can't get rid of it!

godenver (thread starter; Junior Member with 8 posts, joined Mar 2005, Experience: Intermediate)
20-Mar-2005, 10:26 PM #1
I have a mixture of viruses, trojans, and stuff and have quite a few ads popping up. I am using Windows XP. I have tried AdAware, Spy Sweeper, Spybot but none completely got rid of my problem. I have scanned with HijackThis and Panda and the reports are below. Please help!

Logfile of HijackThis v1.99.0
Scan saved at 10:10:06 PM, on 3/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\windows\system32\fcznre.exe
C:\WINDOWS\SysCheckBop32.exe
C:\WINDOWS\ms04220442034.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\WINDOWS\System32\sysmonnt.exe
C:\Documents and Settings\Dave Willoughby\Application Data\eetu.exe
C:\WINDOWS\System32\??ool32.exe
C:\windows\system32\packager.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\DAVEWI~1\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [fcznre] c:\windows\system32\fcznre.exe
O4 - HKLM\..\Run: [o9b9kvmc] C:\Program Files\o9b9kvmc\o9b9kvmc.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKLM\..\Run: [ms04220442034] C:\WINDOWS\ms04220442034.exe
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPassK.exe
O4 - HKLM\..\Run: [nmbix] C:\WINDOWS\nmbix.exe
O4 - HKLM\..\Run: [ps7f3pP] shgip32.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteezf32.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O4 - HKCU\..\Run: [YBopRfj2j] sentil.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Dave Willoughby\Application Data\eetu.exe
O4 - HKCU\..\Run: [Quahnpn] C:\WINDOWS\System32\??ool32.exe
O4 - HKCU\..\Run: [rfqq] C:\PROGRA~1\COMMON~1\rfqq\rfqqm.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

-----------------------------------------------------------------------


Incident Status Location

Adware:Adware/Transponder No disinfected C:\WINDOWS\dlmax.dll
Virus:Trj/Startpage.SJ No disinfected Operating system
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\msexreg.exe
Adware:Adware/nCase No disinfected Windows Registry
Adware:Adware/IPInsight No disinfected C:\WINDOWS\FARMMEXT.exe
Adware:Adware/IEPlugin No disinfected C:\WINDOWS\systb.dll
Adware:Adware/Twain-Tech No disinfected C:\DOCUME~1\DAVEWI~1\LOCALS~1\Temp\THI*.tmp
Adware:Adware/WUpd No disinfected Windows Registry
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\DrTemp\mm_reco.exe
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI21FD.tmp\farmmext.cab[farmmext.inf]
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI21FD.tmp\farmmext.cab[farmmext.exe]
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI21FD.tmp\farmmext.cab[farmmext.ini]
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI21FD.tmp\farmmext.exe
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI21FD.tmp\farmmext.inf
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI21FD.tmp\farmmext.ini
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI4580.tmp\farmmext.cab[farmmext.inf]
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI4580.tmp\farmmext.cab[farmmext.exe]
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI4580.tmp\farmmext.cab[farmmext.ini]
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI4580.tmp\farmmext.exe
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI4580.tmp\farmmext.inf
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI4580.tmp\farmmext.ini
Adware:Adware/TopRebates No disinfected C:\RECYCLER\S-1-5-21-2025429265-1993962763-1060284298-1004\Dc5\EbatesMoeMoneyMaker1.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\dlmax.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\setup4002b.ini
Adware:Adware/IPInsight No disinfected C:\WINDOWS\farmmext.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\inf\dlmax.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\farmmext.inf
Adware:Adware/Transponder No disinfected C:\WINDOWS\inf\Pynix.inf
Virus:Trj/Imiserv.D Disinfected C:\WINDOWS\systb.dll
Virus:Trj/Imiserv.D Disinfected C:\WINDOWS\systb.exe
Virus:Trj/Startpage.SJ Disinfected C:\WINDOWS\system\irdrirtn.exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\angelex.exe
Adware:Adware/WinTools No disinfected C:\WINDOWS\system32\Cache\adl_ibis_AS2.exe
Spyware:Spyware/ClearSearch No disinfected C:\WINDOWS\system32\Cache\CSv13P108.exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\Cache\installer_MARKETING17.exe
Adware:Adware/nCase No disinfected C:\WINDOWS\system32\Cache\pop.exe
Adware:Adware/nCase No disinfected C:\WINDOWS\system32\Cache\saie1101.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\system32\Cache\thin-8-1-x-x.exe
Adware:Adware/AdLogix No disinfected C:\WINDOWS\system32\Cache\videoinst.exe
Adware:Adware/TopRebates No disinfected C:\WINDOWS\system32\Cache\WebRebates_Auto_InstallSilent.exe
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\system32\Cache\wrapperouter.exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\mqexdlm.srg
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\msexreg.exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\zeta.exe
Flrman1 (Mark; Member with 46,322 posts, joined Jul 2002, Thomasville, NC)
21-Mar-2005, 09:03 AM #2
Hi godenver

Welcome to TSG!

A new version of Hijack This has been released so get rid of the old one and Click here to download the new one, come back here and post the log from it.

I see you are running Hijack This from a temp folder now. This is a bad idea because it cannot create and restore backups from there. Before you download the new version create a new folder in My Documents and name it Hijack This. Now click on the link I posted above and when the box pops up asking you to Open or Save choose Save and save it to the Hijack This folder you created. That way it can create and restore backups if needed. HJT will store the backups in the same location that it is run from.
godenver (thread starter; Junior Member with 8 posts, joined Mar 2005, Experience: Intermediate)
21-Mar-2005, 09:34 PM #3
I saved the newest version of HijackThis into My Documents and ran the program. Here is the log...

Logfile of HijackThis v1.99.1
Scan saved at 9:31:50 PM, on 3/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\windows\system32\fcznre.exe
C:\WINDOWS\SysCheckBop32.exe
C:\WINDOWS\ms04220442034.exe
C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realevent.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\sysmonnt.exe
C:\Documents and Settings\Dave Willoughby\Application Data\eetu.exe
C:\WINDOWS\System32\??ool32.exe
C:\windows\system32\calc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker1.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Dave Willoughby\My Documents\HijackThis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [fcznre] c:\windows\system32\fcznre.exe
O4 - HKLM\..\Run: [o9b9kvmc] C:\Program Files\o9b9kvmc\o9b9kvmc.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKLM\..\Run: [ms04220442034] C:\WINDOWS\ms04220442034.exe
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPassK.exe
O4 - HKLM\..\Run: [nmbix] C:\WINDOWS\nmbix.exe
O4 - HKLM\..\Run: [ps7f3pP] shgip32.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteezf32.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O4 - HKCU\..\Run: [YBopRfj2j] sentil.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Dave Willoughby\Application Data\eetu.exe
O4 - HKCU\..\Run: [Quahnpn] C:\WINDOWS\System32\??ool32.exe
O4 - HKCU\..\Run: [rfqq] C:\PROGRA~1\COMMON~1\rfqq\rfqqm.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
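As an added example (not part of this thread and not HijackThis's own code), the script below parses the R0/R1, O2 and O4 lines of a HijackThis log like the ones posted above and flags the entries a helper would want to look at first: search settings pointing at a third-party host, BHO DLLs dropped straight into the Windows directory, and Run entries with no absolute path, loaded via rundll32, launched from a user profile data or temp folder, lacking a file extension, or with characters HijackThis could not render. The heuristics are this example's assumptions, not rules from the thread; the sample lines are copied from godenver's logs.

```python
"""Triage helper for HijackThis logs (added example; heuristics are assumptions)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Sample lines copied from the logs posted in this thread (a constructed subset).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [ps7f3pP] shgip32.exe
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Dave Willoughby\Application Data\eetu.exe
O4 - HKCU\..\Run: [Quahnpn] C:\WINDOWS\System32\??ool32.exe
"""

R_LINE = re.compile(r"^(R[0-3]) - ([^,]+),(.+?) = (.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O4_LINE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")

# Registry values that control IE search; any host here deserves a second look.
SEARCH_VALUES = {"Search Bar", "Search Page", "SearchAssistant", "CustomizeSearch"}
# Path fragments that mean "runs out of the user's profile", unusual for real software.
PROFILE_MARKERS = ("\\documents and settings\\", "\\application data\\", "\\local settings\\temp\\")
EXT_RE = re.compile(r"\.(exe|dll|bat|cmd|scr|com)$", re.IGNORECASE)


@dataclass
class Finding:
    section: str          # R0/R1/O2/O4
    name: str             # value name, BHO name or Run entry name
    target: str           # URL, DLL path or command line
    reasons: list = field(default_factory=list)


def executable_from_command(command):
    """Return the program part of a Run command line, quotes and arguments stripped."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.(?:exe|dll|bat|cmd|scr|com))(?:\s|$|,)", command, re.IGNORECASE)
    return m.group(1) if m else command


def check_browser_setting(key, value_name, value):
    """Flag IE search-related values; the start page alone is left to the reader."""
    key_tail = key.rsplit("\\", 1)[-1]          # Main, Search, SearchURL, ...
    if value_name not in SEARCH_VALUES and key_tail != "SearchURL":
        return []
    host = urlparse(value if "://" in value else "http://" + value).hostname or ""
    return [f"search setting redirected to {host}"]


def check_bho(path):
    """A BHO DLL placed directly in the Windows directory is atypical for vendors."""
    if re.match(r"^[a-z]:\\windows\\[^\\]+$", path.lower()):
        return ["BHO DLL sits directly in the Windows directory"]
    return []


def check_run_entry(command):
    """Apply the launch-location heuristics to one O4 entry."""
    reasons = []
    exe = executable_from_command(command)
    low = exe.lower()
    if low.startswith("rundll32"):
        reasons.append("DLL loaded through rundll32 without a full path")
    elif not re.match(r"^[a-z]:\\", low):
        reasons.append("no absolute path; resolved through the search path at logon")
    if any(marker in low for marker in PROFILE_MARKERS):
        reasons.append("runs from a user profile data or temp folder")
    if "?" in exe:
        reasons.append("file name contains characters HijackThis could not display")
    if not EXT_RE.search(exe):
        reasons.append("no recognised executable extension")
    return reasons


def analyze(log_text):
    """Parse the supported line types and return one Finding per flagged entry."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := R_LINE.match(line):
            kind, key, value_name, value = m.groups()
            if reasons := check_browser_setting(key, value_name, value):
                findings.append(Finding(kind, value_name, value, reasons))
        elif m := O2_LINE.match(line):
            name, _clsid, path = m.groups()
            if reasons := check_bho(path):
                findings.append(Finding("O2", name, path, reasons))
        elif m := O4_LINE.match(line):
            _hive, name, command = m.groups()
            if reasons := check_run_entry(command):
                findings.append(Finding("O4", name, command, reasons))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.section:2} [{f.name}] {f.target}\n     -> " + "; ".join(f.reasons))
```

Entries that trip none of the checks (the Synaptics driver, RealPlayer's scheduler, the Spybot SDHelper BHO, the hotmail start page) are not reported, which is the point: the script narrows the list to what needs human judgement rather than deciding what to remove. Anything it flags still has to be confirmed against the vendor's documentation or a known-good machine before a fix line is chosen.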
Flrman1 (Mark; Member with 46,322 posts, joined Jul 2002, Thomasville, NC)
22-Mar-2005, 08:02 AM #4
Go here and follow the directions to download and run the trial version of KAV 5 Personal with the extended database. Be sure that you take your time and be careful to follow the directions exactly as given there.

After you have done that, post the log from the KAV scan along with a new Hijack This log.
godenver (thread starter; Junior Member with 8 posts, joined Mar 2005, Experience: Intermediate)
23-Mar-2005, 12:49 AM #5
I went to the site, downloaded KAV, and installed it on my computer, making sure to follow all the directions on the site. When I clicked on "scan my computer" in the KAV program, it gave me the following error message:

An anti-virus scan cannot be performed because your anti-virus database is corrupted. Please mention detailed error code (24) when contacting Kaspersky Lab's Technical Support.

What should I do now?
Flrman1 (Mark; Member with 46,322 posts, joined Jul 2002, Thomasville, NC)
23-Mar-2005, 08:19 AM #6
Redownload the updates and try again.
godenver (thread starter; Junior Member with 8 posts, joined Mar 2005, Experience: Intermediate)
24-Mar-2005, 07:06 AM #7
Reloaded and it worked the second time. Here is the log from KAV followed by the new HijackThis log.

Statistics:
Task start time: 3/24/2005 2:15:52 AM
Task completion time: 3/24/2005 4:26:35 AM
Objects scanned: 145196
Viruses detected: 23
Viruses disinfected: 0
Objects deleted: 23
Objects quarantined: 0

Settings:
Objects to be scanned:
My Computer
If an infected object is found:
Perform recommended action
Scan level:
Recommended
Objects to be excluded from the scan scope:
Option not used

Report:
C:\Dave's Files\Stuff\GAMEOFTHECENTURY.EXE is infected with a virus not-virus:Joke.Win32.JepRuss 3/24/2005 2:23:08 AM
C:\Dave's Files\Stuff\GAMEOFTHECENTURY.EXE moved to the backup storage 3/24/2005 2:23:08 AM
C:\Dave's Files\Stuff\GAMEOFTHECENTURY.EXE deleted 3/24/2005 2:23:09 AM
C:\Dave's Files\Stuff\WaschingMachine.bat is infected with a virus not-virus:Joke.Win32.Train 3/24/2005 2:23:10 AM
C:\Dave's Files\Stuff\WaschingMachine.bat moved to the backup storage 3/24/2005 2:23:10 AM
C:\Dave's Files\Stuff\WaschingMachine.bat deleted 3/24/2005 2:23:10 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip\related.htm password protected, has not been processed 3/24/2005 2:30:56 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:56 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc.zip\dave willoughby@atdmt[1].txt password protected, has not been processed 3/24/2005 2:30:56 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:56 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BargainBuddy.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 2:30:56 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BargainBuddy.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:56 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 2:30:56 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:56 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit1.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 2:30:56 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit1.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:56 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit2.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 2:30:56 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit2.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:56 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit3.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 2:30:56 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit3.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:56 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit4.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 2:30:56 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit4.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:56 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eZulaHotText.zip\eZinstall.exe password protected, has not been processed 3/24/2005 2:30:56 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eZulaHotText.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:56 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 2:30:56 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:56 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin1.zip\lu.dat password protected, has not been processed 3/24/2005 2:30:56 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin1.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:56 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin2.zip\systb.dll password protected, has not been processed 3/24/2005 2:30:57 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin2.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:57 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin3.zip\wupdt.exe password protected, has not been processed 3/24/2005 2:30:57 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin3.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:57 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MySearch.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 2:30:57 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MySearch.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:57 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MySearch1.zip\bar/History/search password protected, has not been processed 3/24/2005 2:30:57 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MySearch1.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:57 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtualBouncer.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 2:30:57 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtualBouncer.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:57 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtualBouncer1.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 2:30:57 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtualBouncer1.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:57 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtualBouncer2.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 2:30:57 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtualBouncer2.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:57 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 2:30:57 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:57 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer1.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 2:30:57 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer1.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:57 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer2.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 2:30:57 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer2.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:57 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer3.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 2:30:57 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer3.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:57 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer4.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 2:30:57 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer4.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:57 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer5.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 2:30:57 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer5.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:57 AM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\DrTemp\mm_reco.exe is infected with a virus not-a-virus:AdWare.BetterInternet 3/24/2005 2:32:33 AM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\DrTemp\mm_reco.exe moved to the backup storage 3/24/2005 2:32:34 AM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\DrTemp\mm_reco.exe deleted 3/24/2005 2:32:34 AM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI190C.tmp\MMaker4b.exe/data0004 is infected with a virus not-a-virus:AdWare.WebRebates.d 3/24/2005 2:32:37 AM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI190C.tmp\MMaker4b.exe moved to the backup storage 3/24/2005 2:32:37 AM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI190C.tmp\MMaker4b.exe deleted 3/24/2005 2:32:37 AM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI1C5E.tmp\MMaker4b.exe/data0004 is infected with a virus not-a-virus:AdWare.WebRebates.d 3/24/2005 2:32:38 AM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI1C5E.tmp\MMaker4b.exe moved to the backup storage 3/24/2005 2:32:38 AM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI1C5E.tmp\MMaker4b.exe deleted 3/24/2005 2:32:38 AM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI289F.tmp\MMaker4b.exe/data0004 is infected with a virus not-a-virus:AdWare.WebRebates.d 3/24/2005 2:32:40 AM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI289F.tmp\MMaker4b.exe moved to the backup storage 3/24/2005 2:32:41 AM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI289F.tmp\MMaker4b.exe deleted 3/24/2005 2:32:41 AM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI323.tmp\MMaker4b.exe/data0004 is infected with a virus not-a-virus:AdWare.WebRebates.d 3/24/2005 2:32:42 AM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI323.tmp\MMaker4b.exe moved to the backup storage 3/24/2005 2:32:42 AM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI323.tmp\MMaker4b.exe deleted 3/24/2005 2:32:42 AM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI33E.tmp\MMaker4b.exe/data0004 is infected with a virus not-a-virus:AdWare.WebRebates.d 3/24/2005 2:32:43 AM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI33E.tmp\MMaker4b.exe moved to the backup storage 3/24/2005 2:32:43 AM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI33E.tmp\MMaker4b.exe deleted 3/24/2005 2:32:43 AM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI658F.tmp\MMaker4b.exe/data0004 is infected with a virus not-a-virus:AdWare.WebRebates.d 3/24/2005 2:32:45 AM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI658F.tmp\MMaker4b.exe moved to the backup storage 3/24/2005 2:32:46 AM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI658F.tmp\MMaker4b.exe deleted 3/24/2005 2:32:46 AM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI7843.tmp\MMaker4b.exe/data0004 is infected with a virus not-a-virus:AdWare.WebRebates.d 3/24/2005 2:32:47 AM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI7843.tmp\MMaker4b.exe moved to the backup storage 3/24/2005 2:32:47 AM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI7843.tmp\MMaker4b.exe deleted 3/24/2005 2:32:47 AM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI7C3F.tmp\MMaker4b.exe/data0004 is infected with a virus not-a-virus:AdWare.WebRebates.d 3/24/2005 2:32:48 AM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI7C3F.tmp\MMaker4b.exe moved to the backup storage 3/24/2005 2:32:49 AM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI7C3F.tmp\MMaker4b.exe deleted 3/24/2005 2:32:49 AM
C:\Program Files\Ebates_MoeMoneyMaker\disp350.exe is infected with a virus not-a-virus:AdWare.WebRebates.c 3/24/2005 2:43:07 AM
C:\Program Files\Ebates_MoeMoneyMaker\disp350.exe moved to the backup storage 3/24/2005 2:43:07 AM
C:\Program Files\Ebates_MoeMoneyMaker\disp350.exe deleted 3/24/2005 2:43:07 AM
C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker1.exe is infected with a virus not-a-virus:AdWare.WebRebates.d 3/24/2005 2:43:08 AM
C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker1.exe moved to the backup storage 3/24/2005 2:43:08 AM
C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker1.exe deleted 3/24/2005 2:43:09 AM
C:\WINDOWS\autoheal.exe/stream/data0001 is infected with a virus not-a-virus:AdWare.BargainBuddy.n 3/24/2005 3:17:31 AM
C:\WINDOWS\autoheal.exe moved to the backup storage 3/24/2005 3:17:32 AM
C:\WINDOWS\autoheal.exe is infected with a virus not-a-virus:AdWare.BargainBuddy.n 3/24/2005 3:17:32 AM
C:\WINDOWS\autoheal.exe deleted 3/24/2005 3:17:32 AM
C:\WINDOWS\system32\angelex.exe is infected with a virus not-a-virus:AdWare.BargainBuddy.n 3/24/2005 4:16:33 AM
C:\WINDOWS\system32\angelex.exe moved to the backup storage 3/24/2005 4:16:34 AM
C:\WINDOWS\system32\angelex.exe deleted 3/24/2005 4:16:34 AM
C:\WINDOWS\system32\instsrv.exe is infected with a virus not-a-virus:RiskWare.Tool.ServiceRunner.f 3/24/2005 4:17:39 AM
C:\WINDOWS\system32\instsrv.exe moved to the backup storage 3/24/2005 4:17:39 AM
C:\WINDOWS\system32\instsrv.exe deleted 3/24/2005 4:17:39 AM
C:\WINDOWS\system32\Cache\AMEX_54.exe/WISE0007.BIN is infected with a virus TrojanDownloader.Win32.TSUpdate.f 3/24/2005 4:20:07 AM
C:\WINDOWS\system32\Cache\AMEX_54.exe moved to the backup storage 3/24/2005 4:20:07 AM
C:\WINDOWS\system32\Cache\AMEX_54.exe deleted 3/24/2005 4:20:07 AM
C:\WINDOWS\system32\Cache\Kyongju.exe/data0003 is infected with a virus not-a-virus:AdWare.PurityScan.w 3/24/2005 4:20:10 AM
C:\WINDOWS\system32\Cache\Kyongju.exe moved to the backup storage 3/24/2005 4:20:10 AM
C:\WINDOWS\system32\Cache\Kyongju.exe is infected with a virus not-a-virus:AdWare.PurityScan.w 3/24/2005 4:20:11 AM
C:\WINDOWS\system32\Cache\Kyongju.exe deleted 3/24/2005 4:20:11 AM
C:\WINDOWS\system32\Cache\saie1101.exe is infected with a virus TrojanDropper.Win32.Small.mr 3/24/2005 4:20:13 AM
C:\WINDOWS\system32\Cache\saie1101.exe moved to the backup storage 3/24/2005 4:20:13 AM
C:\WINDOWS\system32\Cache\saie1101.exe deleted 3/24/2005 4:20:13 AM
C:\WINDOWS\system32\Cache\thin-8-1-x-x.exe is infected with a virus not-a-virus:AdWare.BetterInternet 3/24/2005 4:20:18 AM
C:\WINDOWS\system32\Cache\thin-8-1-x-x.exe moved to the backup storage 3/24/2005 4:20:18 AM
C:\WINDOWS\system32\Cache\thin-8-1-x-x.exe deleted 3/24/2005 4:20:18 AM
C:\WINDOWS\system32\Cache\videoinst.exe is infected with a virus TrojanDownloader.Win32.Small.wj 3/24/2005 4:20:20 AM
C:\WINDOWS\system32\Cache\videoinst.exe moved to the backup storage 3/24/2005 4:20:20 AM
C:\WINDOWS\system32\Cache\videoinst.exe deleted 3/24/2005 4:20:20 AM
C:\WINDOWS\system32\Cache\WebRebates_Auto_InstallSilent.exe/data0003 is infected with a virus not-a-virus:AdWare.WebRebates.d 3/24/2005 4:20:21 AM
C:\WINDOWS\system32\Cache\WebRebates_Auto_InstallSilent.exe moved to the backup storage 3/24/2005 4:20:21 AM
C:\WINDOWS\system32\Cache\WebRebates_Auto_InstallSilent.exe deleted 3/24/2005 4:20:22 AM
C:\WINDOWS\system32\Cache\wrapperouter.exe/WISE0006.BIN is infected with a virus not-a-virus:AdWare.VirtualBouncer.c 3/24/2005 4:20:23 AM
C:\WINDOWS\system32\Cache\wrapperouter.exe moved to the backup storage 3/24/2005 4:20:24 AM
C:\WINDOWS\system32\Cache\wrapperouter.exe is infected with a virus not-a-virus:AdWare.VirtualBouncer.c 3/24/2005 4:20:24 AM
C:\WINDOWS\system32\Cache\wrapperouter.exe deleted 3/24/2005 4:20:24 AM


--------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:01:14 AM, on 3/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
C:\Documents and Settings\Dave Willoughby\My Documents\HijackThis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [fcznre] c:\windows\system32\fcznre.exe
O4 - HKLM\..\Run: [o9b9kvmc] C:\Program Files\o9b9kvmc\o9b9kvmc.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKLM\..\Run: [ms04220442034] C:\WINDOWS\ms04220442034.exe
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPassK.exe
O4 - HKLM\..\Run: [nmbix] C:\WINDOWS\nmbix.exe
O4 - HKLM\..\Run: [ps7f3pP] shgip32.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteezf32.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O4 - HKCU\..\Run: [YBopRfj2j] sentil.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Dave Willoughby\Application Data\eetu.exe
O4 - HKCU\..\Run: [Quahnpn] C:\WINDOWS\System32\??ool32.exe
O4 - HKCU\..\Run: [rfqq] C:\PROGRA~1\COMMON~1\rfqq\rfqqm.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
Flrman1 (Mark)
Member with 46,322 posts.
Join Date: Jul 2002
Location: Thomasville, NC
24-Mar-2005, 07:50 AM #8
Run KAV one more time in safe mode, then post new logs please.
godenver
Junior Member with 8 posts.
THREAD STARTER
Join Date: Mar 2005
Experience: Intermediate
25-Mar-2005, 11:48 AM #9
Ran KAV and HijackThis again. Here are the logs.

Statistics:
Task start time: 3/24/2005 6:10:03 PM
Task completion time: 3/24/2005 7:31:31 PM
Objects scanned: 141682
Viruses detected: 28
Viruses disinfected: 0
Objects deleted: 28
Objects quarantined: 0

Settings:
Objects to be scanned:
My Computer
If an infected object is found:
Perform recommended action
Scan level:
Recommended
Objects to be excluded from the scan scope:
Option not used

Report:
C:\Documents and Settings\All Users\Application Data\msw\MSW.exe is infected with a virus not-a-virus:AdWare.Searcher.h 3/24/2005 6:19:12 PM
C:\Documents and Settings\All Users\Application Data\msw\MSW.exe moved to the backup storage 3/24/2005 6:19:13 PM
C:\Documents and Settings\All Users\Application Data\msw\MSW.exe deleted 3/24/2005 6:19:13 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip\related.htm password protected, has not been processed 3/24/2005 6:19:16 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:16 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc.zip\dave willoughby@atdmt[1].txt password protected, has not been processed 3/24/2005 6:19:16 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:16 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BargainBuddy.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 6:19:16 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BargainBuddy.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:16 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 6:19:16 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:16 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit1.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 6:19:16 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit1.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:16 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit2.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 6:19:16 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit2.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:16 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit3.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 6:19:16 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit3.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:16 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit4.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 6:19:16 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit4.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:16 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eZulaHotText.zip\eZinstall.exe password protected, has not been processed 3/24/2005 6:19:16 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eZulaHotText.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:16 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 6:19:17 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:17 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin1.zip\lu.dat password protected, has not been processed 3/24/2005 6:19:17 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin1.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:17 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin2.zip\systb.dll password protected, has not been processed 3/24/2005 6:19:17 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin2.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:17 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin3.zip\wupdt.exe password protected, has not been processed 3/24/2005 6:19:17 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin3.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:17 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MySearch.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 6:19:17 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MySearch.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:17 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MySearch1.zip\bar/History/search password protected, has not been processed 3/24/2005 6:19:17 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MySearch1.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:17 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtualBouncer.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 6:19:17 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtualBouncer.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:17 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtualBouncer1.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 6:19:17 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtualBouncer1.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:17 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtualBouncer2.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 6:19:17 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtualBouncer2.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:17 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 6:19:17 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:17 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer1.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 6:19:17 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer1.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:17 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer2.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 6:19:17 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer2.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:17 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer3.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 6:19:17 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer3.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:17 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer4.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 6:19:17 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer4.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:17 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer5.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 6:19:17 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer5.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:17 PM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\randreco.exe is infected with a virus not-a-virus:AdWare.BetterInternet 3/24/2005 6:20:41 PM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\randreco.exe moved to the backup storage 3/24/2005 6:20:41 PM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\randreco.exe deleted 3/24/2005 6:20:41 PM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI1232.tmp\wupdt.exe is infected with a virus Trojan-Downloader.Win32.Intexp.c 3/24/2005 6:20:44 PM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI1232.tmp\wupdt.exe moved to the backup storage 3/24/2005 6:20:44 PM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI1232.tmp\wupdt.exe deleted 3/24/2005 6:20:44 PM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI21FD.tmp\farmmext.cab\farmmext.exe is infected with a virus Trojan-Downloader.Win32.Stubby.c 3/24/2005 6:20:44 PM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI21FD.tmp\farmmext.cab moved to the backup storage 3/24/2005 6:20:44 PM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI21FD.tmp\farmmext.cab\farmmext.exe deleted 3/24/2005 6:20:44 PM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI21FD.tmp\farmmext.exe is infected with a virus Trojan-Downloader.Win32.Stubby.c 3/24/2005 6:20:44 PM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI21FD.tmp\farmmext.exe moved to the backup storage 3/24/2005 6:20:45 PM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI21FD.tmp\farmmext.exe deleted 3/24/2005 6:20:45 PM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI23F.tmp\wupdt.exe is infected with a virus Trojan-Downloader.Win32.Intexp.c 3/24/2005 6:20:45 PM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI23F.tmp\wupdt.exe moved to the backup storage 3/24/2005 6:20:45 PM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI23F.tmp\wupdt.exe deleted 3/24/2005 6:20:45 PM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI31FC.tmp\wupdt.exe is infected with a virus Trojan-Downloader.Win32.Intexp.c 3/24/2005 6:20:45 PM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI31FC.tmp\wupdt.exe moved to the backup storage 3/24/2005 6:20:45 PM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI31FC.tmp\wupdt.exe deleted 3/24/2005 6:20:45 PM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI4580.tmp\farmmext.cab\farmmext.exe is infected with a virus Trojan-Downloader.Win32.Stubby.c 3/24/2005 6:20:46 PM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI4580.tmp\farmmext.cab moved to the backup storage 3/24/2005 6:20:46 PM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI4580.tmp\farmmext.cab\farmmext.exe deleted 3/24/2005 6:20:46 PM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI4580.tmp\farmmext.exe is infected with a virus Trojan-Downloader.Win32.Stubby.c 3/24/2005 6:20:46 PM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI4580.tmp\farmmext.exe moved to the backup storage 3/24/2005 6:20:46 PM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI4580.tmp\farmmext.exe deleted 3/24/2005 6:20:46 PM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI471E.tmp\wupdt.exe is infected with a virus Trojan-Downloader.Win32.Intexp.c 3/24/2005 6:20:47 PM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI471E.tmp\wupdt.exe moved to the backup storage 3/24/2005 6:20:47 PM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI471E.tmp\wupdt.exe deleted 3/24/2005 6:20:47 PM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI5B67.tmp\wupdt.exe is infected with a virus Trojan-Downloader.Win32.Intexp.c 3/24/2005 6:20:47 PM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI5B67.tmp\wupdt.exe moved to the backup storage 3/24/2005 6:20:47 PM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI5B67.tmp\wupdt.exe deleted 3/24/2005 6:20:47 PM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI7BB5.tmp\wupdt.exe is infected with a virus Trojan-Downloader.Win32.Intexp.c 3/24/2005 6:20:48 PM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI7BB5.tmp\wupdt.exe moved to the backup storage 3/24/2005 6:20:48 PM
C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI7BB5.tmp\wupdt.exe deleted 3/24/2005 6:20:48 PM
C:\WINDOWS\systb.exe\systb.dll is infected with a virus not-a-virus:AdWare.ToolBar.ImiBar.d 3/24/2005 6:46:33 PM
C:\WINDOWS\systb.exe moved to the backup storage 3/24/2005 6:46:33 PM
C:\WINDOWS\systb.exe\systb.dll deleted 3/24/2005 6:46:34 PM
C:\WINDOWS\wupdsnff.exe is infected with a virus not-a-virus:AdWare.BetterInternet 3/24/2005 6:46:37 PM
C:\WINDOWS\wupdsnff.exe moved to the backup storage 3/24/2005 6:46:37 PM
C:\WINDOWS\wupdsnff.exe deleted 3/24/2005 6:46:38 PM
C:\WINDOWS\system32\eliteptb32.exe is a Trojan Trojan.Win32.StartPage.nk 3/24/2005 7:25:35 PM
C:\WINDOWS\system32\eliteptb32.exe moved to the backup storage 3/24/2005 7:25:35 PM
C:\WINDOWS\system32\eliteptb32.exe deleted 3/24/2005 7:25:35 PM
C:\WINDOWS\system32\elitervk32.exe is a Trojan Trojan.Win32.StartPage.nk 3/24/2005 7:25:36 PM
C:\WINDOWS\system32\elitervk32.exe moved to the backup storage 3/24/2005 7:25:36 PM
C:\WINDOWS\system32\elitervk32.exe deleted 3/24/2005 7:25:36 PM
C:\WINDOWS\system32\mqexdlm.srg is infected with a virus not-a-virus:AdWare.BargainBuddy.q 3/24/2005 7:26:03 PM
C:\WINDOWS\system32\mqexdlm.srg moved to the backup storage 3/24/2005 7:26:04 PM
C:\WINDOWS\system32\mqexdlm.srg deleted 3/24/2005 7:26:04 PM
C:\WINDOWS\system32\temperror32.dat is a Trojan Trojan.Win32.StartPage.nk 3/24/2005 7:26:51 PM
C:\WINDOWS\system32\temperror32.dat moved to the backup storage 3/24/2005 7:26:51 PM
C:\WINDOWS\system32\temperror32.dat deleted 3/24/2005 7:26:51 PM
C:\WINDOWS\system32\Cache\adl_ibis_AS2.exe is infected with a virus Trojan-Downloader.Win32.Wintool.e 3/24/2005 7:27:17 PM
C:\WINDOWS\system32\Cache\adl_ibis_AS2.exe moved to the backup storage 3/24/2005 7:27:17 PM
C:\WINDOWS\system32\Cache\adl_ibis_AS2.exe deleted 3/24/2005 7:27:17 PM
C:\WINDOWS\system32\Cache\AUNIcons.exe is infected with a virus Trojan-Downloader.Win32.Agent.jq 3/24/2005 7:27:18 PM
C:\WINDOWS\system32\Cache\AUNIcons.exe moved to the backup storage 3/24/2005 7:27:18 PM
C:\WINDOWS\system32\Cache\AUNIcons.exe deleted 3/24/2005 7:27:18 PM
C:\WINDOWS\system32\Cache\CSv13P108.exe is a backdoor Backdoor.Win32.Ruledor.f 3/24/2005 7:27:18 PM
C:\WINDOWS\system32\Cache\CSv13P108.exe moved to the backup storage 3/24/2005 7:27:18 PM
C:\WINDOWS\system32\Cache\CSv13P108.exe deleted 3/24/2005 7:27:18 PM
C:\WINDOWS\system32\Cache\cxtpls_loader.exe is infected with a virus Trojan-Downloader.Win32.Apropo.r 3/24/2005 7:27:19 PM
C:\WINDOWS\system32\Cache\cxtpls_loader.exe moved to the backup storage 3/24/2005 7:27:19 PM
C:\WINDOWS\system32\Cache\cxtpls_loader.exe deleted 3/24/2005 7:27:19 PM
C:\WINDOWS\system32\Cache\EDow_AS2.exe is infected with a virus Trojan-Dropper.Win32.Agent.hl 3/24/2005 7:27:19 PM
C:\WINDOWS\system32\Cache\EDow_AS2.exe moved to the backup storage 3/24/2005 7:27:19 PM
C:\WINDOWS\system32\Cache\EDow_AS2.exe deleted 3/24/2005 7:27:19 PM
C:\WINDOWS\system32\Cache\installer_MARKETING17.exe is infected with a virus Trojan-Downloader.Win32.Adload.a 3/24/2005 7:27:20 PM
C:\WINDOWS\system32\Cache\installer_MARKETING17.exe moved to the backup storage 3/24/2005 7:27:20 PM
C:\WINDOWS\system32\Cache\installer_MARKETING17.exe deleted 3/24/2005 7:27:20 PM
C:\WINDOWS\system32\Cache\pop.exe is infected with a virus not-a-virus:AdWare.WinAD.ab 3/24/2005 7:27:21 PM
C:\WINDOWS\system32\Cache\pop.exe moved to the backup storage 3/24/2005 7:27:21 PM
C:\WINDOWS\system32\Cache\pop.exe deleted 3/24/2005 7:27:21 PM
C:\WINDOWS\system32\Cache\Setup.exe/data0012 is a Trojan Trojan.Win32.VB.tg 3/24/2005 7:27:22 PM
C:\WINDOWS\system32\Cache\Setup.exe moved to the backup storage 3/24/2005 7:27:23 PM
C:\WINDOWS\system32\Cache\Setup.exe deleted 3/24/2005 7:27:24 PM
C:\WINDOWS\system32\Cache\skh2.exe/data0003 is infected with a virus Trojan-Downloader.Win32.Small.aly 3/24/2005 7:27:24 PM
C:\WINDOWS\system32\Cache\skh2.exe moved to the backup storage 3/24/2005 7:27:24 PM
C:\WINDOWS\system32\Cache\skh2.exe deleted 3/24/2005 7:27:24 PM
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ERF9X01I\protector_update[1].exe is a Trojan Trojan.Win32.StartPage.nk 3/24/2005 7:27:31 PM
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ERF9X01I\protector_update[1].exe moved to the backup storage 3/24/2005 7:27:32 PM
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ERF9X01I\protector_update[1].exe deleted 3/24/2005 7:27:32 PM


-------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:24:14 PM, on 3/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Dave Willoughby\My Documents\HijackThis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll (file missing)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [o9b9kvmc] C:\Program Files\o9b9kvmc\o9b9kvmc.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [ms04220442034] C:\WINDOWS\ms04220442034.exe
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPassK.exe
O4 - HKLM\..\Run: [nmbix] C:\WINDOWS\nmbix.exe
O4 - HKLM\..\Run: [ps7f3pP] shgip32.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [YBopRfj2j] sentil.exe
O4 - HKCU\..\Run: [Quahnpn] C:\WINDOWS\System32\??ool32.exe
O4 - HKCU\..\Run: [rfqq] C:\PROGRA~1\COMMON~1\rfqq\rfqqm.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
Flrman1 (Mark)
Member with 46,322 posts.
Join Date: Jul 2002
Location: Thomasville, NC
25-Mar-2005, 04:55 PM #10
Run HijackThis again and put a check by these. Close ALL windows except HijackThis and click "Fix checked".

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll (file missing)

O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)

O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe

O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16

O4 - HKLM\..\Run: [o9b9kvmc] C:\Program Files\o9b9kvmc\o9b9kvmc.exe

O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe

O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe

O4 - HKLM\..\Run: [ms04220442034] C:\WINDOWS\ms04220442034.exe

O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPassK.exe

O4 - HKLM\..\Run: [nmbix] C:\WINDOWS\nmbix.exe

O4 - HKLM\..\Run: [ps7f3pP] shgip32.exe

O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"

O4 - HKCU\..\Run: [YBopRfj2j] sentil.exe

O4 - HKCU\..\Run: [Quahnpn] C:\WINDOWS\System32\??ool32.exe

O4 - HKCU\..\Run: [rfqq] C:\PROGRA~1\COMMON~1\rfqq\rfqqm.exe

O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm

O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)


Restart to safe mode.

How to start your computer in safe mode

Because XP will not always show you hidden files and folders by default, go to Start > Search and, under "More advanced search options", make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

Now find and delete these files:

C:\WINDOWS\nmbix.exe
C:\WINDOWS\ms04220442034.exe
C:\WINDOWS\System32\exp.exe
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\System32\winupdt.exe
sentil.exe
shgip32.exe


Delete these folders:

C:\Program Files\o9b9kvmc
C:\Program Files\Media Pass
C:\Program Files\Ebates_MoeMoneyMaker
C:\Program Files\Common Files\rfqq

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


Empty the Recycle Bin


Boot back to Windows normally now.


Go here and download Microsoft AntiSpyware Beta. First press File and check for updates, then run it.

Let it fix anything that it finds (have it quarantine them rather than delete, just in case; it is a beta program and there may be false positives).

Restart your computer.

Come back here and post another HijackThis log and we'll get rid of what's left.
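The triage the helper does by eye in the post above, written out as code. This is an added example, not code from the thread, from HijackThis or from any of the vendors named in the logs: a small Python parser for the R0/R1 (Internet Explorer start and search settings) and O4 (Run-key autostart) lines of the HijackThis v1.99 log format. It flags the entries to fix, turns the flagged O4 entries into the safe-mode delete list of files and folders, and diffs a before/after log the way the helper does between posts. The sample lines are copied from the logs in the thread; the allowlists of trusted install directories and trusted hosts (`TRUSTED_DIRS`, `TRUSTED_HOSTS`), and the Program Files prefixes used to decide between deleting a file and deleting its folder, are constructed for this example and are not something the thread provides.

```python
"""Triage helper for HijackThis v1.99 log lines (added example, not code from the thread).
Flags R0/R1 (IE start/search) and O4 (Run-key autostart) entries a helper would tell the poster
to fix, builds the safe-mode delete list, and diffs a before/after log. The allowlists below are
constructed for this example; real triage checks file hashes and signatures, not path names."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed samples: lines copied from the 24-Mar-2005 log in the thread, and the matching
# lines from the 27-Mar-2005 log taken after the fix.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [o9b9kvmc] C:\Program Files\o9b9kvmc\o9b9kvmc.exe
O4 - HKLM\..\Run: [ps7f3pP] shgip32.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [Quahnpn] C:\WINDOWS\System32\??ool32.exe
O4 - HKCU\..\Run: [rfqq] C:\PROGRA~1\COMMON~1\rfqq\rfqqm.exe
"""
LOG_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run[^:]*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
R_RE = re.compile(r"^(?P<key>[^,]+),(?P<value>[^=]+) = (?P<data>.*)$")

# Constructed allowlists (lowercase); anything not on them is treated as "fix it".
TRUSTED_DIRS = (r"c:\program files\synaptics", r"c:\program files\kaspersky lab")
TRUSTED_HOSTS = {"www.hotmail.com"}
SEARCH_VALUES = {"Start Page", "Search Bar", "Search Page", "SearchAssistant", "CustomizeSearch", "(Default)"}
PROGRAM_DIRS = ("c:\\program files\\", "c:\\progra~1\\")  # constructed: delete the folder, not the file

@dataclass(frozen=True)
class Finding:
    kind: str    # "R1", "O4", ...
    line: str    # the log line as HijackThis printed it
    reason: str
    target: str  # executable path for O4, host name for R0/R1

def command_path(cmd: str) -> str:
    """Executable (or DLL) a Run value starts, with quoting and arguments stripped."""
    cmd = cmd.strip()
    if cmd.upper().startswith("RUNDLL32"):  # rundll32 <dll>,<export>: the DLL is the payload
        return cmd.split(None, 1)[1].split(",")[0]
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.*?\.exe)(?=\s|$)", cmd, re.IGNORECASE)  # unquoted paths may contain spaces
    return m.group(1) if m else cmd

def host_of(url: str) -> str:
    return re.sub(r"^[a-z]+://", "", url.strip(), flags=re.IGNORECASE).split("/")[0].lower()

def judge_o4(path: str) -> Optional[str]:
    """Reason to fix an O4 entry, or None if it points into a trusted install directory."""
    if "?" in path:
        return "path contains characters HijackThis could not print"
    if "\\" not in path:
        return "bare file name, resolved through the PATH search order at logon"
    if path.lower().startswith(tuple(d + "\\" for d in TRUSTED_DIRS)):
        return None
    return "autostart outside any trusted install directory"

def triage(log: str) -> List[Finding]:
    findings = []
    for line in (raw.strip() for raw in log.splitlines()):
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body, reason, target = m.group("kind"), m.group("body"), None, ""
        if kind == "O4" and (o4 := O4_RE.match(body)):
            target = command_path(o4.group("cmd"))
            reason = judge_o4(target)
        elif kind in ("R0", "R1") and (r := R_RE.match(body)):
            target = host_of(r.group("data"))
            if r.group("value") in SEARCH_VALUES and target not in TRUSTED_HOSTS:
                reason = f"IE {r.group('value')} points at untrusted host {target}"
        if reason:
            findings.append(Finding(kind, line, reason, target))
    return findings

def delete_list(findings: List[Finding]) -> Tuple[List[str], List[str]]:
    """Safe-mode delete list (files, folders): a flagged program under Program Files loses its
    whole folder, as in the helper's list; bare names come back as-is for a manual search."""
    files, folders = [], []
    for f in findings:
        if f.kind != "O4" or "?" in f.target:  # unprintable names must be located by hand
            continue
        if f.target.lower().startswith(PROGRAM_DIRS):
            folders.append(ntpath.dirname(f.target))
        else:
            files.append(f.target)
    return files, folders

def diff_logs(before: str, after: str) -> Tuple[List[str], List[Finding]]:
    """Entries gone after the fix, and flagged entries that survived it."""
    def entries(log):
        return {raw.strip() for raw in log.splitlines() if ENTRY_RE.match(raw.strip())}
    return sorted(entries(before) - entries(after)), triage(after)
```

Two things the code makes explicit that the thread only shows by outcome. Fixing an O4 entry in HijackThis removes the Run value, not the file, which is why the helper's second step is deleting the executables and folders in safe mode; and the `??ool32.exe` entry is flagged but left off the delete list because the `?` characters are ones HijackThis could not render, so the file cannot be found by typing that name into Explorer or Search. A path allowlist is only a triage shortcut: malware can write into a vendor directory or reuse a vendor name, so a real check compares hashes or signatures rather than paths.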
godenver
Junior Member with 8 posts.
THREAD STARTER
Join Date: Mar 2005
Experience: Intermediate
26-Mar-2005, 02:53 PM #11
Followed your instructions, ran HijackThis and checked all the boxes. When I went to delete the remaining files you listed, the only ones that I could find and delete were:
C:\WINDOWS\ms04220442034.exe
C:\Program Files\Ebates_MoeMoneyMaker

The following files were ones which I could not find in Windows Explorer or Start > Search:

C:\WINDOWS\nmbix.exe
C:\WINDOWS\System32\exp.exe
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\System32\winupdt.exe
sentil.exe
shgip32.exe

C:\Program Files\o9b9kvmc
C:\Program Files\Media Pass
C:\Program Files\Common Files\rfqq


So I ran HijackThis again. Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 2:52:11 PM, on 3/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Dave Willoughby\My Documents\HijackThis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
Flrman1 (Mark)
Member with 46,322 posts.
Join Date: Jul 2002
Location: Thomasville, NC
26-Mar-2005, 09:23 PM #12
The log looks fine.

Was that log made in safe mode? If so, you need to boot to normal Windows and post a log run then.
godenver
Junior Member with 8 posts.
THREAD STARTER
Join Date: Mar 2005
Experience: Intermediate
27-Mar-2005, 08:11 PM #13
Yes, I was running it in safe mode, so I ran HijackThis in normal Windows mode; here is the log. Also, the Kaspersky software is really slowing down my computer. Is there something I can do about that, or should I just uninstall it?



Logfile of HijackThis v1.99.1
Scan saved at 8:08:13 PM, on 3/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realevent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Dave Willoughby\My Documents\HijackThis\hijackthis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
Flrman1 (Mark)
Member with 46,322 posts.
Join Date: Jul 2002
Location: Thomasville, NC
28-Mar-2005, 07:39 AM #14
Clean!

Now turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.
godenver
Junior Member with 8 posts.
THREAD STARTER
Join Date: Mar 2005
Experience: Intermediate
29-Mar-2005, 09:29 AM #15
Awesome, thanks for the help. I do have one more question. Ever since I've gotten this stuff on my computer, I get an error message whenever I restart my computer. The message says "Generic Host Process for Win32 Services encountered a problem and needed to close". What does that mean?