
help! hijackthis log included.

Discussion in 'Virus & Other Malware Removal' started by strutter78, Jul 22, 2006.

Thread Status:
Not open for further replies.
  1. strutter78

    strutter78 Thread Starter

    Joined:
    Jul 22, 2006
    Messages:
    45
    mcafee found several trojans on my system and deleted them. on startup system went to checkdisk and removed corrupt files. now i have multiple problems.
    #1 happens at startup and repeats 5 times while clicking cancel
    windows-no disk
    there is no disk in the drive.
    please insert a disk into drive\device\harddisk\dr3

    #2 happens even when I'm not on the internet
    internet explorer has encountered a problem and must close.
    etc.

    #3
    mcafee active shield has found a suspect file on your computer
    mcafee strongly recommends you scan your computer now.

    file is.
    C:\windows\system32\service.dll
    says it is adware-virtumundo
    can not clean can not delete.


    Logfile of HijackThis v1.99.1
    Scan saved at 8:33:34 AM, on 7/22/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehSched.exe
    C:\WINDOWS\system32\gearsec.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\USB Storage RW\shwicon.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\ehome\ehmsas.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
    O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
    O2 - BHO: (no name) - {36CB9CE7-AC39-42FD-8094-8C76AE11F720} - C:\WINDOWS\System32\vpjibqhk.dll
    O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
    O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: CIEPl Object - {6BB18EFE-F2C7-457C-81FE-705757171FA0} - C:\WINDOWS\system32\service.dll
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [McAfee Guardian] C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe /SU
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
    O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
    O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/products/protected/mvt/mvt.cab
    O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - http://pbells.broadjump.com/wizlet/StandardInstall/static/controls/WebflowActiveXCab.CAB
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
    O20 - Winlogon Notify: cakjogqg - C:\WINDOWS\SYSTEM32\cakjogqg.dll
    O20 - Winlogon Notify: dtfobcfr - C:\WINDOWS\SYSTEM32\dtfobcfr.dll
    O20 - Winlogon Notify: itedogyu - C:\WINDOWS\SYSTEM32\itedogyu.dll
    O20 - Winlogon Notify: qjqievkk - C:\WINDOWS\SYSTEM32\qjqievkk.dll
    O20 - Winlogon Notify: service - C:\WINDOWS\SYSTEM32\service.dll
    O21 - SSODL: IEFilter - {2D3F5E1B-1A98-462E-8335-5F5CB3620FA7} - C:\WINDOWS\system32\IEFilter.dll
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
     
  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Hi, Welcome to TSG!!

    I've moved your post to the Security Forum.

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shutdown your computer, click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
     
  3. strutter78

    strutter78 Thread Starter

    Joined:
    Jul 22, 2006
    Messages:
    45
    no infected files were found.
     
  4. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Download Ewido anti-spyware from HERE and save that file to your desktop.

    This is a 30 day trial of the program
    1. Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
    2. Once the setup is complete you will need to run ewido and update the definition files.
    3. On the main screen select the icon "Update" then select the "Update now" link.
      • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    6. Under "Reports"
      • Select "Automatically generate report after every scan"
      • Un-Select "Only if threats were found"
    Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.
    1. Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
      IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process:
    2. Launch ewido-anti-spyware by double-clicking the icon on your desktop.
    3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    4. ewido will now begin the scanning process, be patient this may take a little time.
      Once the scan is complete do the following:
    5. If you have any infections you will be prompted, then select "Apply all actions"
    6. Next select the "Reports" icon at the top.
    7. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    8. Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan.


    Post a new HijackThis log and the log from Ewido.
     
  5. strutter78

    strutter78 Thread Starter

    Joined:
    Jul 22, 2006
    Messages:
    45
    will do.
    had to restart computer. processes running extremely slow and hanging. couldn't access c drive to retrieve log. after reboot found log, no files listed. internet needs to close now. hope this goes through.
     
  6. strutter78

    strutter78 Thread Starter

    Joined:
    Jul 22, 2006
    Messages:
    45
    link provided causes internet to lock up. found site and downloaded. can't run program

    ewido anti-spyware 4.0 exception
    something bad happened in the application. error diagnostic file saved to'c:\program files\ewido anti-spyware 4.0\ewido.err'

    i do not have a program that will open this log.

    downloaded again with same result when attempting to run program.
    also got same error during reboot after the windows-no disk errors.

    also noticed that my virus scan keeps becoming disabled.
     
  7. strutter78

    strutter78 Thread Starter

    Joined:
    Jul 22, 2006
    Messages:
    45
    by the way, i do have ad-aware se personal, spywareblaster and spybot search and destroy. and have ran them a few days ago.
     
  8. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    If you are in safe mode and not connected to the internet it should not matter if McAfee is disabled while doing the Ewido scan.
     
  9. strutter78

    strutter78 Thread Starter

    Joined:
    Jul 22, 2006
    Messages:
    45
    i have not gotten to the point of starting in safe mode. the ewido program will not open. i have not been able to do anything past downloading it and attempting to update the deff. files. i get the application error.

    i have stopped enabling the virus scan. the system seems to run faster with less hangups.
     
  10. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Run HJT again and put a check in the following:

    O2 - BHO: (no name) - {36CB9CE7-AC39-42FD-8094-8C76AE11F720} - C:\WINDOWS\System32\vpjibqhk.dll
    O2 - BHO: CIEPl Object - {6BB18EFE-F2C7-457C-81FE-705757171FA0} - C:\WINDOWS\system32\service.dll
    O20 - Winlogon Notify: cakjogqg - C:\WINDOWS\SYSTEM32\cakjogqg.dll
    O20 - Winlogon Notify: dtfobcfr - C:\WINDOWS\SYSTEM32\dtfobcfr.dll
    O20 - Winlogon Notify: itedogyu - C:\WINDOWS\SYSTEM32\itedogyu.dll
    O20 - Winlogon Notify: qjqievkk - C:\WINDOWS\SYSTEM32\qjqievkk.dll
    O20 - Winlogon Notify: service - C:\WINDOWS\SYSTEM32\service.dll
    O21 - SSODL: IEFilter - {2D3F5E1B-1A98-462E-8335-5F5CB3620FA7} - C:\WINDOWS\system32\IEFilter.dll

    Close all applications and browser windows before you click "fix checked".


    Please download Webroot SpySweeper from here: http://www.webroot.com/consumer/products/spysweeper/index.html?acode=af1&rc=4129

    (It's a 2 week trial.)

    * Click the Free Trial link under "SpySweeper" to download the program.
    * Install it. Once the program is installed, it will open.
    * It will prompt you to update to the latest definitions, click Yes.
    * Once the definitions are installed, click Options on the left side.
    * Click the Sweep Options tab.
    * Under What to Sweep please put a check next to the following:
    o Sweep Memory
    o Sweep Registry
    o Sweep Cookies
    o Sweep All User Accounts
    o Enable Direct Disk Sweeping
    o Sweep Contents of Compressed Files
    o Sweep for Rootkits

    o Please UNCHECK Do not Sweep System Restore Folder.

    * Click Sweep Now on the left side.
    * Click the Start button.
    * When it's done scanning, click the Next button.
    * Make sure everything has a check next to it, then click the Next button.
    * It will remove all of the items found.
    * Click Session Log in the upper right corner, copy everything in that window.
    * Click the Summary tab and click Finish.
    * Paste the contents of the session log you copied into your next reply.

    Also post a new Hijack This log.
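
One way to shortlist entries like those checked in post #10, as an added example that is not part of the thread and not HijackThis's own logic. The rule (autoload sections O2, O20 and O21 whose DLL sits directly in the system32 folder) and the names `parse_log`, `triage` and `in_system32_root` are assumptions fitted to this log; the sample is a subset of the lines posted in post #1, and the output is a review list, not a verdict.

```python
import re
from collections import namedtuple
from pathlib import PureWindowsPath

Entry = namedtuple("Entry", "section kind label clsid path")

# Constructed sample: a subset of lines copied from the HijackThis log in post #1.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {36CB9CE7-AC39-42FD-8094-8C76AE11F720} - C:\WINDOWS\System32\vpjibqhk.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CIEPl Object - {6BB18EFE-F2C7-457C-81FE-705757171FA0} - C:\WINDOWS\system32\service.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O20 - Winlogon Notify: cakjogqg - C:\WINDOWS\SYSTEM32\cakjogqg.dll
O20 - Winlogon Notify: service - C:\WINDOWS\SYSTEM32\service.dll
O21 - SSODL: IEFilter - {2D3F5E1B-1A98-462E-8335-5F5CB3620FA7} - C:\WINDOWS\system32\IEFilter.dll
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
"""

# "<section> - <kind>: <rest>", e.g. "O2 - BHO: (no name) - {CLSID} - C:\...\x.dll"
LINE_RE = re.compile(r"^([OR]\d+) - ([^:]+): (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Sections that make a DLL load into Internet Explorer, Winlogon or Explorer.
AUTOLOAD = {
    "O2": "Browser Helper Object",
    "O20": "Winlogon Notify",
    "O21": "ShellServiceObjectDelayLoad",
}


def parse_log(text):
    """Turn HijackThis result lines into Entry records; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, kind, rest = m.groups()
        # The file is the last " - " separated field; lines without that
        # separator (e.g. O4 Run entries) keep their whole remainder as path.
        head, _, path = rest.rpartition(" - ")
        clsid = CLSID_RE.search(head)
        label = head.split(" - ")[0] if head else ""
        entries.append(
            Entry(section, kind, label, clsid.group(0) if clsid else None, path)
        )
    return entries


def in_system32_root(path):
    """True when the file sits directly in ...\\windows\\system32 (any case)."""
    parent = PureWindowsPath(path).parent
    return tuple(p.lower() for p in parent.parts[-2:]) == ("windows", "system32")


def triage(text):
    """Return (entry, reasons) pairs for entries worth a manual look."""
    candidates = [
        e for e in parse_log(text)
        if e.section in AUTOLOAD and in_system32_root(e.path)
    ]
    # Map each file to every autoload section that references it.
    sections_by_file = {}
    for e in candidates:
        sections_by_file.setdefault(e.path.lower(), set()).add(e.section)

    findings = []
    for e in candidates:
        reasons = [f"{AUTOLOAD[e.section]} DLL loaded from the system32 root"]
        if e.label == "(no name)":
            reasons.append("no display name")
        others = sections_by_file[e.path.lower()] - {e.section}
        if others:
            reasons.append("same file also registered under " + ", ".join(sorted(others)))
        findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(f"{entry.section:<4}{entry.path}")
        for reason in reasons:
            print(f"      - {reason}")
```

HijackThis hides entries it recognises as standard, so legitimate third-party DLLs in system32 can still appear in this shortlist and need checking by hand.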
     
  11. strutter78

    strutter78 Thread Starter

    Joined:
    Jul 22, 2006
    Messages:
    45
    a little info before i post the logs. may be pertinent may not. while running the spysweeper i got several popups saying a BHO is being installed. explorer.exe and vbmnnoob.dll. i blocked these. also after quarantining everything spysweeper found, it said there were some files it could not remove until restart. so i did a restart and during the initialization of processes i got the blue screen of death. with a message Stop: c000021a {fatal system error} the windows logon process system process terminated unexpectedly with a status of 0x80000003 (0x00000000 0x00000000) the system has been shut down
    i powered down and brought it back up and this did not happen again. virus scan did initialize this time by itself. the system seems to be running a little faster. still got the windows - no disk errors this time i noticed that when it says drive\device\harddisk\dr3, i click cancel the next one says \harddisk1\dr4, next one \harddisk2\dr5,next one \harddisk3\dr6. like i said, this may not matter for you diagnostic purposes . but i included it just in case. here are the logs:

    1:06 PM: Removal process completed. Elapsed time 00:01:14
    1:06 PM: A reboot was required but declined.
    1:06 PM: Quarantining All Traces: redzip cookie
    1:06 PM: Quarantining All Traces: expage cookie
    1:06 PM: Quarantining All Traces: burstbeacon cookie
    1:06 PM: Quarantining All Traces: webpower cookie
    1:06 PM: Quarantining All Traces: upspiral cookie
    1:06 PM: Quarantining All Traces: trb.com cookie
    1:06 PM: Quarantining All Traces: servlet cookie
    1:06 PM: Quarantining All Traces: reunion cookie
    1:06 PM: Quarantining All Traces: pricegrabber cookie
    1:06 PM: Quarantining All Traces: paypopup cookie
    1:06 PM: Quarantining All Traces: partypoker cookie
    1:06 PM: Quarantining All Traces: offeroptimizer cookie
    1:06 PM: Quarantining All Traces: realmedia cookie
    1:06 PM: Quarantining All Traces: mygeek cookie
    1:06 PM: Quarantining All Traces: touchclarity cookie
    1:06 PM: Quarantining All Traces: metareward.com cookie
    1:06 PM: Quarantining All Traces: kount cookie
    1:06 PM: Quarantining All Traces: infospace cookie
    1:06 PM: Quarantining All Traces: screensavers.com cookie
    1:06 PM: Quarantining All Traces: howstuffworks cookie
    1:06 PM: Quarantining All Traces: hitstats.net cookie
    1:06 PM: Quarantining All Traces: starware.com cookie
    1:06 PM: Quarantining All Traces: fastcompany cookie
    1:06 PM: Quarantining All Traces: exitexchange cookie
    1:06 PM: Quarantining All Traces: did-it cookie
    1:06 PM: Quarantining All Traces: dealtime cookie
    1:06 PM: Quarantining All Traces: overture cookie
    1:06 PM: Quarantining All Traces: 360i cookie
    1:06 PM: Quarantining All Traces: tickle cookie
    1:06 PM: Quarantining All Traces: classmates cookie
    1:06 PM: Quarantining All Traces: cassava cookie
    1:06 PM: Quarantining All Traces: casalemedia cookie
    1:06 PM: Quarantining All Traces: goclick cookie
    1:06 PM: Quarantining All Traces: enhance cookie
    1:06 PM: Quarantining All Traces: burstnet cookie
    1:06 PM: Quarantining All Traces: banner cookie
    1:06 PM: Quarantining All Traces: bannerspace cookie
    1:06 PM: Quarantining All Traces: azjmp cookie
    1:06 PM: Quarantining All Traces: atwola cookie
    1:06 PM: Quarantining All Traces: belnk cookie
    1:06 PM: Quarantining All Traces: ask cookie
    1:06 PM: Quarantining All Traces: tacoda cookie
    1:06 PM: Quarantining All Traces: affiliate cookie
    1:06 PM: Quarantining All Traces: ads.techtv.com cookie
    1:06 PM: Quarantining All Traces: adprofile cookie
    1:06 PM: Quarantining All Traces: specificclick.com cookie
    1:06 PM: Quarantining All Traces: hbmediapro cookie
    1:06 PM: Quarantining All Traces: adlegend cookie
    1:06 PM: Quarantining All Traces: adknowledge cookie
    1:06 PM: Quarantining All Traces: go.com cookie
    1:06 PM: Quarantining All Traces: adecn cookie
    1:06 PM: Quarantining All Traces: yieldmanager cookie
    1:06 PM: Quarantining All Traces: websponsors cookie
    1:06 PM: Quarantining All Traces: tribalfusion cookie
    1:06 PM: Quarantining All Traces: 64.62.232 cookie
    1:06 PM: Quarantining All Traces: 447 cookie
    1:06 PM: Quarantining All Traces: 216.221.138 cookie
    1:06 PM: Quarantining All Traces: 2o7.net cookie
    1:06 PM: Quarantining All Traces: statcounter cookie
    1:06 PM: Quarantining All Traces: nextag cookie
    1:06 PM: c:\windows\system32\protector.exe is in use. It will be removed on reboot.
    1:06 PM: c:\windows\prefetch\protector.exe-0a9fb328.pf is in use. It will be removed on reboot.
    1:06 PM: potentially rootkit-masked files is in use. It will be removed on reboot.
    1:06 PM: Quarantining All Traces: potentially rootkit-masked files
    1:06 PM: C:\WINDOWS\system32\service.dll is in use. It will be removed on reboot.
    1:06 PM: virtumonde is in use. It will be removed on reboot.
    1:06 PM: Quarantining All Traces: virtumonde
    1:05 PM: Removal process initiated
    1:04 PM: BHO Shield: found: -- BHO installation denied at user request
    1:01 PM: Traces Found: 99
    1:01 PM: Full Sweep has completed. Elapsed time 00:28:48
    1:01 PM: File Sweep Complete, Elapsed Time: 00:26:53
    12:57 PM: c:\windows\system32\protector.exe (ID = 0)
    12:57 PM: c:\windows\prefetch\protector.exe-0a9fb328.pf (ID = 0)
    12:57 PM: Found System Monitor: potentially rootkit-masked files
    12:57 PM: Warning: Failed to access drive J:
    12:57 PM: Warning: Failed to access drive I:
    12:57 PM: Warning: Failed to access drive H:
    12:57 PM: Warning: Failed to access drive G:
    12:57 PM: Warning: Failed to access drive F:
    12:57 PM: Warning: Failed to access drive E:
    12:37 PM: BHO Shield: found: -- BHO installation denied at user request
    12:34 PM: Starting File Sweep
    12:34 PM: Warning: Failed to access drive A:
    12:34 PM: Cookie Sweep Complete, Elapsed Time: 00:00:09
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][2].txt (ID = 3749)
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][1].txt (ID = 3615)
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][1].txt (ID = 3298)
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][1].txt (ID = 3250)
    12:34 PM: Found Spy Cookie: redzip cookie
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][1].txt (ID = 2657)
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][2].txt (ID = 2638)
    12:34 PM: Found Spy Cookie: expage cookie
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][1].txt (ID = 2729)
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][1].txt (ID = 2337)
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][1].txt (ID = 2335)
    12:34 PM: Found Spy Cookie: burstbeacon cookie
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][1].txt (ID = 1958)
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][1].txt (ID = 3660)
    12:34 PM: Found Spy Cookie: webpower cookie
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][2].txt (ID = 3614)
    12:34 PM: Found Spy Cookie: upspiral cookie
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][1].txt (ID = 3442)
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][1].txt (ID = 3587)
    12:34 PM: Found Spy Cookie: trb.com cookie
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][1].txt (ID = 6444)
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][1].txt (ID = 2506)
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][1].txt (ID = 3345)
    12:34 PM: Found Spy Cookie: servlet cookie
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][1].txt (ID = 1958)
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][2].txt (ID = 3297)
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][1].txt (ID = 2806)
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected].paypopup[1].txt (ID = 3120)
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][2].txt (ID = 3255)
    12:34 PM: Found Spy Cookie: reunion cookie
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][1].txt (ID = 2729)
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][2].txt (ID = 3185)
    12:34 PM: Found Spy Cookie: pricegrabber cookie
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][2].txt (ID = 3119)
    12:34 PM: Found Spy Cookie: paypopup cookie
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][1].txt (ID = 3111)
    12:34 PM: Found Spy Cookie: partypoker cookie
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][1].txt (ID = 3567)
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][1].txt (ID = 1958)
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][1].txt (ID = 3087)
    12:34 PM: Found Spy Cookie: offeroptimizer cookie
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][2].txt (ID = 5014)
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][1].txt (ID = 3236)
    12:34 PM: Found Spy Cookie: realmedia cookie
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][1].txt (ID = 3041)
    12:34 PM: Found Spy Cookie: mygeek cookie
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][1].txt (ID = 1958)
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][1].txt (ID = 3566)
    12:34 PM: Found Spy Cookie: touchclarity cookie
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][1].txt (ID = 2990)
    12:34 PM: Found Spy Cookie: metareward.com cookie
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][1].txt (ID = 2911)
    12:34 PM: Found Spy Cookie: kount cookie
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][1].txt (ID = 2865)
    12:34 PM: Found Spy Cookie: infospace cookie
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][2].txt (ID = 3298)
    12:34 PM: Found Spy Cookie: screensavers.com cookie
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][1].txt (ID = 2805)
    12:34 PM: Found Spy Cookie: howstuffworks cookie
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][2].txt (ID = 2791)
    12:34 PM: Found Spy Cookie: hitstats.net cookie
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][2].txt (ID = 3442)
    12:34 PM: Found Spy Cookie: starware.com cookie
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][1].txt (ID = 2728)
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][2].txt (ID = 2655)
    12:34 PM: Found Spy Cookie: fastcompany cookie
    12:34 PM: c:\documents and settings\mom.dadscomputer\cookies\[email protected][1].txt (ID = 2633)
    12:34 PM: Starting Cookie Sweep
    12:34 PM: Registry Sweep Complete, Elapsed Time:00:00:22
    12:34 PM: HKLM\software\classes\iepl.iepl.1\ (ID = 1064409)
    12:34 PM: HKLM\software\classes\iepl.iepl\ (ID = 1064403)
    12:34 PM: HKCR\iepl.iepl.1\ (ID = 1064376)
    12:34 PM: HKCR\iepl.iepl\ (ID = 1064370)
    12:34 PM: Starting Registry Sweep
    12:34 PM: Memory Sweep Complete, Elapsed Time: 00:01:14
    12:33 PM: BHO Shield: found: vbmnnoob.dll-- BHO installation denied at user request
    12:33 PM: BHO Shield: found: vbmnnoob.dll-- BHO installation denied at user request
    12:33 PM: BHO Shield: found: vbmnnoob.dll-- BHO installation denied at user request
    12:33 PM: BHO Shield: found: vbmnnoob.dll-- BHO installation denied at user request
    12:32 PM: Detected running threat: C:\WINDOWS\system32\service.dll (ID = 394)
    12:32 PM: Found Adware: virtumonde
    12:32 PM: Starting Memory Sweep
    12:32 PM: Sweep initiated using definitions version 691
    12:32 PM: Spy Sweeper 5.0.5.1286 started
    12:32 PM: | Start of Session, Saturday, July 22, 2006 |
    ********
    12:32 PM: | End of Session, Saturday, July 22, 2006 |
    12:28 PM: BHO Shield: found: -- BHO installation denied at user request
    12:28 PM: BHO Shield: found: -- BHO installation denied at user request
    12:27 PM: BHO Shield: found: -- BHO installation denied at user request
    12:26 PM: BHO Shield: found: -- BHO installation denied at user request
    Keylogger Shield: On
    BHO Shield: On
    IE Security Shield: On
    Alternate Data Stream (ADS) Execution Shield: On
    Startup Shield: On
    12:24 PM: Warning: Access is denied
    Common Ad Sites Shield: Off
    Hosts File Shield: On
    Spy Communication Shield: On
    ActiveX Shield: On
    Windows Messenger Service Shield: On
    IE Favorites Shield: On
    Spy Installation Shield: On
    Memory Shield: On
    IE Hijack Shield: On
    IE Tracking Cookies Shield: Off
    12:23 PM: Shield States
    12:23 PM: Spyware Definitions: 691
    12:21 PM: Spy Sweeper 5.0.5.1286 started
    12:21 PM: Spy Sweeper 5.0.5.1286 started
    12:21 PM: | Start of Session, Saturday, July 22, 2006 |
    ********
     
  12. strutter78

    strutter78 Thread Starter

    Joined:
    Jul 22, 2006
    Messages:
    45
    text too long. had to split it up.


    Logfile of HijackThis v1.99.1
    Scan saved at 1:21:12 PM, on 7/22/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\USB Storage RW\shwicon.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\ehome\ehmsas.exe
    C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\WINDOWS\ehome\ehSched.exe
    C:\Program Files\Support.com\BellSouth\hcenter.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\gearsec.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\Program Files\McAfee.com\VSO\oasclnt.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\WINDOWS\System32\ctfmon.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\Service.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
    O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
    O2 - BHO: (no name) - {36CB9CE7-AC39-42FD-8094-8C76AE11F720} - C:\WINDOWS\System32\lruifbih.dll
    O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
    O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: CIEPl Object - {6BB18EFE-F2C7-457C-81FE-705757171FA0} - C:\WINDOWS\system32\service.dll (file missing)
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [BJCFD] "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
    O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
    O4 - HKLM\..\Run: [VOBRegCheck] "C:\WINDOWS\System32\VOBREGCheck.exe" -CheckReg
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "C:\Program Files\McAfee.com\VSO\mcvsshld.exe"
    O4 - HKLM\..\Run: [MSKDetectorExe] "C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" /startup
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [OASClnt] "C:\Program Files\McAfee.com\VSO\oasclnt.exe"
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [MPSExe] "c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" /embedding
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
    O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
    O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/products/protected/mvt/mvt.cab
    O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - http://pbells.broadjump.com/wizlet/StandardInstall/static/controls/WebflowActiveXCab.CAB
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
    O20 - Winlogon Notify: cakjogqg - C:\WINDOWS\SYSTEM32\cakjogqg.dll
    O20 - Winlogon Notify: dtfobcfr - C:\WINDOWS\SYSTEM32\dtfobcfr.dll
    O20 - Winlogon Notify: itedogyu - C:\WINDOWS\SYSTEM32\itedogyu.dll
    O20 - Winlogon Notify: qjqievkk - C:\WINDOWS\SYSTEM32\qjqievkk.dll
    O20 - Winlogon Notify: service - service.dll (file missing)
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: ewido anti-spyware 4.0 guard - Unknown owner - C:\Program Files\ewido anti-spyware 4.0\guard.exe (file missing)
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
     
  13. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Do you have your disk partitioned into multiple drives or do you have multiple HD?
     
  14. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Run HJT again and put a check in the following:

    O2 - BHO: (no name) - {36CB9CE7-AC39-42FD-8094-8C76AE11F720} - C:\WINDOWS\System32\lruifbih.dll
    O2 - BHO: CIEPl Object - {6BB18EFE-F2C7-457C-81FE-705757171FA0} - C:\WINDOWS\system32\service.dll (file missing)
    O20 - Winlogon Notify: cakjogqg - C:\WINDOWS\SYSTEM32\cakjogqg.dll
    O20 - Winlogon Notify: dtfobcfr - C:\WINDOWS\SYSTEM32\dtfobcfr.dll
    O20 - Winlogon Notify: itedogyu - C:\WINDOWS\SYSTEM32\itedogyu.dll
    O20 - Winlogon Notify: qjqievkk - C:\WINDOWS\SYSTEM32\qjqievkk.dll
    O20 - Winlogon Notify: service - service.dll (file missing)

    Close all applications and browser windows before you click "fix checked".


    Click Here and download Killbox and save it to your desktop.



    Double-click on Killbox.exe to run it.
    Put a tick by Delete on Reboot.
    Copy the following list of files to clipboard, CTRL+C to copy
    Now in Killbox go to File, Paste from clipboard.
    Click the All Files button.
    Click on the button that has the red circle with the X in the middle.
    It will ask for confirmation to delete the file.
    Click Yes.
    It will ask if you want to reboot now,
    Click Yes.

    After the reboot post your log again.
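
Added example, not part of the post above and not HijackThis's own logic: a small triage script that reads the O2 (BHO) and O20 (Winlogon Notify) lines of the log posted in this thread and applies three checks that reproduce the helper's selection. The allowlist content, the function name `triage` and the three rules are assumptions made for this illustration.

```python
import ntpath
import re

# O2 and O20 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: (no name) - {36CB9CE7-AC39-42FD-8094-8C76AE11F720} - C:\WINDOWS\System32\lruifbih.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CIEPl Object - {6BB18EFE-F2C7-457C-81FE-705757171FA0} - C:\WINDOWS\system32\service.dll (file missing)
O20 - Winlogon Notify: cakjogqg - C:\WINDOWS\SYSTEM32\cakjogqg.dll
O20 - Winlogon Notify: dtfobcfr - C:\WINDOWS\SYSTEM32\dtfobcfr.dll
O20 - Winlogon Notify: itedogyu - C:\WINDOWS\SYSTEM32\itedogyu.dll
O20 - Winlogon Notify: qjqievkk - C:\WINDOWS\SYSTEM32\qjqievkk.dll
O20 - Winlogon Notify: service - service.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

# Assumption: the analyst supplies the notify DLLs they recognise. Here it holds
# the one O20 entry the helper left unchecked.
KNOWN_NOTIFY_DLLS = {"wrlogonntf.dll"}

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]{36}\} - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")


def triage(log_text, notify_allowlist=KNOWN_NOTIFY_DLLS):
    """Return (section, dll, reasons) for each O2/O20 line worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line) or O20_RE.match(line)
        if not m:
            continue
        section = line.split(" ", 1)[0]
        path = m["path"]
        dll = ntpath.basename(path).lower()
        reasons = []
        if m["missing"]:
            reasons.append("registry entry points at a file that is gone")
        if section == "O2":
            # Named BHOs in vendor folders pass; unnamed ones in System32 do not.
            if m["name"] == "(no name)" and "\\system32\\" in path.lower():
                reasons.append("unnamed BHO loading from System32")
        elif dll not in notify_allowlist:
            reasons.append("Winlogon Notify DLL not on the allowlist")
        if reasons:
            findings.append((section, dll, reasons))
    return findings


if __name__ == "__main__":
    for section, dll, reasons in triage(SAMPLE_LOG):
        print(f"{section:<3} {dll:<14} {'; '.join(reasons)}")
```

The script only sorts log lines for a human reviewer; an unnamed BHO outside System32 (Spybot's SDHelper.dll here) passes, and anything flagged still needs checking before it is fixed.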
     
  15. strutter78

    strutter78 Thread Starter

    Joined:
    Jul 22, 2006
    Messages:
    45
    there is a drive C and D. D drive is for system recovery.
     

Short URL to this thread: https://techguy.org/485343
