
can't get rid of it!

Discussion in 'Virus & Other Malware Removal' started by godenver, Mar 20, 2005.

  1. godenver

    godenver Thread Starter

    Joined:
    Mar 20, 2005
    Messages:
    8
    I have a mixture of viruses, trojans, and stuff and have quite a few ads popping up. I am using Windows XP. I have tried AdAware, Spy Sweeper, Spybot but none completely got rid of my problem. I have scanned with Hijackthis and Panda and the reports are below. Please help!

    Logfile of HijackThis v1.99.0
    Scan saved at 10:10:06 PM, on 3/20/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\WINDOWS\System32\hphmon03.exe
    C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\RUNDLL32.exe
    C:\windows\system32\fcznre.exe
    C:\WINDOWS\SysCheckBop32.exe
    C:\WINDOWS\ms04220442034.exe
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\WINDOWS\System32\sysmonnt.exe
    C:\Documents and Settings\Dave Willoughby\Application Data\eetu.exe
    C:\WINDOWS\System32\??ool32.exe
    C:\windows\system32\packager.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Microsoft Works\MSWorks.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\DOCUME~1\DAVEWI~1\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
    O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
    O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
    O4 - HKLM\..\Run: [fcznre] c:\windows\system32\fcznre.exe
    O4 - HKLM\..\Run: [o9b9kvmc] C:\Program Files\o9b9kvmc\o9b9kvmc.exe
    O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
    O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
    O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
    O4 - HKLM\..\Run: [ms04220442034] C:\WINDOWS\ms04220442034.exe
    O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPassK.exe
    O4 - HKLM\..\Run: [nmbix] C:\WINDOWS\nmbix.exe
    O4 - HKLM\..\Run: [ps7f3pP] shgip32.exe
    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteezf32.exe
    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
    O4 - HKCU\..\Run: [YBopRfj2j] sentil.exe
    O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Dave Willoughby\Application Data\eetu.exe
    O4 - HKCU\..\Run: [Quahnpn] C:\WINDOWS\System32\??ool32.exe
    O4 - HKCU\..\Run: [rfqq] C:\PROGRA~1\COMMON~1\rfqq\rfqqm.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
    O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

    -----------------------------------------------------------------------


    Incident Status Location

    Adware:Adware/Transponder No disinfected C:\WINDOWS\dlmax.dll
    Virus:Trj/Startpage.SJ No disinfected Operating system
    Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\msexreg.exe
    Adware:Adware/nCase No disinfected Windows Registry
    Adware:Adware/IPInsight No disinfected C:\WINDOWS\FARMMEXT.exe
    Adware:Adware/IEPlugin No disinfected C:\WINDOWS\systb.dll
    Adware:Adware/Twain-Tech No disinfected C:\DOCUME~1\DAVEWI~1\LOCALS~1\Temp\THI*.tmp
    Adware:Adware/WUpd No disinfected Windows Registry
    Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\DrTemp\mm_reco.exe
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI21FD.tmp\farmmext.cab[farmmext.inf]
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI21FD.tmp\farmmext.cab[farmmext.exe]
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI21FD.tmp\farmmext.cab[farmmext.ini]
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI21FD.tmp\farmmext.exe
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI21FD.tmp\farmmext.inf
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI21FD.tmp\farmmext.ini
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI4580.tmp\farmmext.cab[farmmext.inf]
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI4580.tmp\farmmext.cab[farmmext.exe]
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI4580.tmp\farmmext.cab[farmmext.ini]
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI4580.tmp\farmmext.exe
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI4580.tmp\farmmext.inf
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI4580.tmp\farmmext.ini
    Adware:Adware/TopRebates No disinfected C:\RECYCLER\S-1-5-21-2025429265-1993962763-1060284298-1004\Dc5\EbatesMoeMoneyMaker1.exe
    Adware:Adware/Transponder No disinfected C:\WINDOWS\dlmax.dll
    Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\setup4002b.ini
    Adware:Adware/IPInsight No disinfected C:\WINDOWS\farmmext.exe
    Adware:Adware/Transponder No disinfected C:\WINDOWS\inf\dlmax.inf
    Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\farmmext.inf
    Adware:Adware/Transponder No disinfected C:\WINDOWS\inf\Pynix.inf
    Virus:Trj/Imiserv.D Disinfected C:\WINDOWS\systb.dll
    Virus:Trj/Imiserv.D Disinfected C:\WINDOWS\systb.exe
    Virus:Trj/Startpage.SJ Disinfected C:\WINDOWS\system\irdrirtn.exe
    Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\angelex.exe
    Adware:Adware/WinTools No disinfected C:\WINDOWS\system32\Cache\adl_ibis_AS2.exe
    Spyware:Spyware/ClearSearch No disinfected C:\WINDOWS\system32\Cache\CSv13P108.exe
    Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\Cache\installer_MARKETING17.exe
    Adware:Adware/nCase No disinfected C:\WINDOWS\system32\Cache\pop.exe
    Adware:Adware/nCase No disinfected C:\WINDOWS\system32\Cache\saie1101.exe
    Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\system32\Cache\thin-8-1-x-x.exe
    Adware:Adware/AdLogix No disinfected C:\WINDOWS\system32\Cache\videoinst.exe
    Adware:Adware/TopRebates No disinfected C:\WINDOWS\system32\Cache\WebRebates_Auto_InstallSilent.exe
    Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\system32\Cache\wrapperouter.exe
    Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\mqexdlm.srg
    Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\msexreg.exe
    Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\zeta.exe
     
  2. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,322
    Hi godenver

    Welcome to TSG! :)

    A new version of Hijack This has been released, so get rid of the old one, click here to download the new one, then come back here and post the log from it.

    I see you are running Hijack This from a temp folder now. This is a bad idea because it cannot create and restore backups from there. Before you download the new version create a new folder in My Documents and name it Hijack This. Now click on the link I posted above and when the box pops up asking you to Open or Save choose Save and save it to the Hijack This folder you created. That way it can create and restore backups if needed. HJT will store the backups in the same location that it is run from.
     
  3. godenver

    godenver Thread Starter

    Joined:
    Mar 20, 2005
    Messages:
    8
    I saved the newest version of HijackThis into My Documents and ran the program. Here is the log...

    Logfile of HijackThis v1.99.1
    Scan saved at 9:31:50 PM, on 3/21/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\WINDOWS\System32\hphmon03.exe
    C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\RUNDLL32.exe
    C:\windows\system32\fcznre.exe
    C:\WINDOWS\SysCheckBop32.exe
    C:\WINDOWS\ms04220442034.exe
    C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\Program Files\Common Files\Real\Update_OB\realevent.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\System32\sysmonnt.exe
    C:\Documents and Settings\Dave Willoughby\Application Data\eetu.exe
    C:\WINDOWS\System32\??ool32.exe
    C:\windows\system32\calc.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker1.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Dave Willoughby\My Documents\HijackThis\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
    O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
    O4 - HKLM\..\Run: [fcznre] c:\windows\system32\fcznre.exe
    O4 - HKLM\..\Run: [o9b9kvmc] C:\Program Files\o9b9kvmc\o9b9kvmc.exe
    O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
    O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
    O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
    O4 - HKLM\..\Run: [ms04220442034] C:\WINDOWS\ms04220442034.exe
    O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPassK.exe
    O4 - HKLM\..\Run: [nmbix] C:\WINDOWS\nmbix.exe
    O4 - HKLM\..\Run: [ps7f3pP] shgip32.exe
    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteezf32.exe
    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
    O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
    O4 - HKCU\..\Run: [YBopRfj2j] sentil.exe
    O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Dave Willoughby\Application Data\eetu.exe
    O4 - HKCU\..\Run: [Quahnpn] C:\WINDOWS\System32\??ool32.exe
    O4 - HKCU\..\Run: [rfqq] C:\PROGRA~1\COMMON~1\rfqq\rfqqm.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (HKCU)
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
     
  4. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,322
    Go here and follow the directions to download and run the trial version of KAV 5 Personal with the extended database. Be sure that you take your time and be careful to follow the directions exactly as given there.

    After you have done that, post the log from the KAV scan along with a new Hijack This log.
     
  5. godenver

    godenver Thread Starter

    Joined:
    Mar 20, 2005
    Messages:
    8
    I went to the site, downloaded KAV, and installed it on my computer, making sure to follow all the directions on the site. When I clicked on "scan my computer" in the KAV program, it gave me the following error message:

    An anti-virus scan cannot be performed because your anti-virus database is corrupted. Please mention detailed error code (24) when contacting Kaspersky Lab's Technical Support.

    What should I do now?
     
  6. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,322
    Redownload the updates and try again.
     
  7. godenver

    godenver Thread Starter

    Joined:
    Mar 20, 2005
    Messages:
    8
    Reloaded and it worked the second time. Here is the log from KAV followed by the new HijackThis log.

    Statistics:
    Task start time: 3/24/2005 2:15:52 AM
    Task completion time: 3/24/2005 4:26:35 AM
    Objects scanned: 145196
    Viruses detected: 23
    Viruses disinfected: 0
    Objects deleted: 23
    Objects quarantined: 0

    Settings:
    Objects to be scanned:
    My Computer
    If an infected object is found:
    Perform recommended action
    Scan level:
    Recommended
    Objects to be excluded from the scan scope:
    Option not used

    Report:
    C:\Dave's Files\Stuff\GAMEOFTHECENTURY.EXE is infected with a virus not-virus:Joke.Win32.JepRuss 3/24/2005 2:23:08 AM
    C:\Dave's Files\Stuff\GAMEOFTHECENTURY.EXE moved to the backup storage 3/24/2005 2:23:08 AM
    C:\Dave's Files\Stuff\GAMEOFTHECENTURY.EXE deleted 3/24/2005 2:23:09 AM
    C:\Dave's Files\Stuff\WaschingMachine.bat is infected with a virus not-virus:Joke.Win32.Train 3/24/2005 2:23:10 AM
    C:\Dave's Files\Stuff\WaschingMachine.bat moved to the backup storage 3/24/2005 2:23:10 AM
    C:\Dave's Files\Stuff\WaschingMachine.bat deleted 3/24/2005 2:23:10 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip\related.htm password protected, has not been processed 3/24/2005 2:30:56 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:56 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc.zip\dave willoughby@atdmt[1].txt password protected, has not been processed 3/24/2005 2:30:56 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:56 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BargainBuddy.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 2:30:56 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BargainBuddy.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:56 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 2:30:56 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:56 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit1.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 2:30:56 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit1.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:56 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit2.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 2:30:56 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit2.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:56 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit3.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 2:30:56 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit3.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:56 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit4.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 2:30:56 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit4.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:56 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eZulaHotText.zip\eZinstall.exe password protected, has not been processed 3/24/2005 2:30:56 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eZulaHotText.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:56 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 2:30:56 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:56 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin1.zip\lu.dat password protected, has not been processed 3/24/2005 2:30:56 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin1.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:56 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin2.zip\systb.dll password protected, has not been processed 3/24/2005 2:30:57 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin2.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:57 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin3.zip\wupdt.exe password protected, has not been processed 3/24/2005 2:30:57 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin3.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:57 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MySearch.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 2:30:57 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MySearch.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:57 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MySearch1.zip\bar/History/search password protected, has not been processed 3/24/2005 2:30:57 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MySearch1.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:57 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtualBouncer.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 2:30:57 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtualBouncer.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:57 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtualBouncer1.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 2:30:57 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtualBouncer1.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:57 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtualBouncer2.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 2:30:57 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtualBouncer2.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:57 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 2:30:57 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:57 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer1.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 2:30:57 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer1.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:57 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer2.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 2:30:57 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer2.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:57 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer3.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 2:30:57 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer3.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:57 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer4.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 2:30:57 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer4.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:57 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer5.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 2:30:57 AM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer5.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 2:30:57 AM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\DrTemp\mm_reco.exe is infected with a virus not-a-virus:AdWare.BetterInternet 3/24/2005 2:32:33 AM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\DrTemp\mm_reco.exe moved to the backup storage 3/24/2005 2:32:34 AM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\DrTemp\mm_reco.exe deleted 3/24/2005 2:32:34 AM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI190C.tmp\MMaker4b.exe/data0004 is infected with a virus not-a-virus:AdWare.WebRebates.d 3/24/2005 2:32:37 AM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI190C.tmp\MMaker4b.exe moved to the backup storage 3/24/2005 2:32:37 AM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI190C.tmp\MMaker4b.exe deleted 3/24/2005 2:32:37 AM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI1C5E.tmp\MMaker4b.exe/data0004 is infected with a virus not-a-virus:AdWare.WebRebates.d 3/24/2005 2:32:38 AM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI1C5E.tmp\MMaker4b.exe moved to the backup storage 3/24/2005 2:32:38 AM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI1C5E.tmp\MMaker4b.exe deleted 3/24/2005 2:32:38 AM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI289F.tmp\MMaker4b.exe/data0004 is infected with a virus not-a-virus:AdWare.WebRebates.d 3/24/2005 2:32:40 AM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI289F.tmp\MMaker4b.exe moved to the backup storage 3/24/2005 2:32:41 AM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI289F.tmp\MMaker4b.exe deleted 3/24/2005 2:32:41 AM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI323.tmp\MMaker4b.exe/data0004 is infected with a virus not-a-virus:AdWare.WebRebates.d 3/24/2005 2:32:42 AM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI323.tmp\MMaker4b.exe moved to the backup storage 3/24/2005 2:32:42 AM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI323.tmp\MMaker4b.exe deleted 3/24/2005 2:32:42 AM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI33E.tmp\MMaker4b.exe/data0004 is infected with a virus not-a-virus:AdWare.WebRebates.d 3/24/2005 2:32:43 AM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI33E.tmp\MMaker4b.exe moved to the backup storage 3/24/2005 2:32:43 AM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI33E.tmp\MMaker4b.exe deleted 3/24/2005 2:32:43 AM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI658F.tmp\MMaker4b.exe/data0004 is infected with a virus not-a-virus:AdWare.WebRebates.d 3/24/2005 2:32:45 AM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI658F.tmp\MMaker4b.exe moved to the backup storage 3/24/2005 2:32:46 AM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI658F.tmp\MMaker4b.exe deleted 3/24/2005 2:32:46 AM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI7843.tmp\MMaker4b.exe/data0004 is infected with a virus not-a-virus:AdWare.WebRebates.d 3/24/2005 2:32:47 AM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI7843.tmp\MMaker4b.exe moved to the backup storage 3/24/2005 2:32:47 AM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI7843.tmp\MMaker4b.exe deleted 3/24/2005 2:32:47 AM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI7C3F.tmp\MMaker4b.exe/data0004 is infected with a virus not-a-virus:AdWare.WebRebates.d 3/24/2005 2:32:48 AM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI7C3F.tmp\MMaker4b.exe moved to the backup storage 3/24/2005 2:32:49 AM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI7C3F.tmp\MMaker4b.exe deleted 3/24/2005 2:32:49 AM
    C:\Program Files\Ebates_MoeMoneyMaker\disp350.exe is infected with a virus not-a-virus:AdWare.WebRebates.c 3/24/2005 2:43:07 AM
    C:\Program Files\Ebates_MoeMoneyMaker\disp350.exe moved to the backup storage 3/24/2005 2:43:07 AM
    C:\Program Files\Ebates_MoeMoneyMaker\disp350.exe deleted 3/24/2005 2:43:07 AM
    C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker1.exe is infected with a virus not-a-virus:AdWare.WebRebates.d 3/24/2005 2:43:08 AM
    C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker1.exe moved to the backup storage 3/24/2005 2:43:08 AM
    C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker1.exe deleted 3/24/2005 2:43:09 AM
    C:\WINDOWS\autoheal.exe/stream/data0001 is infected with a virus not-a-virus:AdWare.BargainBuddy.n 3/24/2005 3:17:31 AM
    C:\WINDOWS\autoheal.exe moved to the backup storage 3/24/2005 3:17:32 AM
    C:\WINDOWS\autoheal.exe is infected with a virus not-a-virus:AdWare.BargainBuddy.n 3/24/2005 3:17:32 AM
    C:\WINDOWS\autoheal.exe deleted 3/24/2005 3:17:32 AM
    C:\WINDOWS\system32\angelex.exe is infected with a virus not-a-virus:AdWare.BargainBuddy.n 3/24/2005 4:16:33 AM
    C:\WINDOWS\system32\angelex.exe moved to the backup storage 3/24/2005 4:16:34 AM
    C:\WINDOWS\system32\angelex.exe deleted 3/24/2005 4:16:34 AM
    C:\WINDOWS\system32\instsrv.exe is infected with a virus not-a-virus:RiskWare.Tool.ServiceRunner.f 3/24/2005 4:17:39 AM
    C:\WINDOWS\system32\instsrv.exe moved to the backup storage 3/24/2005 4:17:39 AM
    C:\WINDOWS\system32\instsrv.exe deleted 3/24/2005 4:17:39 AM
    C:\WINDOWS\system32\Cache\AMEX_54.exe/WISE0007.BIN is infected with a virus TrojanDownloader.Win32.TSUpdate.f 3/24/2005 4:20:07 AM
    C:\WINDOWS\system32\Cache\AMEX_54.exe moved to the backup storage 3/24/2005 4:20:07 AM
    C:\WINDOWS\system32\Cache\AMEX_54.exe deleted 3/24/2005 4:20:07 AM
    C:\WINDOWS\system32\Cache\Kyongju.exe/data0003 is infected with a virus not-a-virus:AdWare.PurityScan.w 3/24/2005 4:20:10 AM
    C:\WINDOWS\system32\Cache\Kyongju.exe moved to the backup storage 3/24/2005 4:20:10 AM
    C:\WINDOWS\system32\Cache\Kyongju.exe is infected with a virus not-a-virus:AdWare.PurityScan.w 3/24/2005 4:20:11 AM
    C:\WINDOWS\system32\Cache\Kyongju.exe deleted 3/24/2005 4:20:11 AM
    C:\WINDOWS\system32\Cache\saie1101.exe is infected with a virus TrojanDropper.Win32.Small.mr 3/24/2005 4:20:13 AM
    C:\WINDOWS\system32\Cache\saie1101.exe moved to the backup storage 3/24/2005 4:20:13 AM
    C:\WINDOWS\system32\Cache\saie1101.exe deleted 3/24/2005 4:20:13 AM
    C:\WINDOWS\system32\Cache\thin-8-1-x-x.exe is infected with a virus not-a-virus:AdWare.BetterInternet 3/24/2005 4:20:18 AM
    C:\WINDOWS\system32\Cache\thin-8-1-x-x.exe moved to the backup storage 3/24/2005 4:20:18 AM
    C:\WINDOWS\system32\Cache\thin-8-1-x-x.exe deleted 3/24/2005 4:20:18 AM
    C:\WINDOWS\system32\Cache\videoinst.exe is infected with a virus TrojanDownloader.Win32.Small.wj 3/24/2005 4:20:20 AM
    C:\WINDOWS\system32\Cache\videoinst.exe moved to the backup storage 3/24/2005 4:20:20 AM
    C:\WINDOWS\system32\Cache\videoinst.exe deleted 3/24/2005 4:20:20 AM
    C:\WINDOWS\system32\Cache\WebRebates_Auto_InstallSilent.exe/data0003 is infected with a virus not-a-virus:AdWare.WebRebates.d 3/24/2005 4:20:21 AM
    C:\WINDOWS\system32\Cache\WebRebates_Auto_InstallSilent.exe moved to the backup storage 3/24/2005 4:20:21 AM
    C:\WINDOWS\system32\Cache\WebRebates_Auto_InstallSilent.exe deleted 3/24/2005 4:20:22 AM
    C:\WINDOWS\system32\Cache\wrapperouter.exe/WISE0006.BIN is infected with a virus not-a-virus:AdWare.VirtualBouncer.c 3/24/2005 4:20:23 AM
    C:\WINDOWS\system32\Cache\wrapperouter.exe moved to the backup storage 3/24/2005 4:20:24 AM
    C:\WINDOWS\system32\Cache\wrapperouter.exe is infected with a virus not-a-virus:AdWare.VirtualBouncer.c 3/24/2005 4:20:24 AM
    C:\WINDOWS\system32\Cache\wrapperouter.exe deleted 3/24/2005 4:20:24 AM


    --------------------------------------------------------------

    Logfile of HijackThis v1.99.1
    Scan saved at 7:01:14 AM, on 3/24/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
    C:\Documents and Settings\Dave Willoughby\My Documents\HijackThis\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
    O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
    O4 - HKLM\..\Run: [fcznre] c:\windows\system32\fcznre.exe
    O4 - HKLM\..\Run: [o9b9kvmc] C:\Program Files\o9b9kvmc\o9b9kvmc.exe
    O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
    O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
    O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
    O4 - HKLM\..\Run: [ms04220442034] C:\WINDOWS\ms04220442034.exe
    O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPassK.exe
    O4 - HKLM\..\Run: [nmbix] C:\WINDOWS\nmbix.exe
    O4 - HKLM\..\Run: [ps7f3pP] shgip32.exe
    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteezf32.exe
    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
    O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
    O4 - HKCU\..\Run: [YBopRfj2j] sentil.exe
    O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Dave Willoughby\Application Data\eetu.exe
    O4 - HKCU\..\Run: [Quahnpn] C:\WINDOWS\System32\??ool32.exe
    O4 - HKCU\..\Run: [rfqq] C:\PROGRA~1\COMMON~1\rfqq\rfqqm.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
     
  8. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,322
    Run KAV one more time in safe mode then post new logs please.
     
  9. godenver

    godenver Thread Starter

    Joined:
    Mar 20, 2005
    Messages:
    8
    Ran KAV and HijackThis again. Here are the logs.

    Statistics:
    Task start time: 3/24/2005 6:10:03 PM
    Task completion time: 3/24/2005 7:31:31 PM
    Objects scanned: 141682
    Viruses detected: 28
    Viruses disinfected: 0
    Objects deleted: 28
    Objects quarantined: 0

    Settings:
    Objects to be scanned:
    My Computer
    If an infected object is found:
    Perform recommended action
    Scan level:
    Recommended
    Objects to be excluded from the scan scope:
    Option not used

    Report:
    C:\Documents and Settings\All Users\Application Data\msw\MSW.exe is infected with a virus not-a-virus:AdWare.Searcher.h 3/24/2005 6:19:12 PM
    C:\Documents and Settings\All Users\Application Data\msw\MSW.exe moved to the backup storage 3/24/2005 6:19:13 PM
    C:\Documents and Settings\All Users\Application Data\msw\MSW.exe deleted 3/24/2005 6:19:13 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip\related.htm password protected, has not been processed 3/24/2005 6:19:16 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:16 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc.zip\dave willoughby@atdmt[1].txt password protected, has not been processed 3/24/2005 6:19:16 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:16 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BargainBuddy.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 6:19:16 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BargainBuddy.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:16 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 6:19:16 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:16 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit1.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 6:19:16 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit1.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:16 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit2.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 6:19:16 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit2.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:16 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit3.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 6:19:16 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit3.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:16 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit4.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 6:19:16 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit4.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:16 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eZulaHotText.zip\eZinstall.exe password protected, has not been processed 3/24/2005 6:19:16 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eZulaHotText.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:16 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 6:19:17 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:17 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin1.zip\lu.dat password protected, has not been processed 3/24/2005 6:19:17 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin1.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:17 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin2.zip\systb.dll password protected, has not been processed 3/24/2005 6:19:17 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin2.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:17 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin3.zip\wupdt.exe password protected, has not been processed 3/24/2005 6:19:17 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\IEPlugin3.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:17 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MySearch.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 6:19:17 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MySearch.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:17 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MySearch1.zip\bar/History/search password protected, has not been processed 3/24/2005 6:19:17 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MySearch1.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:17 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtualBouncer.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 6:19:17 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtualBouncer.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:17 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtualBouncer1.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 6:19:17 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtualBouncer1.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:17 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtualBouncer2.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 6:19:17 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtualBouncer2.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:17 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 6:19:17 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:17 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer1.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 6:19:17 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer1.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:17 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer2.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 6:19:17 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer2.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:17 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer3.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 6:19:17 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer3.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:17 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer4.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 6:19:17 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer4.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:17 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer5.zip\sbRecovery.reg password protected, has not been processed 3/24/2005 6:19:17 PM
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsMediaPlayer5.zip\sbRecovery.ini password protected, has not been processed 3/24/2005 6:19:17 PM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\randreco.exe is infected with a virus not-a-virus:AdWare.BetterInternet 3/24/2005 6:20:41 PM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\randreco.exe moved to the backup storage 3/24/2005 6:20:41 PM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\randreco.exe deleted 3/24/2005 6:20:41 PM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI1232.tmp\wupdt.exe is infected with a virus Trojan-Downloader.Win32.Intexp.c 3/24/2005 6:20:44 PM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI1232.tmp\wupdt.exe moved to the backup storage 3/24/2005 6:20:44 PM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI1232.tmp\wupdt.exe deleted 3/24/2005 6:20:44 PM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI21FD.tmp\farmmext.cab\farmmext.exe is infected with a virus Trojan-Downloader.Win32.Stubby.c 3/24/2005 6:20:44 PM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI21FD.tmp\farmmext.cab moved to the backup storage 3/24/2005 6:20:44 PM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI21FD.tmp\farmmext.cab\farmmext.exe deleted 3/24/2005 6:20:44 PM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI21FD.tmp\farmmext.exe is infected with a virus Trojan-Downloader.Win32.Stubby.c 3/24/2005 6:20:44 PM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI21FD.tmp\farmmext.exe moved to the backup storage 3/24/2005 6:20:45 PM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI21FD.tmp\farmmext.exe deleted 3/24/2005 6:20:45 PM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI23F.tmp\wupdt.exe is infected with a virus Trojan-Downloader.Win32.Intexp.c 3/24/2005 6:20:45 PM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI23F.tmp\wupdt.exe moved to the backup storage 3/24/2005 6:20:45 PM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI23F.tmp\wupdt.exe deleted 3/24/2005 6:20:45 PM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI31FC.tmp\wupdt.exe is infected with a virus Trojan-Downloader.Win32.Intexp.c 3/24/2005 6:20:45 PM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI31FC.tmp\wupdt.exe moved to the backup storage 3/24/2005 6:20:45 PM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI31FC.tmp\wupdt.exe deleted 3/24/2005 6:20:45 PM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI4580.tmp\farmmext.cab\farmmext.exe is infected with a virus Trojan-Downloader.Win32.Stubby.c 3/24/2005 6:20:46 PM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI4580.tmp\farmmext.cab moved to the backup storage 3/24/2005 6:20:46 PM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI4580.tmp\farmmext.cab\farmmext.exe deleted 3/24/2005 6:20:46 PM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI4580.tmp\farmmext.exe is infected with a virus Trojan-Downloader.Win32.Stubby.c 3/24/2005 6:20:46 PM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI4580.tmp\farmmext.exe moved to the backup storage 3/24/2005 6:20:46 PM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI4580.tmp\farmmext.exe deleted 3/24/2005 6:20:46 PM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI471E.tmp\wupdt.exe is infected with a virus Trojan-Downloader.Win32.Intexp.c 3/24/2005 6:20:47 PM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI471E.tmp\wupdt.exe moved to the backup storage 3/24/2005 6:20:47 PM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI471E.tmp\wupdt.exe deleted 3/24/2005 6:20:47 PM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI5B67.tmp\wupdt.exe is infected with a virus Trojan-Downloader.Win32.Intexp.c 3/24/2005 6:20:47 PM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI5B67.tmp\wupdt.exe moved to the backup storage 3/24/2005 6:20:47 PM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI5B67.tmp\wupdt.exe deleted 3/24/2005 6:20:47 PM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI7BB5.tmp\wupdt.exe is infected with a virus Trojan-Downloader.Win32.Intexp.c 3/24/2005 6:20:48 PM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI7BB5.tmp\wupdt.exe moved to the backup storage 3/24/2005 6:20:48 PM
    C:\Documents and Settings\Dave Willoughby\Local Settings\Temp\THI7BB5.tmp\wupdt.exe deleted 3/24/2005 6:20:48 PM
    C:\WINDOWS\systb.exe\systb.dll is infected with a virus not-a-virus:AdWare.ToolBar.ImiBar.d 3/24/2005 6:46:33 PM
    C:\WINDOWS\systb.exe moved to the backup storage 3/24/2005 6:46:33 PM
    C:\WINDOWS\systb.exe\systb.dll deleted 3/24/2005 6:46:34 PM
    C:\WINDOWS\wupdsnff.exe is infected with a virus not-a-virus:AdWare.BetterInternet 3/24/2005 6:46:37 PM
    C:\WINDOWS\wupdsnff.exe moved to the backup storage 3/24/2005 6:46:37 PM
    C:\WINDOWS\wupdsnff.exe deleted 3/24/2005 6:46:38 PM
    C:\WINDOWS\system32\eliteptb32.exe is a Trojan Trojan.Win32.StartPage.nk 3/24/2005 7:25:35 PM
    C:\WINDOWS\system32\eliteptb32.exe moved to the backup storage 3/24/2005 7:25:35 PM
    C:\WINDOWS\system32\eliteptb32.exe deleted 3/24/2005 7:25:35 PM
    C:\WINDOWS\system32\elitervk32.exe is a Trojan Trojan.Win32.StartPage.nk 3/24/2005 7:25:36 PM
    C:\WINDOWS\system32\elitervk32.exe moved to the backup storage 3/24/2005 7:25:36 PM
    C:\WINDOWS\system32\elitervk32.exe deleted 3/24/2005 7:25:36 PM
    C:\WINDOWS\system32\mqexdlm.srg is infected with a virus not-a-virus:AdWare.BargainBuddy.q 3/24/2005 7:26:03 PM
    C:\WINDOWS\system32\mqexdlm.srg moved to the backup storage 3/24/2005 7:26:04 PM
    C:\WINDOWS\system32\mqexdlm.srg deleted 3/24/2005 7:26:04 PM
    C:\WINDOWS\system32\temperror32.dat is a Trojan Trojan.Win32.StartPage.nk 3/24/2005 7:26:51 PM
    C:\WINDOWS\system32\temperror32.dat moved to the backup storage 3/24/2005 7:26:51 PM
    C:\WINDOWS\system32\temperror32.dat deleted 3/24/2005 7:26:51 PM
    C:\WINDOWS\system32\Cache\adl_ibis_AS2.exe is infected with a virus Trojan-Downloader.Win32.Wintool.e 3/24/2005 7:27:17 PM
    C:\WINDOWS\system32\Cache\adl_ibis_AS2.exe moved to the backup storage 3/24/2005 7:27:17 PM
    C:\WINDOWS\system32\Cache\adl_ibis_AS2.exe deleted 3/24/2005 7:27:17 PM
    C:\WINDOWS\system32\Cache\AUNIcons.exe is infected with a virus Trojan-Downloader.Win32.Agent.jq 3/24/2005 7:27:18 PM
    C:\WINDOWS\system32\Cache\AUNIcons.exe moved to the backup storage 3/24/2005 7:27:18 PM
    C:\WINDOWS\system32\Cache\AUNIcons.exe deleted 3/24/2005 7:27:18 PM
    C:\WINDOWS\system32\Cache\CSv13P108.exe is a backdoor Backdoor.Win32.Ruledor.f 3/24/2005 7:27:18 PM
    C:\WINDOWS\system32\Cache\CSv13P108.exe moved to the backup storage 3/24/2005 7:27:18 PM
    C:\WINDOWS\system32\Cache\CSv13P108.exe deleted 3/24/2005 7:27:18 PM
    C:\WINDOWS\system32\Cache\cxtpls_loader.exe is infected with a virus Trojan-Downloader.Win32.Apropo.r 3/24/2005 7:27:19 PM
    C:\WINDOWS\system32\Cache\cxtpls_loader.exe moved to the backup storage 3/24/2005 7:27:19 PM
    C:\WINDOWS\system32\Cache\cxtpls_loader.exe deleted 3/24/2005 7:27:19 PM
    C:\WINDOWS\system32\Cache\EDow_AS2.exe is infected with a virus Trojan-Dropper.Win32.Agent.hl 3/24/2005 7:27:19 PM
    C:\WINDOWS\system32\Cache\EDow_AS2.exe moved to the backup storage 3/24/2005 7:27:19 PM
    C:\WINDOWS\system32\Cache\EDow_AS2.exe deleted 3/24/2005 7:27:19 PM
    C:\WINDOWS\system32\Cache\installer_MARKETING17.exe is infected with a virus Trojan-Downloader.Win32.Adload.a 3/24/2005 7:27:20 PM
    C:\WINDOWS\system32\Cache\installer_MARKETING17.exe moved to the backup storage 3/24/2005 7:27:20 PM
    C:\WINDOWS\system32\Cache\installer_MARKETING17.exe deleted 3/24/2005 7:27:20 PM
    C:\WINDOWS\system32\Cache\pop.exe is infected with a virus not-a-virus:AdWare.WinAD.ab 3/24/2005 7:27:21 PM
    C:\WINDOWS\system32\Cache\pop.exe moved to the backup storage 3/24/2005 7:27:21 PM
    C:\WINDOWS\system32\Cache\pop.exe deleted 3/24/2005 7:27:21 PM
    C:\WINDOWS\system32\Cache\Setup.exe/data0012 is a Trojan Trojan.Win32.VB.tg 3/24/2005 7:27:22 PM
    C:\WINDOWS\system32\Cache\Setup.exe moved to the backup storage 3/24/2005 7:27:23 PM
    C:\WINDOWS\system32\Cache\Setup.exe deleted 3/24/2005 7:27:24 PM
    C:\WINDOWS\system32\Cache\skh2.exe/data0003 is infected with a virus Trojan-Downloader.Win32.Small.aly 3/24/2005 7:27:24 PM
    C:\WINDOWS\system32\Cache\skh2.exe moved to the backup storage 3/24/2005 7:27:24 PM
    C:\WINDOWS\system32\Cache\skh2.exe deleted 3/24/2005 7:27:24 PM
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ERF9X01I\protector_update[1].exe is a Trojan Trojan.Win32.StartPage.nk 3/24/2005 7:27:31 PM
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ERF9X01I\protector_update[1].exe moved to the backup storage 3/24/2005 7:27:32 PM
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ERF9X01I\protector_update[1].exe deleted 3/24/2005 7:27:32 PM


    -------------------------------------------------------------

    Logfile of HijackThis v1.99.1
    Scan saved at 8:24:14 PM, on 3/24/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Dave Willoughby\My Documents\HijackThis\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll (file missing)
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
    O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
    O4 - HKLM\..\Run: [o9b9kvmc] C:\Program Files\o9b9kvmc\o9b9kvmc.exe
    O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
    O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
    O4 - HKLM\..\Run: [ms04220442034] C:\WINDOWS\ms04220442034.exe
    O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPassK.exe
    O4 - HKLM\..\Run: [nmbix] C:\WINDOWS\nmbix.exe
    O4 - HKLM\..\Run: [ps7f3pP] shgip32.exe
    O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
    O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [YBopRfj2j] sentil.exe
    O4 - HKCU\..\Run: [Quahnpn] C:\WINDOWS\System32\??ool32.exe
    O4 - HKCU\..\Run: [rfqq] C:\PROGRA~1\COMMON~1\rfqq\rfqqm.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
     
  10. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,322
Run HijackThis again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

    O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll (file missing)

    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)

    O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe

    O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16

    O4 - HKLM\..\Run: [o9b9kvmc] C:\Program Files\o9b9kvmc\o9b9kvmc.exe

    O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe

    O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe

    O4 - HKLM\..\Run: [ms04220442034] C:\WINDOWS\ms04220442034.exe

    O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPassK.exe

    O4 - HKLM\..\Run: [nmbix] C:\WINDOWS\nmbix.exe

    O4 - HKLM\..\Run: [ps7f3pP] shgip32.exe

    O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"

    O4 - HKCU\..\Run: [YBopRfj2j] sentil.exe

    O4 - HKCU\..\Run: [Quahnpn] C:\WINDOWS\System32\??ool32.exe

    O4 - HKCU\..\Run: [rfqq] C:\PROGRA~1\COMMON~1\rfqq\rfqqm.exe

    O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm

    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)


    Restart to safe mode.

    How to start your computer in safe mode

Because XP will not always show you hidden files and folders by default, go to Start > Search and, under "More advanced search options",
make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

    Now find and delete these files:

    C:\WINDOWS\nmbix.exe
    C:\WINDOWS\ms04220442034.exe
    C:\WINDOWS\System32\exp.exe
    C:\WINDOWS\System32\wintask.exe
    C:\WINDOWS\System32\winupdt.exe
    sentil.exe
    shgip32.exe


    Delete these folders:

    C:\Program Files\o9b9kvmc
    C:\Program Files\Media Pass
    C:\Program Files\Ebates_MoeMoneyMaker
    C:\Program Files\Common Files\rfqq

    Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


    Empty the Recycle Bin


    Boot back to Windows normally now.


    Go here and download Microsoft Antispyware Beta. First press file and check for updates and then run it.

    Let it fix anything that it finds (have it quarantine them rather than delete just in case. It is a beta program and there may be false positives)

    Restart your computer.

    Come back here and post another Hijack This log and we'll get rid of what's left.
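As an added example (not code from this thread, from Flrman1, or from HijackThis itself), the script below encodes the triage that the post above does by eye: search/start-page URLs that point somewhere the user never chose, O2/O3/O9 registrations whose file is gone, and O4 Run entries that load a bare file name through the PATH, use a random-looking name, or sit directly in the Windows directory. The sample log is a constructed subset of the lines from the 3/24/2005 log in this thread; the trusted-host list, the known-executable list and the "random name" rule are this example's own assumptions and would be tuned per machine.

```python
"""Heuristic triage of HijackThis (v1.99) log lines.

Added example, not code from the thread or from HijackThis. The allow-lists
and the random-name rule are assumptions made for this illustration."""
import re
from typing import List, NamedTuple, Optional
from urllib.parse import urlsplit

# Constructed sample: a subset of the 3/24/2005 log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [o9b9kvmc] C:\Program Files\o9b9kvmc\o9b9kvmc.exe
O4 - HKLM\..\Run: [ms04220442034] C:\WINDOWS\ms04220442034.exe
O4 - HKLM\..\Run: [ps7f3pP] shgip32.exe
O4 - HKCU\..\Run: [Quahnpn] C:\WINDOWS\System32\??ool32.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
"""

# Assumption: hosts the owner of this machine would set as search/start page.
TRUSTED_SEARCH_HOSTS = {"www.hotmail.com", "www.msn.com", "www.google.com"}
# Assumption: Run-key executables that belong to software installed on purpose.
KNOWN_RUN_IMAGES = {"syntplpr.exe", "syntpenh.exe", "realsched.exe", "hpztsb04.exe",
                    "hphmon03.exe", "jusched.exe", "ituneshelper.exe", "qttask.exe",
                    "kav.exe", "wwdisp.exe", "spysweeper.exe"}

class Finding(NamedTuple):
    section: str   # HijackThis section code: R0, R1, O2, O3, O4, O9
    name: str      # Run-key value name, registry key, or component label
    reason: str

RUN_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
R_RE = re.compile(r'^(?P<sec>R[01]) - (?P<key>.+?) = (?P<url>.*)$')
OBJ_RE = re.compile(r'^(?P<sec>O[239]) - (?P<rest>.*)$')
IMAGE_RE = re.compile(r'^(.*?\.(?:exe|dll|com|scr|bat|pif))', re.IGNORECASE)

def image_of(cmd: str) -> str:
    """Executable (or, for RUNDLL32, the DLL) a Run-key command launches.
    Handles quoted paths, unquoted paths containing spaces, and trailing args."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    head = cmd.split(None, 1)
    if head and head[0].lower() in ('rundll32', 'rundll32.exe'):
        return head[1].split(',')[0].strip() if len(head) > 1 else ''
    m = IMAGE_RE.match(cmd)
    return m.group(1) if m else (head[0] if head else '')

def looks_random(basename: str) -> bool:
    """Assumed rule for generated names such as o9b9kvmc or ms04220442034:
    a stem of 6+ characters that mixes in digits or has no vowels at all."""
    stem = basename.rsplit('.', 1)[0].lower()
    has_digit = any(c.isdigit() for c in stem)
    has_vowel = any(c in 'aeiou' for c in stem)
    return len(stem) >= 6 and (has_digit or not has_vowel)

def triage_run(cmd: str) -> Optional[str]:
    """Reason to look at an O4 entry, or None if it is on the known list."""
    image = image_of(cmd)
    base = image.replace('/', '\\').rsplit('\\', 1)[-1]
    if base.lower() in KNOWN_RUN_IMAGES:
        return None
    if '?' in base:
        return 'image name contains characters HijackThis could not render'
    if '\\' not in image:
        return 'bare file name, resolved through the PATH search at logon'
    parent = image.rsplit('\\', 1)[0].lower()
    if parent in ('c:\\windows', 'c:\\windows\\system32') and looks_random(base):
        return 'random-looking name dropped directly in the Windows directory'
    if looks_random(base):
        return 'random-looking executable name'
    return 'not in the known-software list; verify the publisher'

def triage(log_text: str) -> List[Finding]:
    """Run every heuristic over a log and return the entries to examine first."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            reason = triage_run(m['cmd'])
            if reason:
                findings.append(Finding('O4', m['name'], reason))
            continue
        m = R_RE.match(line)
        if m:
            url = m['url'].strip()
            if url and '://' not in url:          # HijackThis prints SearchURL without a scheme
                url = 'http://' + url
            host = urlsplit(url).hostname if url else None
            if host and host.lower() not in TRUSTED_SEARCH_HOSTS:
                findings.append(Finding(m['sec'], m['key'], f'browser setting points at {host}'))
            continue
        m = OBJ_RE.match(line)
        if m and ('(file missing)' in line or '(no file)' in line):
            findings.append(Finding(m['sec'], m['rest'].split(' - ')[0],
                                    'registered component whose file is gone'))
    return findings

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.section:3} {f.name:<45} {f.reason}')
```

Rules like these produce false positives (a legitimate helper with a terse name such as Ati2evxx.exe trips the random-name check), so the output is a list of entries to verify against the installed software and the vendor, not a list to delete blindly; the thread's own approach of fixing the entry in HijackThis and then removing the file in safe mode still applies to whatever survives that check.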
     
  11. godenver

    godenver Thread Starter

    Joined:
    Mar 20, 2005
    Messages:
    8
Followed your instructions, ran HijackThis and checked all the boxes. When I went to delete the remaining files you listed, the only ones that I could find and delete were:
    C:\WINDOWS\ms04220442034.exe
    C:\Program Files\Ebates_MoeMoneyMaker

The following files were ones which I could not find in Windows Explorer or Start > Search:

    C:\WINDOWS\nmbix.exe
    C:\WINDOWS\System32\exp.exe
    C:\WINDOWS\System32\wintask.exe
    C:\WINDOWS\System32\winupdt.exe
    sentil.exe
    shgip32.exe

    C:\Program Files\o9b9kvmc
    C:\Program Files\Media Pass
    C:\Program Files\Common Files\rfqq


    So I ran HijackThis again. Here is the log:

    Logfile of HijackThis v1.99.1
    Scan saved at 2:52:11 PM, on 3/26/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\Dave Willoughby\My Documents\HijackThis\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
     
  12. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,322
    The log looks fine.

    Was that log made in safe mode? If so, you need to boot to normal Windows and post a log run then.
     
  13. godenver

    godenver Thread Starter

    Joined:
    Mar 20, 2005
    Messages:
    8
Yes, I was running it in safe mode. So I ran HijackThis in normal Windows mode; here is the log. Also, the Kaspersky software is really slowing down my computer. Is there something I can do about that, or should I just uninstall it?



    Logfile of HijackThis v1.99.1
    Scan saved at 8:08:13 PM, on 3/27/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\WINDOWS\System32\hphmon03.exe
    C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Real\Update_OB\realevent.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Dave Willoughby\My Documents\HijackThis\hijackthis.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
     
  14. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,322
    Clean! (y)

    Now turn off System Restore:

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    Restart your computer, turn System Restore back on and create a restore point.

    To create a restore point:

    Single-click Start and point to All Programs.
    Mouse over Accessories, then System Tools, and select System Restore.
    In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
    Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

    Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.
     
  15. godenver

    godenver Thread Starter

    Joined:
    Mar 20, 2005
    Messages:
    8
Awesome, thanks for the help. I do have one more question. Ever since I've gotten this stuff on my computer, I get an error message whenever I restart my computer. The message says "Generic Host Process for Win32 Services encountered a problem and needed to close". What does that mean?
     
Short URL to this thread: https://techguy.org/343750