
Discussion Starter #1 (Registered, 8 Posts)
HJT:

Logfile of HijackThis v1.99.1
Scan saved at 3:38:18 PM, on 2005-10-17
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\etlisrv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Bell\Access Manager\app\TangoService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Bell\ACCESS~1\app\TangoManager.exe
C:\WINNT\system32\Atiidtxx.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\internat.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Hijack This!\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R3 - Default URLSearchHook is missing
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.hc-sc.gc.ca"); (C:\Program Files\Netscape\Users\default\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINNT\system32\communicator.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TangoManager] C:\PROGRA~1\Bell\ACCESS~1\app\TANGOM~1.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "c:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [9a4660de9d34] C:\WINNT\system32\Atiidtxx.exe
O4 - HKLM\..\Run: [stb] C:\WINNT\system32\stb.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: BackupFavorites.lnk = C:\WINNT\hcapps\BackupFavorites.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://hc-sc.gc.ca
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://69.31.7.116/Java/cfs40320.cab
O16 - DPF: ConferenceRoom Java Client - http://backpack.webmaster.com/backpack/cr.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://webcamnow.com/fs5/ax/ActiveXWebCam.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{97B3F258-8D53-4BCE-98EF-51573898B630}: NameServer = 206.47.244.15 206.47.244.50
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Entrust Login Interface (ELIService) - Entrust Technologies Ltd. - C:\WINNT\etlisrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Bell\Access Manager\app\TangoService.exe

Kaspersky:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, October 16, 2005 23:29:52
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 17/10/2005
Kaspersky Anti-Virus database records: 154516
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 25333
Number of viruses found: 16
Number of infected objects: 45
Number of suspicious objects: 0
Duration of the scan process: 2751 sec

Infected Object Name - Virus Name
C:\!Submit\adsnt602.exe Infected: not-a-virus:AdWare.Win32.UrlSpy.b
C:\!Submit\ATIDDC73.exe Infected: not-a-virus:AdWare.Win32.UrlSpy.b
C:\Program Files\block-checker.exe/setup.zip/2 Infected: not-a-virus:AdWare.Win32.Chiem.a
C:\Program Files\block-checker.exe/setup.zip Infected: not-a-virus:AdWare.Win32.Chiem.a
C:\Program Files\block-checker.exe Infected: not-a-virus:AdWare.Win32.Chiem.a
C:\Program Files\Fatpickle Toolbar\fatpickle.dll Infected: not-a-virus:AdWare.Win32.SideSearch.g
C:\Program Files\SurfSideKick 3\SskBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.t
C:\WINNT\Downloaded Program Files\CONFLICT.1\UWFX5_0001_LP1014NetInstaller.exe Infected: not-a-virus:Downloader.Win32.Agent.d
C:\WINNT\Downloaded Program Files\UWFX5_0001_LP1014NetInstaller.exe Infected: not-a-virus:Downloader.Win32.Agent.d
C:\WINNT\system32\76le2r6i.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao
C:\WINNT\system32\Atiidtxx.exe Infected: not-a-virus:AdWare.Win32.UrlSpy.b
C:\WINNT\system32\atmlib81.exe Infected: not-a-virus:AdWare.Win32.UrlSpy.b
C:\WINNT\system32\bk.exe/InpB/SskBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.t
C:\WINNT\system32\bk.exe/InpB/Ssk3RepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.t
C:\WINNT\system32\bk.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.t
C:\WINNT\system32\bk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.t
C:\WINNT\system32\clbcatq3.exe Infected: not-a-virus:AdWare.Win32.UrlSpy.b
C:\WINNT\system32\epo9qe91.exe Infected: not-a-virus:AdWare.Win32.Sahat.f
C:\WINNT\system32\j5da4o20.dll Infected: not-a-virus:AdWare.Win32.Sahat.ad
C:\WINNT\system32\ll7ej9c4.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao
C:\WINNT\system32\nfomon\nfo.ocx Infected: not-a-virus:AdWare.Win32.DelphinMediaViewer.c
C:\WINNT\system32\nfomon\nfom.dll Infected: not-a-virus:AdWare.Win32.DelphinMedia.Viewer.f
C:\WINNT\system32\nfomon\nfomon.exe Infected: not-a-virus:AdWare.Win32.DelphinMedia.Viewer.f
C:\WINNT\system32\o1p6kq7o.exe Infected: not-a-virus:AdWare.Win32.Sahat.f
C:\WINNT\system32\oubqqvlg.dll Infected: not-a-virus:AdWare.Win32.Sahat.ad
C:\WINNT\system32\p89a7282.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao
C:\WINNT\system32\PMTInstaller.exe/QLSetup.exe/data0002 Infected: not-a-virus:AdWare.Win32.QLF.b
C:\WINNT\system32\PMTInstaller.exe/QLSetup.exe Infected: not-a-virus:AdWare.Win32.QLF.b
C:\WINNT\system32\PMTInstaller.exe Infected: not-a-virus:AdWare.Win32.QLF.b
C:\WINNT\system32\repairs302972949.dll Infected: not-a-virus:AdWare.Win32.SurfSide.t
C:\WINNT\system32\vbd3vtvo.dll Infected: not-a-virus:AdWare.Win32.Sahat.ad
C:\WINNT\system32\vidmon\vidmon.exe Infected: not-a-virus:AdWare.Win32.DelphinMediaViewer.j
C:\WINNT\Temp\fatpickle.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.SideSearch.g
C:\WINNT\Temp\fatpickle.exe/stream Infected: not-a-virus:AdWare.Win32.SideSearch.g
C:\WINNT\Temp\fatpickle.exe Infected: not-a-virus:AdWare.Win32.SideSearch.g
C:\WINNT\Temp\i46.tmp Infected: not-a-virus:AdWare.Win32.SurfSide.j
C:\WINNT\Temp\iBC.tmp Infected: not-a-virus:AdWare.Win32.SurfSide.j
C:\WINNT\Temp\relatedsetup.exe Infected: Trojan-Downloader.Win32.Small.bmx
C:\WINNT\Temp\setup1050.exe/data0002 Infected: not-a-virus:AdWare.Win32.UrlSpy.b
C:\WINNT\Temp\setup1050.exe/data0004 Infected: not-a-virus:AdWare.Win32.UrlSpy.b
C:\WINNT\Temp\setup1050.exe/data0006 Infected: not-a-virus:AdWare.Win32.UrlSpy.b
C:\WINNT\Temp\setup1050.exe/data0007 Infected: not-a-virus:AdWare.Win32.UrlSpy.b
C:\WINNT\Temp\setup1050.exe Infected: not-a-virus:AdWare.Win32.UrlSpy.b
C:\WINNT\Temp\ssk3_b5.exe Infected: Trojan-Dropper.Win32.Small.qn
C:\WINNT\Temp\w181609.stub.exe Infected: Trojan-Downloader.Win32.Delmed.a

Scan process completed.
 

Discussion Starter #2 (Registered, 8 Posts)
Hey

If I reverse my registry, is it possible to recover all my lost pictures and music files? And can I reverse it on Windows 2000?
 

Reply (Registered, 6,574 Posts)
You cannot System Restore in Windows 2000.

Download KillBox http://www.greyknight17.com/spy/KillBox.exe.

Uninstall via Add/Remove:

SurfSideKick 3


Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say no:

C:\Program Files\block-checker.exe
C:\Program Files\Fatpickle Toolbar\fatpickle.dll
C:\Program Files\SurfSideKick 3
C:\WINNT\Downloaded Program Files\CONFLICT.1\UWFX5_0001_LP1014NetInstaller.exe
C:\WINNT\Downloaded Program Files\UWFX5_0001_LP1014NetInstaller.exe
C:\WINNT\system32\76le2r6i.ini
C:\WINNT\system32\Atiidtxx.exe
C:\WINNT\system32\atmlib81.exe
C:\WINNT\system32\bk.exe
C:\WINNT\system32\clbcatq3.exe
C:\WINNT\system32\epo9qe91.exe
C:\WINNT\system32\j5da4o20.dll
C:\WINNT\system32\ll7ej9c4.ini
C:\WINNT\system32\nfomon\
C:\WINNT\system32\o1p6kq7o.exe
C:\WINNT\system32\oubqqvlg.dll
C:\WINNT\system32\p89a7282.ini
C:\WINNT\system32\PMTInstaller.exe
C:\WINNT\system32\repairs302972949.dll
C:\WINNT\system32\vbd3vtvo.dll
C:\WINNT\system32\vidmon


Go to this folder and empty it by going to Edit > Select All and then Delete.

C:\WINNT\Temp\

Empty the Recycle Bin and empty: C:\!Submit

Reboot your computer and re-run HJT. Save the log and post it in your next reply.

Run an online virus scan at Panda ActiveScan http://www.pandasoftware.com/products/activescan. Post the log from the Panda scan here.
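The KillBox list in this reply is built by reading the Kaspersky report and the HJT log together: the scanner names files on disk, while HJT only shows the autostart entries that point at files, so a file with no HJT entry has to be removed by path. The following Python script is an added example, not code from the thread, from HijackThis or from Kaspersky; it cross-references excerpts of the two logs posted above (embedded as constructed sample data) and reports which autostart entries load a detected file and which detected files no HJT entry references.

```python
"""Cross-reference a Kaspersky on-line scanner report with a HijackThis log.

Added example (not from the thread, HijackThis or Kaspersky): list the HJT
autostart entries whose file the scanner flagged, and the flagged files that
no HJT entry points at (those only go away when removed by path).
"""
import re

# Excerpts constructed from the two logs pasted earlier in the thread.
HJT_LOG = r"""
O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINNT\system32\communicator.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [9a4660de9d34] C:\WINNT\system32\Atiidtxx.exe
O4 - HKLM\..\Run: [stb] C:\WINNT\system32\stb.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
"""
KAV_REPORT = r"""
C:\Program Files\SurfSideKick 3\SskBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.t
C:\WINNT\system32\Atiidtxx.exe Infected: not-a-virus:AdWare.Win32.UrlSpy.b
C:\WINNT\system32\bk.exe/InpB/SskBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.t
C:\WINNT\system32\bk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.t
C:\WINNT\Temp\relatedsetup.exe Infected: Trojan-Downloader.Win32.Small.bmx
C:\WINNT\Temp\setup1050.exe/data0002 Infected: not-a-virus:AdWare.Win32.UrlSpy.b
C:\WINNT\Temp\setup1050.exe Infected: not-a-virus:AdWare.Win32.UrlSpy.b
"""

KAV_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<name>\S+)$")
HJT_RE = re.compile(r"^(?P<sec>O\d+) - (?P<rest>.*)$")
# Optional opening quote, then the shortest run ending in a known extension,
# so trailing arguments such as '/logon' or '(file missing)' are dropped.
PATH_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|ocx|ini|cab))', re.IGNORECASE)
FILE_SECTIONS = {"O2", "O3", "O9", "O16", "O20", "O23"}  # 'name - clsid - file' layout


def parse_kav(report):
    """Map each on-disk object (lower-cased path) to its detection names.
    Archive members are written 'container.exe/member'; the object on disk is
    the part before the first '/', which a Windows path never contains."""
    hits = {}
    for line in report.splitlines():
        m = KAV_RE.match(line.strip())
        if m:
            disk_path = m.group("obj").split("/", 1)[0].lower()
            hits.setdefault(disk_path, set()).add(m.group("name"))
    return hits


def hjt_file(line):
    """Return the file an HJT entry loads, or None if the entry carries no
    file (R0/R1 start pages, O6 policies, O17 name servers, ...)."""
    m = HJT_RE.match(line.strip())
    if not m:
        return None
    sec, rest = m.group("sec"), m.group("rest")
    if sec == "O4":
        # 'HKLM\..\Run: [name] "file" args'  or  'Startup: x.lnk = file'
        if "] " in rest:
            target = rest.split("] ", 1)[1]
        elif " = " in rest:
            target = rest.split(" = ", 1)[1]
        else:
            return None
    elif sec in FILE_SECTIONS:
        target = rest.rsplit(" - ", 1)[-1]
    else:
        return None
    pm = PATH_RE.match(target.strip())
    return pm.group("path") if pm else None


def correlate(hjt_log, kav_report):
    """Return (flagged, unreferenced): HJT lines whose file the scanner hit,
    paired with the detection names, and detected paths no entry points at.
    Bare names such as 'internat.exe' (resolved via PATH at logon) are
    matched on basename because their directory is not in the log."""
    hits = parse_kav(kav_report)
    by_basename = {}
    for path in hits:
        by_basename.setdefault(path.rsplit("\\", 1)[-1], []).append(path)
    flagged, referenced = [], set()
    for line in hjt_log.splitlines():
        target = hjt_file(line)
        if not target:
            continue
        key = target.lower()
        matches = ([key] if key in hits else []) if "\\" in key else by_basename.get(key, [])
        for path in matches:
            referenced.add(path)
            flagged.append((line.strip(), sorted(hits[path])))
    return flagged, sorted(set(hits) - referenced)


if __name__ == "__main__":
    flagged, unreferenced = correlate(HJT_LOG, KAV_REPORT)
    for line, names in flagged:
        print(f"LOADS DETECTED FILE: {line}  [{', '.join(names)}]")
    for path in unreferenced:
        print(f"NO HJT ENTRY, REMOVE BY PATH: {path}")
```

On the excerpts, only the `[9a4660de9d34]` Run entry loads a scanner-flagged file; `bk.exe`, `setup1050.exe`, `relatedsetup.exe` and the SurfSideKick BHO file have no autostart pointer in the HJT excerpt, which is why a removal plan has to go by path and not by HJT lines alone. Short (8.3) names like `C:\PROGRA~1\SYMANT~1\VPTray.exe` cannot be expanded offline, so an entry using one would need the long path substituted before comparison.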
 

Discussion Starter #4 (Registered, 8 Posts)
Hello

First, thank you for responding to my question... I have a few questions of my own I would like to ask:

1. Every time I reboot my computer my settings revert back to their original defaults. For example, in Internet Explorer I changed my homepage before rebooting and then it was back to the default one, as well as many other changes I purposely made to see if this was a problem... Also I had to re-install all my other things, like iTunes, MSN Messenger and LimeWire... and all my songs, pictures etc. have mysteriously disappeared from iTunes and I cannot save any songs to the library. I am not sure if this is a virus but it is getting on my nerves because I just want my songs back :(

2. Secondly, my computer doesn't actually belong to me; my father got it from his work, and when we log on we must log on as the "homeuser"... Normally this is alright, but recently (maybe from a virus) I have been logging in and checked Documents and Settings and noticed that there is no longer a "homeuser" folder and that it had been replaced by a folder named homeuser.bak... I'm not sure if this is the backup or something, but it doesn't contain the same things as the homeuser one did...

3. Is there any possible way all my songs and pictures will return after cleaning it? Or am I stuck like this forever? Also, my K:\ drive doesn't work anymore or is inaccessible, whatever drive that is... Damn viruses...

OK, here are my logs...

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 1:20:50 PM, on 2005-10-18
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\etlisrv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Bell\Access Manager\app\TangoService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Bell\ACCESS~1\app\TangoManager.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack This!\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hc-sc.gc.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.hc-sc.gc.ca"); (C:\Program Files\Netscape\Users\default\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINNT\system32\communicator.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TangoManager] C:\PROGRA~1\Bell\ACCESS~1\app\TANGOM~1.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "c:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [9a4660de9d34] C:\WINNT\system32\Atiidtxx.exe
O4 - HKLM\..\Run: [stb] C:\WINNT\system32\stb.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: BackupFavorites.lnk = C:\WINNT\hcapps\BackupFavorites.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://hc-sc.gc.ca
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://69.31.7.116/Java/cfs40320.cab
O16 - DPF: ConferenceRoom Java Client - http://backpack.webmaster.com/backpack/cr.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://webcamnow.com/fs5/ax/ActiveXWebCam.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{97B3F258-8D53-4BCE-98EF-51573898B630}: NameServer = 206.47.244.15 206.47.244.50
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Entrust Login Interface (ELIService) - Entrust Technologies Ltd. - C:\WINNT\etlisrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Bell\Access Manager\app\TangoService.exe

Panda (after I ran it and got the results I couldn't properly open the scan report without the window closing on me, so I will copy and paste):

Incident Location

Adware C:\WINNT\DOWNLOADED PROGRAM FILES\I......
adware C:\WINNT\SYSTEM32\Searchx.htm
spyware c:\winnt\temp\Temporary_Internet_Files\Ssk...
adware windows registry
dialer HKEY_CLASSES_ROOT\CLSID\{0D62A517-E7...
Adware Windows registry
 

Reply (Registered, 6,574 Posts)
Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - Choose YES when it informs you the file will be deleted on Reboot. Choose NO when it asks if you want to reboot):

C:\WINNT\system32\Atiidtxx.exe
C:\WINNT\system32\stb.exe


Run HJT and fix

O4 - HKLM\..\Run: [9a4660de9d34] C:\WINNT\system32\Atiidtxx.exe
O4 - HKLM\..\Run: [stb] C:\WINNT\system32\stb.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O14 - IERESET.INF: START_PAGE_URL=http://hc-sc.gc.ca
O16 - DPF: ConferenceRoom Java Client - http://backpack.webmaster.com/backpack/cr.cab


Search and delete this file:

internat.exe


Reboot the computer now.

Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click "Start Scan"
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them in your next post.
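When the next HJT log arrives, the helper's check is whether the five lines above are gone and what else changed between runs. The script below is an added example, not code from the thread or from HijackThis: it compares excerpts of the two HJT logs already posted (embedded as constructed sample data taken from those logs) entry by entry, ignoring the header and the 'Running processes' section, which change on every boot, and tests the fix list from this reply against the newer log.

```python
"""Compare two HijackThis logs and check that requested fixes took effect.

Added example, not from the thread or from HijackThis. Entries (R*, N*, F*,
O* lines) are compared as sets; the process list is read separately so a
file that stopped running can be told apart from an autostart pointer that
is still registered.
"""
import re

ENTRY_RE = re.compile(r"^(?:[RNF]\d|O\d+) - ")

# Excerpts constructed from the two logs the poster submitted above.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 3:38:18 PM, on 2005-10-17

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\Atiidtxx.exe
C:\Program Files\LimeWire\LimeWire.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [9a4660de9d34] C:\WINNT\system32\Atiidtxx.exe
O4 - HKLM\..\Run: [stb] C:\WINNT\system32\stb.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O14 - IERESET.INF: START_PAGE_URL=http://hc-sc.gc.ca
O16 - DPF: ConferenceRoom Java Client - http://backpack.webmaster.com/backpack/cr.cab
"""
LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 1:20:50 PM, on 2005-10-18

Running processes:
C:\WINNT\System32\smss.exe
C:\Program Files\iTunes\iTunes.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hc-sc.gc.ca
O4 - HKLM\..\Run: [9a4660de9d34] C:\WINNT\system32\Atiidtxx.exe
O4 - HKLM\..\Run: [stb] C:\WINNT\system32\stb.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O14 - IERESET.INF: START_PAGE_URL=http://hc-sc.gc.ca
O16 - DPF: ConferenceRoom Java Client - http://backpack.webmaster.com/backpack/cr.cab
"""
# The five entries this reply asks the user to fix.
FIX_LIST = [
    r"O4 - HKLM\..\Run: [9a4660de9d34] C:\WINNT\system32\Atiidtxx.exe",
    r"O4 - HKLM\..\Run: [stb] C:\WINNT\system32\stb.exe",
    r"O4 - HKCU\..\Run: [internat.exe] internat.exe",
    "O14 - IERESET.INF: START_PAGE_URL=http://hc-sc.gc.ca",
    "O16 - DPF: ConferenceRoom Java Client - http://backpack.webmaster.com/backpack/cr.cab",
]


def entries(log):
    """Set of HJT entry lines (R*, N*, F*, O*), whitespace-trimmed."""
    return {ln.strip() for ln in log.splitlines() if ENTRY_RE.match(ln.strip())}


def processes(log):
    """Set of paths listed under 'Running processes:' up to the first blank line."""
    procs, active = set(), False
    for ln in log.splitlines():
        ln = ln.strip()
        if ln == "Running processes:":
            active = True
        elif active and not ln:
            break
        elif active:
            procs.add(ln)
    return procs


def diff_logs(before, after):
    """(removed, added): entries that disappeared and entries that appeared."""
    b, a = entries(before), entries(after)
    return sorted(b - a), sorted(a - b)


def still_present(log, fix_list):
    """The fix-list lines that are still in the log, in fix-list order."""
    have = entries(log)
    return [fix for fix in fix_list if fix.strip() in have]


if __name__ == "__main__":
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("Removed:", *removed, sep="\n  ")
    print("Added:", *added, sep="\n  ")
    print("Fix list still present:", *still_present(LOG_AFTER, FIX_LIST), sep="\n  ")
```

In the excerpts the RunOnce cleaner entry and the LimeWire startup shortcut are gone after the reboot and the HKCU start page changed, while all five lines in the fix list are still registered; Atiidtxx.exe has left the process list but its Run pointer remains, which is the situation this reply addresses by deleting the file again and fixing the O4 line. Entry comparison is exact, so a loader that re-registers under a new random key name (the `[9a4660de9d34]` style seen here) shows up as one removed and one added entry; the added list deserves the same attention as the removed one.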
 

Discussion Starter #6 (Registered, 8 Posts)
Hey

I couldn't do the Trend Micro thing... but when I rebooted the computer... I saw a message when I was logging on that it couldn't load my user's profile because it was corrupt and instead was using a backup profile... it said to contact my administrator but I'm not sure if I should
 

Reply (Registered, 6,574 Posts)
If it's corrupt then that's why it's using the homeuser.bak, most likely. This problem will need to be discussed with the Windows Team here at TSF. Right now we need to get you free and clean of malware.

Please try TMAS again.
 

Discussion Starter #8 (Registered, 8 Posts)
Hey

The Trend Micro thing doesn't work... there is an error message when I try to open it... do I have to do it in Safe Mode?
 

Reply (TSF Security Manager, Emeritus, 42,837 Posts)
You shouldn't have to run it in Safe Mode. What error message are you getting?
 

Reply (Registered, 6,574 Posts)
Please download CleanUp! (Alternate Link if the main link doesn't work - http://www.greyknight17.com/spy/CleanUp.exe ) and install it. Do not run it yet!

Download Ewido Security Suite - Install & Update its database but do not run it yet.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
    [X] Scan local drives for temporary files (Please uncheck this option)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

WARNING - CleanUp! will delete all files and folders contained within Temporary Directories. If you knowingly have items you would like to keep stored in these locations, Move them now!!!

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

REBOOT TO SAFE MODE
  1. Restart the computer. The computer begins processing a set of instructions known as BIOS.
  2. As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard.
  3. Continue to do so until the 'Windows Advanced Options' menu appears.
  4. Using the arrow keys on the keyboard, scroll to and select the menu item - Safe Mode.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

** Please disable all other antivirus programs before proceeding.**

Run Ewido:
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
  • With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click OK
  • Once finished, click the Save report button
  • Save the report to your desktop
Close Ewido
* The Ewido scan will require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.

Reboot to Normal Mode and return the results from the Ewido Scan in your next post. Also include a new HJT log.
 