Solved: Please review HJT

cwelaw (thread starter), 23-Apr-2005, 04:34 PM #1
Would you please review the HJT log attached (too big to put in here) and assist in getting this machine back to normal! Flrman did a great job for me a while back on my system. Thank you.
Cookiegal (Administrator & Malware Removal Specialist), 23-Apr-2005, 08:45 PM #2
Download and save Spywadfix to your computer from this link: http://www.thespykiller.co.uk/files/spywadfix.exe and double-click on the spywadfix.exe.

It will automatically extract to c:\spywad where it needs to be to run and will automatically open the remove spywad.vbs script for you ready to paste in the line mentioned below.

If it doesn't open, then go to c:\spywad and double-click on the remove spywad.vbs. Do not run any other file from there, please, unless asked to.

If you have script blocking enabled you will get a warning about a malicious script wanting to run. Please allow this script to run. It is not malicious.

It will open an input box. Paste this line into the box:

C:\WINDOWS\System32\Tmk.exe

The script will kill that process, back up and then delete any matching files in System32 and your Windows directory. It will create a log of all files deleted. This log file will be named Spywad.txt and be located inside the C:\Spywad folder. The backups will also be located in two subfolders there, one named Systems and the other named Window.

The script will search the Windows Directory and delete desktop.html and popup.html if they exist. It will add entries to the log if these files are found and deleted.

It will then kill Explorer. You will lose your taskbar and desktop. It will repair the registry entries returning your normal desktop and context menu functions.

It will restart Explorer.

Finally, it will run HijackThis so that you can remove the orphaned run entries.

If hijackthis doesn't start, run it manually.

Rescan with Hijack This, close all browser windows except Hijack This, put a check mark beside these entries and click fix checked.


When finished, post the contents of Spywad.txt and a new Hijackthis log. There will be more to fix with HJT and more to do as well but this is a first step.
__________________
Microsoft MVP - Consumer Security
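
The entries Cookiegal asks to fix share one shape: a three-letter value name launching a three-letter executable directly under C:\WINDOWS or C:\WINDOWS\System32, registered under both the HKLM and HKCU Run keys. As an added example (not part of the original thread and not HijackThis code), this Python sketch applies those heuristics to O4 lines of a log; the sample log, its names and the reason labels are constructed for illustration.

```python
import re
from collections import defaultdict
from ntpath import basename, dirname, normcase  # Windows path rules on any OS

# O4 autorun line as HijackThis prints it:
#   O4 - HKLM\..\Run: [ValueName] command line
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.+)$')
SYSTEM_DIRS = {normcase(r"C:\WINDOWS"), normcase(r"C:\WINDOWS\System32")}
RANDOM3 = re.compile(r'^[A-Z][a-z]{2}$')          # e.g. "Abc"
BAD_NAME = re.compile(r'[\\"\]]|[^\x20-\x7e]')    # path debris or non-printables


def image_path(command):
    """Return the executable part of a Run command (quoted or unquoted)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    # Unquoted paths may contain spaces, so cut at the first executable suffix.
    m = re.match(r'(?i)(.+?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)', command)
    if m:
        return m.group(1)
    parts = command.split()
    return parts[0] if parts else ""


def parse_o4(log_text):
    """Extract O4 Run entries; lines of any other section are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, key, name, command = m.groups()
            entries.append({"hive": hive, "key": key, "name": name,
                            "command": command, "image": image_path(command)})
    return entries


def triage(log_text):
    """Return (hive, name, image, reasons) for entries worth a closer look.

    Hits are leads to verify (file signature, timestamps, vendor) before
    anything is fixed; a legitimate program can match a single heuristic.
    """
    entries = parse_o4(log_text)
    hives = defaultdict(set)
    for e in entries:
        hives[(e["name"], normcase(e["command"]))].add(e["hive"])

    findings = []
    for e in entries:
        reasons = []
        exe = basename(e["image"])
        stem = exe[:-4] if exe.lower().endswith(".exe") else ""
        in_sysdir = normcase(dirname(e["image"])) in SYSTEM_DIRS
        if RANDOM3.match(e["name"]) and RANDOM3.match(stem) and in_sysdir:
            reasons.append("random-3-letter-pair")
        if len(hives[(e["name"], normcase(e["command"]))]) == 2:
            reasons.append("mirrored-hklm-hkcu")
        if BAD_NAME.search(e["name"]):
            reasons.append("malformed-value-name")
        if reasons:
            findings.append((e["hive"], e["name"], e["image"], reasons))
    return findings


# Constructed sample log (not taken from the thread).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.0
O4 - HKLM\..\Run: [SoundCard] SNDCARD.EXE
O4 - HKLM\..\Run: [VendorTray] "C:\Program Files\Vendor\tray.exe" /startup
O4 - HKLM\..\Run: [Abc] C:\WINDOWS\System32\Xyz.exe
O4 - HKCU\..\Run: [Abc] C:\WINDOWS\System32\Xyz.exe
O4 - HKLM\..\Run: [Def] C:\WINDOWS\Uvw.exe
O4 - HKLM\..\Run: [Upd] C:\Program Files\Vendor\Upd.exe
O4 - HKLM\..\Run: [ab1@]"C:\Program Files\Example\svc.exe] C:\WINDOWS\qwert.exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\example.dll
"""

if __name__ == "__main__":
    for hive, name, image, reasons in triage(SAMPLE_LOG):
        print(f"{hive:4} [{name}] {image} -> {', '.join(reasons)}")
```
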
cwelaw (thread starter), 23-Apr-2005, 09:02 PM #3
Thanks, will do the above and get back to you. This is on my son Matt's machine.
Cookiegal, 23-Apr-2005, 09:27 PM #4
No problem.
cwelaw (thread starter), 23-Apr-2005, 09:27 PM #5
Cookie, I did the Spywad but did not get a Spywad.txt log file, just the System and Windows folders. Also, it did not kill Explorer, restart it or run Hijack this automatically. What should I do next?
Cookiegal, 23-Apr-2005, 09:28 PM #6
Continue with the rest of the instructions and then post another Hijack This log.
cwelaw (thread starter), 23-Apr-2005, 09:53 PM #7
OK, Thanks
Cookiegal, 23-Apr-2005, 09:55 PM #8
cwelaw (thread starter), 23-Apr-2005, 10:30 PM #9
new hjt log
Here is the new HJT log. I can't copy what was in the Systems and Windows folders from Spywad:

Logfile of HijackThis v1.99.0
Scan saved at 7:23:49 PM, on 4/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\open32.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\explorer.exe
C:\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6C07C118-09D3-4869-83B6-FC05F6759A88} - C:\WINDOWS\System32\inni.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ikvl895] C:\WINDOWS\mjgpd.exe
O4 - HKLM\..\Run: [ikvl8@]"C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mjgpd.exe
O4 - HKLM\..\Run: [K04W
}z[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mjgpd.exe
O4 - HKLM\..\Run: [K0@]"iC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mjgpd.exe
O4 - HKLM\..\Run: [K0]"igC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mjgpd.exe
O4 - HKLM\..\Run: [K0@]"K0C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mjgpd.exe
O4 - HKLM\..\Run: [ynmjetkd] C:\WINDOWS\ynmjetkd.exe
O4 - HKLM\..\Run: [ikvl8]"igC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mjgpd.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [K04W
}zigC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mjgpd.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [Suf] C:\WINDOWS\System32\Bkf.exe
O4 - HKLM\..\Run: [Lil] C:\WINDOWS\System32\Ecv.exe
O4 - HKLM\..\Run: [Kcv] C:\WINDOWS\System32\Eth.exe
O4 - HKLM\..\Run: [Ccr] C:\WINDOWS\System32\Hcm.exe
O4 - HKLM\..\Run: [Kfd] C:\WINDOWS\Lvq.exe
O4 - HKLM\..\Run: [Lcf] C:\WINDOWS\System32\Bus.exe
O4 - HKLM\..\Run: [Roa] C:\WINDOWS\System32\Hoj.exe
O4 - HKLM\..\Run: [Osh] C:\WINDOWS\System32\Tng.exe
O4 - HKLM\..\Run: [Guc] C:\WINDOWS\Udi.exe
O4 - HKLM\..\Run: [Ibg] C:\WINDOWS\System32\Qaa.exe
O4 - HKLM\..\Run: [Svr] C:\WINDOWS\Ibn.exe
O4 - HKLM\..\Run: [Bvp] C:\WINDOWS\System32\Mph.exe
O4 - HKLM\..\Run: [Rcg] C:\WINDOWS\Mkn.exe
O4 - HKLM\..\Run: [Gql] C:\WINDOWS\System32\Oot.exe
O4 - HKLM\..\Run: [Pra] C:\WINDOWS\Dhl.exe
O4 - HKLM\..\Run: [Shell] open32.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Suf] C:\WINDOWS\System32\Bkf.exe
O4 - HKCU\..\Run: [Lil] C:\WINDOWS\System32\Ecv.exe
O4 - HKCU\..\Run: [Kcv] C:\WINDOWS\System32\Eth.exe
O4 - HKCU\..\Run: [Ccr] C:\WINDOWS\System32\Hcm.exe
O4 - HKCU\..\Run: [Kfd] C:\WINDOWS\Lvq.exe
O4 - HKCU\..\Run: [Lcf] C:\WINDOWS\System32\Bus.exe
O4 - HKCU\..\Run: [Roa] C:\WINDOWS\System32\Hoj.exe
O4 - HKCU\..\Run: [Osh] C:\WINDOWS\System32\Tng.exe
O4 - HKCU\..\Run: [Guc] C:\WINDOWS\Udi.exe
O4 - HKCU\..\Run: [Ibg] C:\WINDOWS\System32\Qaa.exe
O4 - HKCU\..\Run: [Svr] C:\WINDOWS\Ibn.exe
O4 - HKCU\..\Run: [Bvp] C:\WINDOWS\System32\Mph.exe
O4 - HKCU\..\Run: [Rcg] C:\WINDOWS\Mkn.exe
O4 - HKCU\..\Run: [Gql] C:\WINDOWS\System32\Oot.exe
O4 - HKCU\..\Run: [Pra] C:\WINDOWS\Dhl.exe
O4 - Startup: winupdate67070701[1].exe
O4 - Startup: winupdate67898385[1].exe
O4 - Startup: winupdate81090145[1].exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O15 - Trusted Zone: *.horse-active.net
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.horse-active.net (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 64.62.171.156
O15 - Trusted IP range: (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab30149.cab
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary...s.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab30149.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/62.../bridge-c8.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab30149.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22.hotmail.msn.com/...s/MsnPUpld.cab
O16 - DPF: {5E8FD788-C323-4357-AB76-7CBCEFBA573C} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab30149.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab30149.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab30149.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 95,175 posts.
 
Join Date: Aug 2003
24-Apr-2005, 10:38 AM #10
Run this uninstaller:

http://sarc.com/avcenter/venc/data/adware.istbar.html

Go to Control Panel - Add/Remove programs and remove the following, if there:

Viewpoint
AWS (WeatherBug)
WildTangent
Media Access


Rescan with Hijack This, close all browser windows except Hijack This, put a check mark beside these entries and click fix checked.

O2 - BHO: (no name) - {6C07C118-09D3-4869-83B6-FC05F6759A88} - C:\WINDOWS\System32\inni.dll (file missing)

O4 - HKLM\..\Run: [ikvl8@]" C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mjgpd.exe

O4 - HKLM\..\Run: [K04W
}z [ 8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mjgpd.exe

O4 - HKLM\..\Run: [K0@]" iC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mjgpd.exe

O4 - HKLM\..\Run: [K0]" igC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mjgpd.exe

O4 - HKLM\..\Run: [K0@]" K0C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mjgpd.exe

O4 - HKLM\..\Run: [ynmjetkd] C:\WINDOWS\ynmjetkd.exe

O4 - HKLM\..\Run: [ikvl8]" igC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mjgpd.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [K04W
}z igC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\mjgpd.exe

O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe

O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

O4 - HKLM\..\Run: [Suf] C:\WINDOWS\System32\Bkf.exe

O4 - HKLM\..\Run: [Lil] C:\WINDOWS\System32\Ecv.exe

O4 - HKLM\..\Run: [Kcv] C:\WINDOWS\System32\Eth.exe

O4 - HKLM\..\Run: [Ccr] C:\WINDOWS\System32\Hcm.exe

O4 - HKLM\..\Run: [Kfd] C:\WINDOWS\Lvq.exe

O4 - HKLM\..\Run: [Lcf] C:\WINDOWS\System32\Bus.exe

O4 - HKLM\..\Run: [Roa] C:\WINDOWS\System32\Hoj.exe

O4 - HKLM\..\Run: [Osh] C:\WINDOWS\System32\Tng.exe

O4 - HKLM\..\Run: [Guc] C:\WINDOWS\Udi.exe

O4 - HKLM\..\Run: [Ibg] C:\WINDOWS\System32\Qaa.exe

O4 - HKLM\..\Run: [Svr] C:\WINDOWS\Ibn.exe

O4 - HKLM\..\Run: [Bvp] C:\WINDOWS\System32\Mph.exe

O4 - HKLM\..\Run: [Rcg] C:\WINDOWS\Mkn.exe

O4 - HKLM\..\Run: [Gql] C:\WINDOWS\System32\Oot.exe

O4 - HKLM\..\Run: [Pra] C:\WINDOWS\Dhl.exe

O4 - HKLM\..\Run: [Shell] open32.exe

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

O4 - HKCU\..\Run: [Suf] C:\WINDOWS\System32\Bkf.exe

O4 - HKCU\..\Run: [Lil] C:\WINDOWS\System32\Ecv.exe

O4 - HKCU\..\Run: [Kcv] C:\WINDOWS\System32\Eth.exe

O4 - HKCU\..\Run: [Ccr] C:\WINDOWS\System32\Hcm.exe

O4 - HKCU\..\Run: [Kfd] C:\WINDOWS\Lvq.exe

O4 - HKCU\..\Run: [Lcf] C:\WINDOWS\System32\Bus.exe

O4 - HKCU\..\Run: [Roa] C:\WINDOWS\System32\Hoj.exe

O4 - HKCU\..\Run: [Osh] C:\WINDOWS\System32\Tng.exe

O4 - HKCU\..\Run: [Guc] C:\WINDOWS\Udi.exe

O4 - HKCU\..\Run: [Ibg] C:\WINDOWS\System32\Qaa.exe

O4 - HKCU\..\Run: [Svr] C:\WINDOWS\Ibn.exe

O4 - HKCU\..\Run: [Bvp] C:\WINDOWS\System32\Mph.exe

O4 - HKCU\..\Run: [Rcg] C:\WINDOWS\Mkn.exe

O4 - HKCU\..\Run: [Gql] C:\WINDOWS\System32\Oot.exe

O4 - HKCU\..\Run: [Pra] C:\WINDOWS\Dhl.exe

O4 - Startup: winupdate67070701[1].exe

O4 - Startup: winupdate67898385[1].exe

O4 - Startup: winupdate81090145[1].exe

O4 - Global Startup: Exif Launcher.lnk = ?

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

O15 - Trusted Zone: *.horse-active.net
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.horse-active.net (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 64.62.171.156
O15 - Trusted IP range: (HKLM)

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6...e/bridge-c8.cab

O16 - DPF: {5E8FD788-C323-4357-AB76-7CBCEFBA573C} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader.ocx


Then boot to safe mode (see how below), locate and delete these files and/or folders:

C:\Program Files\ISTsvc - folder
C:\WINDOWS\mjgpd.exe - file
C:\WINDOWS\ynmjetkd.exe - file
C:\Program Files\Viewpoint - folder
C:\Program Files\ISTsvc - folder
C:\Program Files\Media Access - folder
C:\Program Files\WildTangent - folder
C:\WINDOWS\System32\Bkf.exe - file
C:\WINDOWS\System32\Ecv.exe - file
C:\WINDOWS\System32\Eth.exe - file
C:\WINDOWS\System32\Hcm.exe - file
C:\WINDOWS\Lvq.exe - file
C:\WINDOWS\System32\Bus.exe - file
C:\WINDOWS\System32\Hoj.exe - file
C:\WINDOWS\System32\Tng.exe - file
C:\WINDOWS\Udi.exe - file
C:\WINDOWS\System32\Qaa.exe - file
C:\WINDOWS\Ibn.exe - file
C:\WINDOWS\System32\Mph.exe - file
C:\WINDOWS\Mkn.exe - file
C:\WINDOWS\System32\Oot.exe - file
C:\WINDOWS\Dhl.exe - file
open32.exe - file
C:\Program Files\AWS - folder
C:\WINDOWS\System32\Bkf.exe - file
C:\WINDOWS\System32\Ecv.exe - file
C:\WINDOWS\System32\Eth.exe - file
C:\WINDOWS\System32\Hcm.exe - file
C:\WINDOWS\Lvq.exe - file
C:\WINDOWS\System32\Bus.exe - file
C:\WINDOWS\System32\Hoj.exe - file
C:\WINDOWS\System32\Tng.exe - file
C:\WINDOWS\Udi.exe - file
C:\WINDOWS\System32\Qaa.exe - file
C:\WINDOWS\Ibn.exe - file
C:\WINDOWS\System32\Mph.exe - file
C:\WINDOWS\Mkn.exe - file
C:\WINDOWS\System32\Oot.exe - file
C:\WINDOWS\Dhl.exe - file
C:\PROGRA~1\AWS - folder

How to restart to safe mode:
http://service1.symantec.com/SUPPORT...rc=sec_doc_nam

Because XP will not always show you hidden files and folders by default, go to Start - Search and, under "More advanced search options", make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools - Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

Is there more than one user profile on this machine?

Reboot and post another Hijack This log please.
cwelaw's Avatar
cwelaw cwelaw is offline
Member with 67 posts.
THREAD STARTER
 
Join Date: Jul 2004
Experience: Beginner
24-Apr-2005, 12:22 PM #11
Good Morning. The Symantec uninstaller page is "temporarily unavailable." Will keep checking back to that page to run it. Can I do the rest and then do the uninstaller later?
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 95,175 posts.
 
Join Date: Aug 2003
24-Apr-2005, 12:44 PM #12
Yes, go ahead.
cwelaw's Avatar
cwelaw cwelaw is offline
Member with 67 posts.
THREAD STARTER
 
Join Date: Jul 2004
Experience: Beginner
24-Apr-2005, 02:02 PM #13
Next HJT
Still can't get on the Symantec removal tool site. Did the rest of the instructions, noting though that some of the files/folders could not be found. I did have the hidden, system and protected system files/folders shown. Thanks so far, and look forward to what's next. Couple of items I would like to mention are that after I ran Spywad, some of the problems went away, only to return later and I can't get anything to happen when I right click on the mouse. Here's the HJT

Logfile of HijackThis v1.99.1
Scan saved at 10:57:39 AM, on 4/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\WINDOWS\System32\Kci.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\User\Start Menu\Programs\Startup\winupdate67070701[1].exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\hijackthis\HijackThis program 4-23-5.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ikvl895] C:\WINDOWS\mjgpd.exe
O4 - HKLM\..\Run: [Can] C:\WINDOWS\System32\Kci.exe
O4 - HKLM\..\Run: [Gut] C:\WINDOWS\Hhi.exe
O4 - HKLM\..\Run: [Tad] C:\WINDOWS\Dkc.exe
O4 - HKLM\..\Run: [Fus] C:\WINDOWS\System32\Jdh.exe
O4 - HKLM\..\Run: [Rmo] C:\WINDOWS\Oal.exe
O4 - HKLM\..\Run: [Rpi] C:\WINDOWS\System32\Nph.exe
O4 - HKLM\..\Run: [Ilc] C:\WINDOWS\System32\Gds.exe
O4 - HKLM\..\Run: [Rta] C:\WINDOWS\System32\Ksv.exe
O4 - HKLM\..\Run: [Lmv] C:\WINDOWS\Fcs.exe
O4 - HKLM\..\Run: [Etk] C:\WINDOWS\Ham.exe
O4 - HKLM\..\Run: [Vad] C:\WINDOWS\System32\Fjn.exe
O4 - HKLM\..\Run: [Rgb] C:\WINDOWS\System32\Rha.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Can] C:\WINDOWS\System32\Kci.exe
O4 - HKCU\..\Run: [Gut] C:\WINDOWS\Hhi.exe
O4 - HKCU\..\Run: [Tad] C:\WINDOWS\Dkc.exe
O4 - HKCU\..\Run: [Fus] C:\WINDOWS\System32\Jdh.exe
O4 - HKCU\..\Run: [Rmo] C:\WINDOWS\Oal.exe
O4 - HKCU\..\Run: [Rpi] C:\WINDOWS\System32\Nph.exe
O4 - HKCU\..\Run: [Ilc] C:\WINDOWS\System32\Gds.exe
O4 - HKCU\..\Run: [Rta] C:\WINDOWS\System32\Ksv.exe
O4 - HKCU\..\Run: [Lmv] C:\WINDOWS\Fcs.exe
O4 - HKCU\..\Run: [Etk] C:\WINDOWS\Ham.exe
O4 - HKCU\..\Run: [Vad] C:\WINDOWS\System32\Fjn.exe
O4 - HKCU\..\Run: [Rgb] C:\WINDOWS\System32\Rha.exe
O4 - Startup: winupdate67070701[1].exe
O4 - Startup: winupdate67898385[1].exe
O4 - Startup: winupdate81090145[1].exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab30149.cab
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary...s.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab30149.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22.hotmail.msn.com/...s/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab30149.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab30149.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab30149.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
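An added example, not part of the thread or of HijackThis: a small Python check that compares the O4 Run entries of the two logs above, showing which random-named autoruns disappeared, which new ones replaced them, and which files from the delete list in post #10 are still referenced after cleanup. The log lines are excerpts from this thread; the "three-letter value name, three-letter .exe in C:\WINDOWS or System32, present under both HKLM and HKCU" rule is a heuristic read off these logs, and all function names are hypothetical.

```python
import ntpath
import re

# O4 Run lines excerpted from the two HijackThis logs in this thread
# (the scan before the fix list, then the scan posted after cleanup).
SCAN_BEFORE = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ikvl895] C:\WINDOWS\mjgpd.exe
O4 - HKLM\..\Run: [Suf] C:\WINDOWS\System32\Bkf.exe
O4 - HKLM\..\Run: [Kfd] C:\WINDOWS\Lvq.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Suf] C:\WINDOWS\System32\Bkf.exe
O4 - HKCU\..\Run: [Kfd] C:\WINDOWS\Lvq.exe
"""
SCAN_AFTER = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ikvl895] C:\WINDOWS\mjgpd.exe
O4 - HKLM\..\Run: [Can] C:\WINDOWS\System32\Kci.exe
O4 - HKLM\..\Run: [Gut] C:\WINDOWS\Hhi.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Can] C:\WINDOWS\System32\Kci.exe
O4 - HKCU\..\Run: [Gut] C:\WINDOWS\Hhi.exe
"""
# Subset of the files listed for deletion in post #10.
DELETE_LIST = [r"C:\WINDOWS\mjgpd.exe", r"C:\WINDOWS\System32\Bkf.exe",
               r"C:\WINDOWS\Lvq.exe"]

O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.+)$")
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
THREE_LETTERS = re.compile(r"^[A-Za-z]{3}$")


def target_path(cmd):
    """Return the executable part of a Run value, without quotes or arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def parse_run_entries(log):
    """Return (hive, value_name, lowercased target path) for each O4 Run line."""
    entries = []
    for line in log.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            hive, name, cmd = m.groups()
            entries.append((hive, name, target_path(cmd).lower()))
    return entries


def random_autoruns(log):
    """Targets matching the heuristic described in the lead-in (an assumption)."""
    hives_by_path = {}
    for hive, name, path in parse_run_entries(log):
        stem, ext = ntpath.splitext(ntpath.basename(path))
        if (THREE_LETTERS.match(name) and THREE_LETTERS.match(stem)
                and ext == ".exe" and ntpath.dirname(path) in SYSTEM_DIRS):
            hives_by_path.setdefault(path, set()).add(hive)
    # Keep only targets registered under both the machine and the user hive.
    return {p for p, h in hives_by_path.items() if h == {"HKLM", "HKCU"}}


def compare_scans(before, after, delete_list):
    """Summarise what changed between two scans and what cleanup missed."""
    old, new = random_autoruns(before), random_autoruns(after)
    referenced = {path for _, _, path in parse_run_entries(after)}
    return {
        "gone": sorted(old - new),
        "new": sorted(new - old),
        "still_referenced": sorted(
            p.lower() for p in delete_list if p.lower() in referenced),
    }


if __name__ == "__main__":
    for key, paths in compare_scans(SCAN_BEFORE, SCAN_AFTER, DELETE_LIST).items():
        print(f"{key}: {paths}")
```

A non-empty "new" set after a cleanup pass means the autoruns are being regenerated rather than left over, and "still_referenced" lists delete-list files that a Run entry continues to launch.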
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 95,175 posts.
 
Join Date: Aug 2003
24-Apr-2005, 02:10 PM #14
The right click is a known problem with this infection and there is a fix for that to be done later.

First we need to clean up every user. Are there other users?
cwelaw's Avatar
cwelaw cwelaw is offline
Member with 67 posts.
THREAD STARTER
 
Join Date: Jul 2004
Experience: Beginner
24-Apr-2005, 02:16 PM #15
Sorry, no other user profiles on this machine