HKLM\SOFTWARE\Classes\Fseytdc.Ariaqudok deleted successfully.
Registry key HKLM\SOFTWARE\Classes\Fseytdc.Ariaqudok.1 deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:37:05 PM, on 3/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe
C:\mousepad.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Philips\Philips Lime Service\bin\LimeAlive.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Philips\Philips Lime Service\bin\Lime.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\pre-install\My Documents\Jeff's Stuff\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\PRE-IN~1\MYDOCU~1\JEFF'S~1\spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB003" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PhilipsDM] "C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe"
O4 - HKLM\..\Run: [keyboard] C:\\keyboard.exe
O4 - HKLM\..\Run: [mousepad] C:\\mousepad.exe
O4 - HKLM\..\Run: [strtas] l074.exe
O4 - HKLM\..\RunServices: [strtas] l074.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PhilipsLime] "C:\Program Files\Philips\Philips Lime Service\bin\LimeAlive.exe"
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [strtas] l074.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: MBNCTF - Unknown owner - C:\DOCUME~1\PRE-IN~1\LOCALS~1\Temp\MBNCTF.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

^certain things are coming back.
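Added example (not part of the thread, and not code from The Avenger): a Python script that reads an Avenger run log like the one above and separates what was removed from what failed, decoding the NTSTATUS values the log prints. The excerpt is copied from the log posted in this post; the parsing, the helper names and the two status names (values from the Windows SDK's ntstatus.h) are the example's own.

```python
"""Summarize an Avenger run log.

Added example: not from this thread or from The Avenger. The excerpt below
is copied from the log posted in the thread; the parsing and the helper
names are this example's own. NTSTATUS values are from ntstatus.h.
"""
import re

# NTSTATUS codes that appear in the log above.
NTSTATUS = {
    0xC0000033: "STATUS_OBJECT_NAME_INVALID",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
}

# Excerpt copied from the Avenger log posted in the thread.
SAMPLE_LOG = r"""
Beginning to process script file:

File C:\WINDOWS\system32\l074.exe deleted successfully.
File C:\WINDOWS\SYSC00.exe deleted successfully.


File C:\WINDOWS\win3207322129673.exe not found!
Deletion of file C:\WINDOWS\win3207322129673.exe failed!

Could not process line:
C:\WINDOWS\win3207322129673.exe
Status: 0xc0000034



Could not open file C:\Documents and Settings\pre-install\Cookies\pre-install@mbop[1].txt 3/1/2006 for deletion
Deletion of file C:\Documents and Settings\pre-install\Cookies\pre-install@mbop[1].txt 3/1/2006 failed!

Could not process line:
C:\Documents and Settings\pre-install\Cookies\pre-install@mbop[1].txt 3/1/2006
Status: 0xc0000033


Folder C:\Program Files\webHancer not found!
Deletion of folder C:\Program Files\webHancer failed!

Could not process line:
C:\Program Files\webHancer
Status: 0xc0000034

Registry key HKLM\SOFTWARE\Classes\Fseytdc.Ariaqudok deleted successfully.

Completed script processing.
"""

SUCCESS_RE = re.compile(r"^(?P<kind>File|Folder|Registry key) (?P<target>.+) deleted successfully\.$")
NOT_FOUND_RE = re.compile(r"^(?:File|Folder) (?P<target>.+) not found!$")
NO_OPEN_RE = re.compile(r"^Could not open file (?P<target>.+) for deletion$")
FAIL_RE = re.compile(r"^Deletion of (?P<kind>file|folder) (?P<target>.+) failed!$")
STATUS_RE = re.compile(r"^Status: (?P<code>0x[0-9a-fA-F]+)$")


def parse_avenger_log(text):
    """Return (deleted, failed).

    deleted: list of (kind, target) that Avenger removed.
    failed:  list of dicts with kind, target, reason and decoded NTSTATUS.
    """
    deleted, failed, reason = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SUCCESS_RE.match(line):
            deleted.append((m.group("kind"), m.group("target")))
        elif NOT_FOUND_RE.match(line):
            reason = "not found"          # remembered for the "failed!" line that follows
        elif NO_OPEN_RE.match(line):
            reason = "could not open"
        elif m := FAIL_RE.match(line):
            failed.append({"kind": m.group("kind"), "target": m.group("target"),
                           "reason": reason, "status": None})
            reason = None
        elif (m := STATUS_RE.match(line)) and failed:
            code = int(m.group("code"), 16)
            failed[-1]["status"] = NTSTATUS.get(code, m.group("code"))
    return deleted, failed


def still_to_find(failed):
    """Targets Avenger could not find. If a fresh HJT log still shows an
    autostart entry naming one of them, look for a hidden or renamed copy."""
    return [f["target"] for f in failed if f["status"] == "STATUS_OBJECT_NAME_NOT_FOUND"]


def malformed_script_lines(failed):
    """NAME_INVALID points at the script line rather than the file: in the
    log above those lines carry a trailing date after the path."""
    return [f["target"] for f in failed if f["status"] == "STATUS_OBJECT_NAME_INVALID"]


if __name__ == "__main__":
    deleted, failed = parse_avenger_log(SAMPLE_LOG)
    print(f"deleted: {len(deleted)}  failed: {len(failed)}")
    for f in failed:
        print(f"  {f['kind']} {f['target']}: {f['reason']} ({f['status']})")
```

The distinction the two helpers draw is the one a helper makes by eye: a "not found" on a file that HijackThis still lists as running is the interesting case, while a NAME_INVALID on a cookie line is a script typo and nothing to chase.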
Old 03-03-2006, 03:03 PM   #17 - sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy; Join Date: May 2005; Posts: 23,247; OS: N/A)
Quote:
^certain things are coming back.
Somehow, I'm not really surprised that certain things are coming back. It took you 2 days to complete the last set of instructions. If you were a virus, would you sit still for 2 days waiting to be exterminated?


Please download the following tools...

Download & install CleanUp.exe (not recommended for WinXP64)

Download and install Ewido Security Suite
  • When installing, under "Additional Options",
    • uncheck - Install background guard
  • Have Ewido update itself & then exit the program.
If you are having problems with the updater, you can use this link to manually update Ewido

'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downloading.
It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.


* * * * * * DISABLING SERVICES * * * * * * * * * * * * * * * * *


Click Start -> Run - type SERVICES.MSC & then click on the OK button
  1. Locate the service - MBNCTF
  2. Double-click on it to open the Properties dialog.
    - Change the Startup type to Disabled & then click on the Apply button
    - Stop the service by using the Stop button.
  3. Then start HiJackThis & go to Config... -> Misc.Tools -> Delete an NT service
  4. In the popup box that appears, copy/paste MBNCTF
  5. Click on the OK button & answer No if prompted to reboot

* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *


Do a HijackThis scan & place a check next to these items and select "Fix checked":

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O4 - HKLM\..\Run: [keyboard] C:\\keyboard.exe
O4 - HKLM\..\Run: [mousepad] C:\\mousepad.exe
O4 - HKLM\..\Run: [strtas] l074.exe
O4 - HKLM\..\RunServices: [strtas] l074.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [strtas] l074.exe



* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *


1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.


* * * * * * UN-INSTALLING PROGRAMS * * * * * * * * * * * * * *


Go to Start -> Control Panel -> Add or Remove Programs and uninstall the following programs:
  • SurfSideKick
Please note any other programs that you don't recognize in that list in your next response.


* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.
  • Tick - 'Show hidden files and folder'
  • Untick - 'Hide file extensions for known types'
  • Untick - 'Hide protected operating system files'
  • Click Yes to confirm & then click OK
Locate and delete the following files/folders: (let me know if you fail to find/delete any)
  • C:\keyboard.exe
    C:\mousepad.exe
    C:\Program Files\SurfSideKick 3\

* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program.
6. Do NOT reboot/logoff if prompted.

* CleanUp! will not create any backups!!


* * * * * * RUNNING ADDITIONAL SCANNERS * * * * * * * * * * *


Run Ewido with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


* * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * *


Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan


* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh logs from:
  • HiJackThis log
  • Online Scan
  • Ewido
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
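Added example (not part of the thread, and not code from HijackThis): the "certain things are coming back" remark in post #16 and the fresh-log check list at the end of this post both come down to comparing successive logs, so this Python script does that comparison. It reports what appeared and disappeared between two logs, and separately lists entries that were present at the start, gone right after the fix, and back in the fresh log, which is the pattern of a dropper re-creating its autostart. The three excerpts are copied from the O4/O20/R1 lines of the logs posted on 2/21, 3/2 and 3/3; the section list and the function names are the example's own choices.

```python
"""Compare persistence entries across successive HijackThis logs.

Added example: not from this thread or from HijackThis. The three excerpts
are copied from the logs posted on 2/21, 3/2 and 3/3; the section list and
the function names are this example's own choices.
"""

LOG_0221 = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [LWS*] C:\windows\eee2.exe
O4 - HKLM\..\RunServices: [strtas] l074.exe
O4 - HKCU\..\Run: [strtas] l074.exe
O20 - AppInit_DLLs: repairs303169536.dll
"""

LOG_0302 = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [keyboard] C:\\keyboard.exe
O4 - HKLM\..\Run: [mousepad] C:\\mousepad.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O20 - AppInit_DLLs: repairs303169536.dll
"""

LOG_0303 = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [keyboard] C:\\keyboard.exe
O4 - HKLM\..\Run: [mousepad] C:\\mousepad.exe
O4 - HKLM\..\Run: [strtas] l074.exe
O4 - HKLM\..\RunServices: [strtas] l074.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [strtas] l074.exe
"""

# HJT sections that describe persistence or browser hijacks (assumed selection).
SECTIONS = ("R0 -", "R1 -", "R3 -", "O4 -", "O15 -", "O18 -", "O20 -", "O23 -")


def persistence_entries(log_text):
    """Set of persistence-related lines, whitespace-normalized so that
    formatting differences between logs do not show up as changes."""
    return {" ".join(l.split()) for l in log_text.splitlines()
            if l.strip().startswith(SECTIONS)}


def compare_logs(before, after):
    """(added, removed) between two logs, each a sorted list of lines."""
    b, a = persistence_entries(before), persistence_entries(after)
    return sorted(a - b), sorted(b - a)


def reappeared(original, fixed, fresh):
    """Entries present originally, gone right after the fix, and back in the
    fresh log: something on the machine is re-creating its autostart."""
    o, f, n = map(persistence_entries, (original, fixed, fresh))
    return sorted((o - f) & n)


if __name__ == "__main__":
    added, removed = compare_logs(LOG_0302, LOG_0303)
    print("new since the 3/2 log:")
    for line in added:
        print("  +", line)
    print("gone since the 3/2 log:")
    for line in removed:
        print("  -", line)
    print("removed on 3/2 and back on 3/3:")
    for line in reappeared(LOG_0221, LOG_0302, LOG_0303):
        print("  !", line)
```

On these excerpts the "new" list also contains a `HKLM\..\Run` strtas entry that the 2/21 excerpt never had, so the script keeps "returned" apart from "new": the returned ones point at a re-dropper, while a brand-new one may be a second component that the earlier logs simply did not show.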
Old 03-04-2006, 12:45 AM   #18 - Snake_2990 (Registered User; Join Date: Jul 2004; Posts: 53; OS: XP)
*Notice: I'm very tired as I'm writing this post, so please bear with me if I sound a little weird or confusing.

Quote:
Somehow, I'm not really surprised that certain things are coming back. It took you 2 days to complete the last set of instructions. If you were a virus, would you sit still for 2 days waiting to be exterminated?
Yeah, sorry about that. I've been busy lately and haven't gotten around to doing everything.

Alright, so I did all that stuff now. I couldn't find SurfSideKick anywhere, but I think I already uninstalled it after you said I had to put in the code in order to continue with the uninstallation. And when I was deleting keyboard.exe and mousepad.exe I also found ZICORN001.exe, aebcq9z5w.exe, and NNSCAA638.EXE. I just wasn't sure whether these were factory-set programs or if they do pose a threat, and didn't delete them. Also I found gimmysmileys.exe and I knew that that was bad, so I already deleted it.

Before I went into safe mode I forgot to update the Ewido program, so it possibly didn't catch everything it could have. Also the log might look weird because I accidentally hit No on C:\WINDOWS\68x=.exe/eee2.exe -> Adware.MediaMotor : Error during cleaning when it asked "are you sure you want to delete this, bla bla, it is embedded in bla bla" (something like that, I don't really remember at all), so I located the file, right-clicked it, scanned with Ewido and successfully deleted it. So it's gone even though it doesn't look like I got rid of it.

As for the computer: Norton hasn't picked up the hacktool.rootkit. I haven't had those popups coming from the viruses. The computer is running a little slow doing certain things (but I think that's from the temp files being deleted); other than that everything looks great. I just hope nothing is still wrong and that I've gotten rid of the hacktool.rootkit.

Here, finally, are the logs.

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 12:31:30 AM, on 3/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Philips\Philips Lime Service\bin\LimeAlive.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Philips\Philips Lime Service\bin\Lime.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\pre-install\My Documents\Jeff's Stuff\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\PRE-IN~1\MYDOCU~1\JEFF'S~1\spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB003" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PhilipsDM] "C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PhilipsLime] "C:\Program Files\Philips\Philips Lime Service\bin\LimeAlive.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

ewido:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 9:01:19 PM, 3/3/2006
+ Report-Checksum: 1C259C69

+ Scan result:

HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
HKLM\SOFTWARE\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
HKU\S-1-5-21-3958095517-48506347-572454927-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6001CDF7-6F45-471B-A203-0225615E35A7} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-3958095517-48506347-572454927-1004\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
HKU\S-1-5-21-3958095517-48506347-572454927-1004\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
C:\avenger\backup.zip/avenger/eee2.exe -> Adware.MediaMotor : Cleaned with backup
C:\avenger\backup.zip/avenger/SYSC00.exe -> Trojan.VB.tg : Cleaned with backup
C:\NNSCAA638.EXE -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\whInstall -> Adware.Webhancer : Cleaned with backup
C:\real.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINDOWS\68x=.exe/eee2.exe -> Adware.MediaMotor : Error during cleaning
C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\surv3.exe -> Downloader.VB.vv : Cleaned with backup
C:\WINDOWS\system32\EGDHTML_1030.dll -> Dialer.InstantAccess : Cleaned with backup
C:\WINDOWS\system32\P2ECOM.dll -> Trojan.P2E.r : Cleaned with backup
C:\WINDOWS\system32\pre2.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINDOWS\webhdll.dll_tobedeleted -> Adware.WebHancer : Cleaned with backup
C:\WINDOWS\whCC-GIANT.exe/WhAgent.exe -> Adware.WebHancer : Cleaned with backup
C:\xz.bat -> Trojan.KillProc.a : Cleaned with backup
C:\ZICORN001.exe -> Adware.ZenoSearch : Cleaned with backup


::Report End

and Kaspersky (which took over 2 and a 1/2 hours):

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, March 04, 2006 00:03:54
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 4/03/2006
Kaspersky Anti-Virus database records: 180029
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 161767
Number of viruses found: 50
Number of infected objects: 212
Number of suspicious objects: 0
Duration of the scan process: 9529 sec

Infected Object Name - Virus Name
C:\aebcq9z5w.exe Infected: Trojan-Downloader.Win32.Agent.afi
C:\Documents and Settings\Michelle\drsmartload348a.exe Infected: Trojan-Downloader.Win32.Adload.w
C:\Documents and Settings\Michelle\Local Settings\Application Data\Identities\{657D89B1-1885-427D-ABAC-4B79F5B36C1D}\Microsoft\Outlook Express\found.dbx/[From aw-confirm@ebay.com][Date Tue, 12 Apr 2005 11:04:15 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Michelle\Local Settings\Application Data\Identities\{657D89B1-1885-427D-ABAC-4B79F5B36C1D}\Microsoft\Outlook Express\found.dbx/[From aw-confirm@ebay.com][Date Tue, 12 Apr 2005 18:41:51 -0700]/UNNAMED/text Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Michelle\Local Settings\Application Data\Identities\{657D89B1-1885-427D-ABAC-4B79F5B36C1D}\Microsoft\Outlook Express\found.dbx/[From aw-confirm@ebay.com][Date Tue, 12 Apr 2005 18:41:51 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Michelle\Local Settings\Application Data\Identities\{657D89B1-1885-427D-ABAC-4B79F5B36C1D}\Microsoft\Outlook Express\found.dbx/[From aw-confirm@ebay.com][Date Tue, 12 Apr 2005 16:36:36 -0700]/UNNAMED/text Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Michelle\Local Settings\Application Data\Identities\{657D89B1-1885-427D-ABAC-4B79F5B36C1D}\Microsoft\Outlook Express\found.dbx/[From aw-confirm@ebay.com][Date Tue, 12 Apr 2005 16:36:36 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Michelle\Local Settings\Application Data\Identities\{657D89B1-1885-427D-ABAC-4B79F5B36C1D}\Microsoft\Outlook Express\found.dbx/[From aw-confirm@ebay.com][Date Tue, 12 Apr 2005 08:20:53 -0700]/UNNAMED/text Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Michelle\Local Settings\Application Data\Identities\{657D89B1-1885-427D-ABAC-4B79F5B36C1D}\Microsoft\Outlook Express\found.dbx/[From aw-confirm@ebay.com][Date Tue, 12 Apr 2005 08:20:53 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Michelle\Local Settings\Application Data\Identities\{657D89B1-1885-427D-ABAC-4B79F5B36C1D}\Microsoft\Outlook Express\found.dbx Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\MSN\db\r1std8-msn-com.11.eml/[From aw-confirm@ebay.com][Date Tue, 12 Apr 2005 08:20:53 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\MSN\db\r1std8-msn-com.11.eml Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\MSN\db\r1std8-msn-com.11d.eml/[From aw-confirm@ebay.com][Date Tue, 12 Apr 2005 11:04:15 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\MSN\db\r1std8-msn-com.11d.eml Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\MSN\db\r1std8-msn-com.11f.eml/[From aw-confirm@ebay.com][Date Tue, 12 Apr 2005 18:41:51 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\MSN\db\r1std8-msn-com.11f.eml Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\MSN\db\r1std8-msn-com.120.eml/[From aw-confirm@ebay.com][Date Tue, 12 Apr 2005 16:36:36 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\MSN\db\r1std8-msn-com.120.eml Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\MSN\db\r1std8-msn-com.121.eml/[From aw-confirm@ebay.com][Date Tue, 12 Apr 2005 08:20:53 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\MSN\db\r1std8-msn-com.121.eml Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\MSN\db\r1std8-msn-com.128.eml/[From aw-confirm@ebay.com][Date Tue, 12 Apr 2005 08:20:53 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\MSN\db\r1std8-msn-com.128.eml Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\MSN\db\r1std8-msn-com.129.eml/[From aw-confirm@ebay.com][Date Tue, 12 Apr 2005 11:04:15 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\MSN\db\r1std8-msn-com.129.eml Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\MSN\db\r1std8-msn-com.12b.eml/[From aw-confirm@ebay.com][Date Tue, 12 Apr 2005 18:41:51 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\MSN\db\r1std8-msn-com.12b.eml Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\MSN\db\r1std8-msn-com.12c.eml/[From aw-confirm@ebay.com][Date Tue, 12 Apr 2005 16:36:36 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\MSN\db\r1std8-msn-com.12c.eml Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\MSN\db\r1std8-msn-com.15.eml/[From aw-confirm@ebay.com][Date Tue, 12 Apr 2005 11:04:15 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\MSN\db\r1std8-msn-com.15.eml Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\MSN\db\r1std8-msn-com.16.eml/[From aw-confirm@ebay.com][Date Tue, 12 Apr 2005 16:36:36 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\MSN\db\r1std8-msn-com.16.eml Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\MSN\db\r1std8-msn-com.17.eml/[From aw-confirm@ebay.com][Date Tue, 12 Apr 2005 18:41:51 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\MSN\db\r1std8-msn-com.17.eml Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\pre-install\drsmartload348a.exe Infected: Trojan-Downloader.Win32.Adload.w
C:\Documents and Settings\pre-install\My Documents\Jeff's Stuff\hijackthis\backups\backup-20060302-174941-187.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak
C:\Documents and Settings\pre-install\My Documents\Jeff's Stuff\hijackthis\backups\backup-20060302-174941-966.dll Infected: not-a-virus:AdWare.Win32.Suggestor.o
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\Mail (r1std8@msn.com)\stm0x300012b.000/[From aw-confirm@ebay.com][Date Tue, 12 Apr 2005 11:04:15 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\Mail (r1std8@msn.com)\stm0x300012b.000 Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\Mail (r1std8@msn.com)\stm0x300012e.000/[From aw-confirm@ebay.com][Date Tue, 12 Apr 2005 18:41:51 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\Mail (r1std8@msn.com)\stm0x300012e.000 Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\Mail (r1std8@msn.com)\stm0x300012f.000/[From aw-confirm@ebay.com][Date Tue, 12 Apr 2005 16:36:36 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\Mail (r1std8@msn.com)\stm0x300012f.000 Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\Mail (r1std8@msn.com)\stm0x3000130.000/[From aw-confirm@ebay.com][Date Tue, 12 Apr 2005 08:20:53 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\Mail (r1std8@msn.com)\stm0x3000130.000 Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\Mail (r1std8@msn.com)\stm0x30005b4.000/[From aw-confirm@ebay.com][Date Tue, 12 Apr 2005 08:20:53 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\Mail (r1std8@msn.com)\stm0x30005b4.000 Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\Mail (r1std8@msn.com)\stm0x30005b8.000/[From aw-confirm@ebay.com][Date Tue, 12 Apr 2005 11:04:15 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\Mail (r1std8@msn.com)\stm0x30005b8.000 Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\Mail (r1std8@msn.com)\stm0x30005ba.000/[From aw-confirm@ebay.com][Date Tue, 12 Apr 2005 16:36:36 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\Mail (r1std8@msn.com)\stm0x30005ba.000 Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\Mail (r1std8@msn.com)\stm0x30005be.000/[From aw-confirm@ebay.com][Date Tue, 12 Apr 2005 18:41:51 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\Mail (r1std8@msn.com)\stm0x30005be.000 Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\r1std8-msn-com.11/[From aw-confirm@ebay.com][Date Tue, 12 Apr 2005 08:20:53 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\r1std8-msn-com.11 Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\r1std8-msn-com.11d/[From aw-confirm@ebay.com][Date Tue, 12 Apr 2005 11:04:15 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\r1std8-msn-com.11d Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\r1std8-msn-com.11f/[From aw-confirm@ebay.com][Date Tue, 12 Apr 2005 18:41:51 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\r1std8-msn-com.11f Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\r1std8-msn-com.120/[From aw-confirm@ebay.com][Date Tue, 12 Apr 2005 16:36:36 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\r1std8-msn-com.120 Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\r1std8-msn-com.121/[From aw-confirm@ebay.com][Date Tue, 12 Apr 2005 08:20:53 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\r1std8-msn-com.121 Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\r1std8-msn-com.15/[From aw-confirm@ebay.com][Date Tue, 12 Apr 2005 11:04:15 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\r1std8-msn-com.15 Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\r1std8-msn-com.16/[From aw-confirm@ebay.com][Date Tue, 12 Apr 2005 16:36:36 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\r1std8-msn-com.16 Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\r1std8-msn-com.17/[From aw-confirm@ebay.com][Date Tue, 12 Apr 2005 18:41:51 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\r1std8-msn-com.17 Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Program Files\Common Files\Yazzle1119OinAdmin.exe Infected: Trojan.Win32.Scapur.k
C:\Program Files\doco\subw.exe Infected: Trojan-Downloader.Win32.PurityScan.br
C:\Program Files\Norton AntiVirus\Quarantine\011A5EDB.class Infected: Trojan.Java.ClassLoader.h
C:\Program Files\Norton AntiVirus\Quarantine\021659F9.class Infected: Trojan-Downloader.Java.OpenConnection.aj
C:\Program Files\Norton AntiVirus\Quarantine\0C0C69ED.class Infected: Trojan.Java.ClassLoader.d
C:\Program Files\Norton AntiVirus\Quarantine\104E1E85.class Infected: Trojan-Downloader.Java.OpenStream.w
C:\Program Files\Norton AntiVirus\Quarantine\11D43F40.class Infected: Trojan-Downloader.Java.OpenConnection.aj
C:\Program Files\Norton AntiVirus\Quarantine\133A1A69.class Infected: Trojan.Java.ClassLoader.d
C:\Program Files\Norton AntiVirus\Quarantine\1C354F2B.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\1DC92B99.dll_ Infected: Trojan-Clicker.Win32.Small.jf
C:\Program Files\Norton AntiVirus\Quarantine\1E171B43.exe Infected: Trojan-Clicker.Win32.VB.ij
C:\Program Files\Norton AntiVirus\Quarantine\32B17A97.class Infected: Trojan-Downloader.Java.OpenConnection.aj
C:\Program Files\Norton AntiVirus\Quarantine\3840134C.class Infected: Trojan-Downloader.Java.OpenConnection.aj
C:\Program Files\Norton AntiVirus\Quarantine\39E160AD Infected: Trojan-Downloader.Java.OpenConnection.aj
C:\Program Files\Norton AntiVirus\Quarantine\39E40AA9 Infected: Trojan-Downloader.Java.OpenConnection.aj
C:\Program Files\Norton AntiVirus\Quarantine\3A57482C/data0002 Infected: Trojan-Clicker.Win32.Small.jf
C:\Program Files\Norton AntiVirus\Quarantine\3A57482C Infected: Trojan-Clicker.Win32.Small.jf
C:\Program Files\Norton AntiVirus\Quarantine\42BF5CEB/data0002 Infected: Trojan-Clicker.Win32.Small.jf
C:\Program Files\Norton AntiVirus\Quarantine\42BF5CEB Infected: Trojan-Clicker.Win32.Small.jf
C:\Program Files\Norton AntiVirus\Quarantine\432C5429.class Infected: Trojan-Downloader.Java.OpenStream.w
C:\Program Files\Norton AntiVirus\Quarantine\44110C9E.class Infected: Trojan-Downloader.Java.OpenConnection.aj
C:\Program Files\Norton AntiVirus\Quarantine\44E277B3.zip/BlackBox.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\44E277B3.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\44E277B3.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Program Files\Norton AntiVirus\Quarantine\44E277B3.zip Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Program Files\Norton AntiVirus\Quarantine\495A0F45.class Infected: Trojan-Downloader.Java.OpenConnection.aj
C:\Program Files\Norton AntiVirus\Quarantine\495A0F45.zip/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c
C:\Program Files\Norton AntiVirus\Quarantine\495A0F45.zip/Counter.class Infected: Trojan.Java.ClassLoader.h
C:\Program Files\Norton AntiVirus\Quarantine\495A0F45.zip/Parser.class Infected: Trojan.Java.ClassLoader.d
C:\Program Files\Norton AntiVirus\Quarantine\495A0F45.zip Infected: Trojan.Java.ClassLoader.d
C:\Program Files\Norton AntiVirus\Quarantine\49982D01.exe Infected: Email-Worm.Win32.VB.an
C:\Program Files\Norton AntiVirus\Quarantine\4DA27A12.class Infected: Trojan.Java.ClassLoader.h
C:\Program Files\Norton AntiVirus\Quarantine\5050000A.class Infected: Trojan-Downloader.Java.OpenConnection.aj
C:\Program Files\Norton AntiVirus\Quarantine\552A09D7.class Infected: Trojan-Downloader.Java.OpenConnection.aj
C:\Program Files\Norton AntiVirus\Quarantine\58074194.exe Infected: Trojan-Downloader.Win32.VB.nw
C:\Program Files\Norton AntiVirus\Quarantine\58EF4BEF.class Infected: Trojan-Downloader.Java.OpenConnection.aj
C:\Program Files\Norton AntiVirus\Quarantine\5DC64D47.class Infected: Trojan-Downloader.Java.OpenStream.w
C:\Program Files\Norton AntiVirus\Quarantine\627C7227.class Infected: Trojan-Downloader.Java.OpenStream.w
C:\Program Files\Norton AntiVirus\Quarantine\66D303C3.class Infected: Trojan-Downloader.Java.OpenConnection.aj
C:\Program Files\Norton AntiVirus\Quarantine\67DD3D1E.class Infected: Trojan-Downloader.Java.OpenStream.w
C:\Program Files\Norton AntiVirus\Quarantine\69C00238.exe Infected: Email-Worm.Win32.VB.an
C:\Program Files\Norton AntiVirus\Quarantine\6B7B4386.class Infected: Trojan-Downloader.Java.OpenConnection.aj
C:\Program Files\Norton AntiVirus\Quarantine\6D282C84.class Infected: Trojan-Downloader.Java.OpenConnection.aj
C:\Program Files\Norton AntiVirus\Quarantine\7EA83771 Infected: Trojan-Downloader.Java.OpenStream.w
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP713\A0069605.bat Infected: Trojan.BAT.KillProc.a
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP714\A0069630.bat Infected: Trojan.BAT.KillProc.a
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP717\A0069700.bat Infected: Trojan.BAT.KillProc.a
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP719\A0070703.bat Infected: Trojan.BAT.KillProc.a
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0070921.bat Infected: Trojan.BAT.KillProc.a
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0070931.exe Infected: Trojan-Downloader.Win32.Adload.u
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0071916.exe Infected: Trojan-Downloader.Win32.VB.tw
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0071918.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0071919.dll Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0071920.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0071921.dll Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0071923.dll Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0071928.dll Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0071930.exe Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0071932.bat Infected: Trojan.BAT.KillProc.a
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0071978.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0071979.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0071980.ocx Infected: Trojan-Downloader.Win32.VB.ov
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0071982.exe Infected: Trojan-Downloader.Win32.VB.uc
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0071984.exe Infected: not-a-virus:Monitor.Win32.NetMon.a
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0071986.exe Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0071987.exe Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0071988.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0071989.exe Infected: Trojan-Downloader.Win32.Small.abd
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0071993.exe Infected: Trojan-Downloader.Win32.Adload.u
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0071994.exe Infected: not-a-virus:AdWare.Win32.SurfSide.aa
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0072002.exe Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0072004.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0072006.exe/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0072006.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0072006.exe/data.rar/whSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0072006.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0072006.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0072006.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.381
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0072006.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0072007.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.m
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0072019.bat Infected: Trojan.BAT.KillProc.a
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0073017.bat Infected: Trojan.BAT.KillProc.a
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0073034.exe Infected: Trojan-Downloader.Win32.Adload.t
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0073048.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0073048.exe Infected: Trojan-Clicker.Win32.Small.jf
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0073049.exe Infected: Trojan.Win32.VB.tg
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0073050.exe Infected: Trojan.Win32.VB.tg
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0073051.exe Infected: Trojan-Dropper.Win32.Agent.aie
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0073070.bat Infected: Trojan.BAT.KillProc.a
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0073090.exe Infected: Trojan-Downloader.Win32.Adload.u
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0073095.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0073096.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0073121.exe Infected: Trojan-Downloader.Win32.VB.tw
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0073126.dll Infected: not-a-virus:AdWare.Win32.NewDotNet.i
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0073132.bat Infected: Trojan.BAT.KillProc.a
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0073155.exe/InpB/Ssk3RepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.aa
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0073155.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.aa
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0073155.exe Infected: not-a-virus:AdWare.Win32.SurfSide.aa
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP721\A0073236.bat Infected: Trojan.BAT.KillProc.a
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP721\A0073253.dll Infected: not-a-virus:AdWare.Win32.Suggestor.o
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP721\A0073254.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP721\A0073275.bat Infected: Trojan.BAT.KillProc.a
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP721\A0073315.bat Infected: Trojan.BAT.KillProc.a
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP721\A0073328.bat Infected: Trojan.BAT.KillProc.a
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP721\A0073344.bat Infected: Trojan.BAT.KillProc.a
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP721\A0073356.bat Infected: Trojan.BAT.KillProc.a
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP721\A0073387.exe Infected: not-a-virus:AdWare.Win32.Suggestor.q
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP721\A0073388.exe Infected: not-a-virus:AdWare.Win32.MediaMotor.k
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP721\A0073389.exe Infected: Trojan-Downloader.Win32.Adload.v
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP721\A0073391.exe Infected: Backdoor.Win32.IRCBot.ow
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP721\A0073393.exe Infected: Trojan.Win32.VB.tg
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP721\A0073394.exe Infected: Trojan-Clicker.Win32.VB.li
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP721\A0073395.exe Infected: Trojan.Win32.StartPage.aib
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP721\A0073449.exe Infected: Trojan-Downloader.Win32.Agent.afi
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP721\A0073451.exe Infected: Trojan-Clicker.Win32.VB.li
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP721\A0073452.exe Infected: Trojan-Downloader.Win32.VB.xv
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP721\A0073453.exe Infected: Trojan-Downloader.Win32.VB.xu
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP721\A0074088.EXE Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP721\A0074089.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP721\A0074090.exe/data.rar/eee2.exe Infected: not-a-virus:AdWare.Win32.MediaMotor.k
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP721\A0074090.exe/data.rar Infected: not-a-virus:AdWare.Win32.MediaMotor.k
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP721\A0074090.exe Infected: not-a-virus:AdWare.Win32.MediaMotor.k
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP721\A0074091.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP721\A0074092.exe Infected: Trojan-Downloader.Win32.VB.vv
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP721\A0074093.dll Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP721\A0074094.dll Infected: Trojan.Win32.P2E.r
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP721\A0074095.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP721\A0074096.exe/data.rar/WhAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP721\A0074096.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP721\A0074096.exe/data.rar/WhSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP721\A0074096.exe/data.rar/Webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP721\A0074096.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP721\A0074096.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP721\A0074096.exe Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP721\A0074097.bat Infected: Trojan.BAT.KillProc.a
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP721\A0074098.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.m
C:\WINDOWS\system32\Tagasuarus5.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw
C:\WINDOWS\system32\Tagasuarus5.exe/data0003 Infected: Trojan.Win32.VB.tg
C:\WINDOWS\system32\Tagasuarus5.exe/data0006 Infected: Trojan.Win32.VB.tg
C:\WINDOWS\system32\Tagasuarus5.exe/data0007 Infected: Trojan.Win32.VB.tg
C:\WINDOWS\system32\Tagasuarus5.exe Infected: Trojan.Win32.VB.tg
C:\WINDOWS\YazzleBundle-1119.exe/data0002 Infected: Trojan.Win32.Scapur.k
C:\WINDOWS\YazzleBundle-1119.exe Infected: Trojan.Win32.Scapur.k

Scan process completed.

This could just be a hunch, but I think Kaspersky says I have a couple of problems. HOLY CRAP!

And now I'm going to go to bed.
Old 03-04-2006, 01:20 AM   #19 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
sUBs
Join Date: May 2005
Posts: 23,247
OS: N/A


Good work. You did great this time round. Now let's finish these off..

Please read this post completely before beginning the fix.


Right click on this & choose "Save As..." - DelO15Domains.inf
Right click on DelO15Domains.inf and choose Install. It will run immediately (you won't be able to see anything happen). You may delete the file afterwards.

SpywareBlaster 3.5.1 - Install & update SpywareBlaster with the latest definitions.
After you have updated, click the button - enable protection for all unprotected items

IE-SpyAD - Extract the contents to a new folder
From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list.
Then return to the main menu.
Select option #4 - Add the old porn sites domain


* * * * * *

Launch Outlook Express & logon as Michele. Then delete this email:

[From aw-confirm@ebay.com][Date Tue, 12 Apr 2005 11:04:15 -0700]



* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *


1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.


* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.
  • Tick - 'Show hidden files and folders'
  • Untick - 'Hide file extensions for known types'
  • Untick - 'Hide protected operating system files'
  • Click Yes to confirm & then click OK
Locate and delete the following files/folders: (let me know if you fail to find/delete any)
  • C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\MSN\db\r1std8-msn-com.11.eml
    C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\MSN\db\r1std8-msn-com.120.eml
    C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\MSN\db\r1std8-msn-com.121.eml
    C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\MSN\db\r1std8-msn-com.128.eml
    C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\MSN\db\r1std8-msn-com.129.eml
    C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\MSN\db\r1std8-msn-com.12b.eml
    C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\MSN\db\r1std8-msn-com.12c.eml
    C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\MSN\db\r1std8-msn-com.15.eml
    C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\MSN\db\r1std8-msn-com.16.eml
    C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\MSN\db\r1std8-msn-com.17.eml
    C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\Mail (r1std8@msn.com)\stm0x300012b.000
    C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\Mail (r1std8@msn.com)\stm0x300012e.000
    C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\Mail (r1std8@msn.com)\stm0x300012f.000
    C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\Mail (r1std8@msn.com)\stm0x3000130.000
    C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\Mail (r1std8@msn.com)\stm0x30005b4.000
    C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\Mail (r1std8@msn.com)\stm0x30005b8.000
    C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\Mail (r1std8@msn.com)\stm0x30005ba.000
    C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\Mail (r1std8@msn.com)\stm0x30005be.000
    C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\r1std8-msn-com.11
    C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\r1std8-msn-com.11d
    C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\r1std8-msn-com.11f
    C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\r1std8-msn-com.120
    C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\r1std8-msn-com.121
    C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\r1std8-msn-com.15
    C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\r1std8-msn-com.16
    C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\MSN\db(2)\r1std8-msn-com.17
    C:\Documents and Settings\pre-install\My Documents\Jeff's Stuff\hijackthis\backups\
    C:\Documents and Settings\pre-install\drsmartload348a.exe
    C:\Program Files\Common Files\Yazzle1119OinAdmin.exe
    C:\Program Files\doco\subw.exe
    C:\WINDOWS\system32\Tagasuarus5.exe
    C:\WINDOWS\YazzleBundle-1119.exe
    C:\aebcq9z5w.exe
    C:\Documents and Settings\Michelle\drsmartload348a.exe
Delete the contents of this folder, leaving it empty:
  • C:\Program Files\Norton AntiVirus\Quarantine\

* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program.


* * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * *


(This will clear the System Volume Information folder)
Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
  • Tick on the checkbox - Turn off System Restore on all drives
  • Click Apply
Turn it back 'On' by unticking the same checkbox & click OK


* * * * * *


Perform another Kaspersky scan. Let's see if any remains.


* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh logs from:
  1. HiJackThis
  2. Online scan
Tell me how the computer behaves now
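The triage that the fix above performs on the scan report, written out as an added example (not code from the thread or from any tool it names): it parses Kaspersky On-line Scanner "Infected:" lines, collapses nested archive and mail-body entries to their on-disk container, and sorts each file into the step that removes it (System Restore purge, emptying the AV quarantine, temp-folder purge, or manual deletion in Safe Mode). The sample report is constructed from lines quoted in the thread plus one invented Norton Quarantine entry.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the Kaspersky On-line Scanner report quoted
# in the thread. The Norton Quarantine entry is invented for illustration and was
# not in the posted report.
SAMPLE_REPORT = r"""
Infected Object Name - Virus Name
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0073048.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP720\A0073048.exe Infected: Trojan-Clicker.Win32.Small.jf
C:\System Volume Information\_restore{88605F38-5271-432E-B39F-4700D52D09DF}\RP721\A0073391.exe Infected: Backdoor.Win32.IRCBot.ow
C:\WINDOWS\system32\Tagasuarus5.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw
C:\WINDOWS\system32\Tagasuarus5.exe Infected: Trojan.Win32.VB.tg
C:\WINDOWS\YazzleBundle-1119.exe Infected: Trojan.Win32.Scapur.k
C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\MSN\db\r1std8-msn-com.11d.eml/[From aw-confirm@ebay.com][Date Tue, 12 Apr 2005 11:04:15 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Michelle\Local Settings\Temp\!update.exe Infected: Trojan-Downloader.Win32.PurityScan.bw
C:\Program Files\Norton AntiVirus\Quarantine\CONSTRUCTED.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.i

Scan process completed.
"""

# One report line: "<object> Infected: <detection name>"; detection names contain no spaces.
LINE_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<det>\S+)\s*$")

# Restore-point directory component, e.g. "\RP720\".
RP_RE = re.compile(r"\\(RP\d+)\\", re.IGNORECASE)


def container_of(obj):
    """Kaspersky appends archive members and mail bodies after '/'; Windows paths
    only use '\\', so everything before the first '/' is the on-disk file."""
    return obj.split("/", 1)[0]


def classify(path):
    """Map an on-disk path to the step of the fix that removes it."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"   # cleared by turning System Restore off and back on
    if "\\quarantine\\" in p:
        return "av_quarantine"   # cleared by emptying the AV quarantine folder
    if "\\local settings\\temp\\" in p or "\\temporary internet files\\" in p:
        return "temp"            # cleared by the temp-folder purge (CleanUp!)
    return "delete"              # must be located and deleted by hand in Safe Mode


def parse_report(text):
    """Yield (container_path, detection) for every 'Infected:' line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield container_of(m.group("obj")), m.group("det")


def triage(text):
    """Group detections by fix step, one entry per on-disk file, detections sorted."""
    buckets = defaultdict(lambda: defaultdict(set))
    for path, det in parse_report(text):
        buckets[classify(path)][path].add(det)
    return {b: {p: sorted(d) for p, d in files.items()} for b, files in buckets.items()}


def restore_points_hit(text):
    """Restore points holding at least one detection; the purge discards all of them."""
    rps = set()
    for path, _ in parse_report(text):
        m = RP_RE.search(path)
        if m:
            rps.add(m.group(1).upper())
    return sorted(rps)


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for bucket in ("delete", "temp", "av_quarantine", "restore_point"):
        print(f"[{bucket}]")
        for path, dets in sorted(result.get(bucket, {}).items()):
            print(f"  {path}  <- {', '.join(dets)}")
    print("restore points affected:", restore_points_hit(SAMPLE_REPORT))
```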
Old 03-04-2006, 09:27 PM   #20 (permalink)
Registered User
Snake_2990
Join Date: Jul 2004
Posts: 53
OS: XP


OK, well, I did all that and now my account seems to be great. But... now the other account has had the weird popups coming from nowhere. The hacktool.rootkit doesn't pop up anymore with Norton. But I do need to fix the other account as well. I did a HijackThis scan and just skimmed through it and fixed:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O4 - HKLM\..\Run: [strtas] l074.exe
O4 - HKLM\..\RunServices: [strtas] l074.exe

There are probably more in it though. I didn't thoroughly go through it because I knew that you would want to look at it first anyway.

*First are the logs that you asked for:

My account HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 9:14:04 PM, on 3/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Philips\Philips Lime Service\bin\LimeAlive.exe
C:\Program Files\Philips\Philips Lime Service\bin\Lime.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\pre-install\My Documents\Jeff's Stuff\hijackthis\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\PRE-IN~1\MYDOCU~1\JEFF'S~1\spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB003" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PhilipsDM] "C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PhilipsLime] "C:\Program Files\Philips\Philips Lime Service\bin\LimeAlive.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Kaspersky:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, March 04, 2006 17:20:14
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 4/03/2006
Kaspersky Anti-Virus database records: 180114
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 148082
Number of viruses found: 2
Number of infected objects: 6
Number of suspicious objects: 0
Duration of the scan process: 9792 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\MSN\db\r1std8-msn-com.11d.eml/[From aw-confirm@ebay.com][Date Tue, 12 Apr 2005 11:04:15 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\MSN\db\r1std8-msn-com.11d.eml Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\MSN\db\r1std8-msn-com.11f.eml/[From aw-confirm@ebay.com][Date Tue, 12 Apr 2005 18:41:51 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\MSN\db\r1std8-msn-com.11f.eml Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Michelle\Local Settings\Temp\!update.exe Infected: Trojan-Downloader.Win32.PurityScan.bw
C:\Documents and Settings\Michelle\Local Settings\Temporary Internet Files\Content.IE5\QU27O7I3\!update-3595[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.bw

Scan was interrupted by user!

^Sorry, but I had to abort the scan right near the end. It probably only had to go another 10 minutes. I doubt that it would have picked up anything else. I had to leave, and I've had the scanner crash while it was just sitting there, and I didn't want to have to run the scan for another 2 and a half hours. If you really want me to run the entire thing again to check the last couple of files, then I will.

And finally the HJT logs from the other two accounts:

*On this first one I fixed a couple of things.

Logfile of HijackThis v1.99.1
Scan saved at 3:56:25 PM, on 3/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe
C:\Program Files\Common Files\??sembly\d?xplore.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\WINDOWS\system32\FNTS~1\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Documents and Settings\pre-install\My Documents\Jeff's Stuff\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\PRE-IN~1\MYDOCU~1\JEFF'S~1\spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB003" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PhilipsDM] "C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe"
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [Cits] "C:\WINDOWS\system32\FNTS~1\svchost.exe" -vt ndrv
O4 - HKCU\..\Run: [Nisbpvfy] C:\Program Files\Common Files\??sembly\d?xplore.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

And nobody ever goes on this account, so it's probably pretty clean:

Logfile of HijackThis v1.99.1
Scan saved at 3:49:42 PM, on 3/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe
C:\Program Files\Logitech\Profiler\lwemon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\pre-install\My Documents\Jeff's Stuff\hijackthis\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\PRE-IN~1\MYDOCU~1\JEFF'S~1\spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB003" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PhilipsDM] "C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe"
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Oh yeah, and I took screenshots of some of the popups that are still popping up on the one account. Just ask if you want them for any reason.
Copyright 2001 - 2009, Tech Support Forum