1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Help Me Please!

Discussion in 'Virus & Other Malware Removal' started by maspears, Feb 4, 2005.

Thread Status:
Not open for further replies.
Advertisement
  1. maspears

    maspears Thread Starter

    Joined:
    Feb 4, 2005
    Messages:
    65
    I seem to have gotten a trojan horse last night. As I am relatively dumb when it comes to these things, I need some help in what to do. From reading other peoples posts, I downloaded hijack this already. Here is my logfile:

    Logfile of HijackThis v1.99.0
    Scan saved at 6:33:35 AM, on 2/4/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\drivers\dcfssvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\SK9910DM.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\WINNT\System32\igfxtray.exe
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\PhoneTools\CapFax.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINNT\system32\RUNDLL32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\winnt\system32\vkvxkcm.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINNT\system32\RUNDLL32.exe
    C:\winnt\system32\calc.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    C:\WINNT\System32\HPZipm12.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\HPZENG09.exe
    C:\Documents and Settings\Owner\My Documents\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.snip.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SNiP
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
    O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINNT\ZServ.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [stcloader] C:\WINNT\system32\stcloader.exe
    O4 - HKLM\..\Run: [vkvxkcm] c:\winnt\system32\vkvxkcm.exe
    O4 - HKLM\..\Run: [kalvsys] C:\winnt\system32\kalvmix32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.snip.net
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install007.exe
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {A23D7C20-CABA-11CF-A5D4-00AA00A47DD2} - http://www.bakers.com/Default.htm
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{53D3551A-D509-4AC5-892D-2FA3F9F55AE4}: NameServer = 209.204.64.2 209.204.64.3
    O17 - HKLM\System\CS1\Services\Tcpip\..\{53D3551A-D509-4AC5-892D-2FA3F9F55AE4}: NameServer = 209.204.64.2 209.204.64.3
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINNT\system32\drivers\dcfssvc.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
    O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


    I would really appreciate any help. Thanks a lot!!!!
     
  2. crushbone

    crushbone

    Joined:
    Aug 5, 2004
    Messages:
    1,137
    Hello maspears and Welcome to TSG! :D

    Run HijackThis and fix the following entries:

    R3 - Default URLSearchHook is missing

    O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINNT\ZServ.dll

    O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)

    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

    O4 - HKLM\..\Run: [stcloader] C:\WINNT\system32\stcloader.exe

    O4 - HKLM\..\Run: [kalvsys] C:\winnt\system32\kalvmix32.exe

    O4 - Startup: PowerReg Scheduler V3.exe

    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

    O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install007.exe

    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/min...ransporter.cab?


    Download Ad-Aware SE from here:
    http://www.download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button

    Install and run Ad-Aware SE. On the bottom right corner of Ad-Aware you will see an option called "Check for updates now", click on that and choose "connect". Download the updates. Next click on "Scan now" on the left side of Ad-Aware. Make sure that "Search for negligible risk entries" is crossed out and not ticked. Choose "Perform full system scan" and click "Next". After Ad-Aware scans your computer, Ad-Aware may find some bad files on your computer so make sure you tick them all and choose "Next". It will ask if you want to remove those items so just continue. After removing the items close Ad-Aware.

    Download Spybot S&D from here:
    http://users.skynet.be/fa936042/spybotsd13.exe

    Install and run Spybot S&D. Choose "Search for updates". Next choose "Download updates". After that, choose "Search and Destroy" and click on "Check for problems". If Spybot finds any nasties on your computer, make sure that they are ticked and choose "Fix selected problems".

    Download SpywareBlaster from here:
    http://www.majorgeeks.com/downloadget.php?id=2859&file=11&evp=61b0e8ad41924a03c37615f4682b4cef

    Install and run SpywareBlaster. Click on "Updates" and then choose "Check for updates". Next choose "Protection" and at the top you will see different tabs which are Internet Explorer, Restricted sites and Mozilla/Firefox. Choose one of them at a time and at the bottom click "Protect Against Checked Items" (make sure that all of the items are checked). Tick the boxes above the items. Make sure you do this for all of the top tabs. Mozilla/Firefox you only need to do if you have the user profiles on your computer. You may now exit out of SpywareBlaster.

    Restart your computer and post a fresh HijackThis log back on this thread.
     
  3. maspears

    maspears Thread Starter

    Joined:
    Feb 4, 2005
    Messages:
    65
    Thanks for the info. Unfortunately, I am at work right now, and won't be able to work on this till this evening. Will following these steps take care of the problem? Like I said, I don't know much about this.....
     
  4. maspears

    maspears Thread Starter

    Joined:
    Feb 4, 2005
    Messages:
    65
    Ok, I did everything you said in your last post, and here is my latest HJT log....


    Logfile of HijackThis v1.99.0
    Scan saved at 7:50:37 AM, on 2/5/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\drivers\dcfssvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\SK9910DM.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\WINNT\System32\igfxtray.exe
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\PhoneTools\CapFax.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\winnt\system32\vkvxkcm.exe
    C:\Program Files\NaviSearch\bin\nls.exe
    C:\WINNT\system32\niaqy\quuevea.exe
    C:\WINNT\system32\rxwof\stbotvwh.exe
    C:\WINNT\system32\ikwkdvj\ctni.exe
    C:\WINNT\system32\wqkxcd\nyaj.exe
    C:\winnt\system32\packager.exe
    C:\WINNT\system32\cgpt\klvd.exe
    C:\DOCUME~1\Owner\LOCALS~1\Temp\ICD2.tmp\svcmm32.exe
    C:\docume~1\owner\locals~1\temp\180ax.exe
    C:\WINNT\system32\iexfldr.exe
    C:\WINNT\system32\dmvlite.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Bpt\bpt.exe
    C:\WINNT\ldbcxdvol.exe
    C:\WINNT\system32\secure.exe
    C:\WINNT\newpop63.exe
    C:\WINNT\system32\wsxsvc\wsxsvc.exe
    C:\WINNT\system32\vmss\vmss.exe
    C:\WINNT\system32\iep0_32.exe
    C:\Documents and Settings\Owner\Application Data\dees.exe
    C:\WINNT\system32\prutnct.exe
    C:\WINNT\system32\prutnct.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\CashBack\bin\cashback.exe
    C:\Program Files\AutoUpdate\AutoUpdate.exe
    C:\Program Files\hijack\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.snip.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SNiP
    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
    O2 - BHO: (no name) - {00000049-8F91-4D9C-9573-F016E7626484} - (no file)
    O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
    O2 - BHO: (no name) - {33B2103A-30E0-92B4-9507-2C89526DFC33} - C:\WINNT\system32\xfjevkfp\qmptfmtq.dll
    O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINNT\system32\nvms.dll
    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINNT\system32\mscb.dll
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\system32\msbe.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [vkvxkcm] c:\winnt\system32\vkvxkcm.exe
    O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
    O4 - HKLM\..\Run: [quuevea] C:\WINNT\system32\niaqy\quuevea.exe
    O4 - HKLM\..\Run: [stbotvwh] C:\WINNT\system32\rxwof\stbotvwh.exe
    O4 - HKLM\..\Run: [ctni] C:\WINNT\system32\ikwkdvj\ctni.exe
    O4 - HKLM\..\Run: [nyaj] C:\WINNT\system32\wqkxcd\nyaj.exe
    O4 - HKLM\..\Run: [klvd] C:\WINNT\system32\cgpt\klvd.exe
    O4 - HKLM\..\Run: [kalvsys] C:\winnt\system32\kalvmix32.exe
    O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\Owner\LOCALS~1\Temp\ICD2.tmp\svcmm32.exe" /startup
    O4 - HKLM\..\Run: [180ax] c:\docume~1\owner\locals~1\temp\180ax.exe
    O4 - HKLM\..\Run: [s72T3tj] iexfldr.exe
    O4 - HKLM\..\Run: [skyhn] C:\WINNT\system32\dmvlite.exe
    O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
    O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\bptre.exe"
    O4 - HKLM\..\Run: [Xcpy1] "C:\Program Files\Common Files\Java\Xcpy1.exe"
    O4 - HKLM\..\Run: [version] C:\WINNT\system32\dealhelper.exe
    O4 - HKLM\..\Run: [C:\WINNT\ldbcxdvol.exe] C:\WINNT\ldbcxdvol.exe
    O4 - HKLM\..\Run: [secure] C:\WINNT\system32\secure.exe
    O4 - HKLM\..\Run: [popuppers] C:\WINNT\newpop63.exe
    O4 - HKLM\..\Run: [Dvx] C:\WINNT\system32\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\Run: [vmss] C:\WINNT\system32\vmss\vmss.exe
    O4 - HKLM\..\Run: [AutoLoaders0tv1ZWWMMPJ] "C:\WINNT\system32\iexfldr.exe" /HideDir /HideUninstall /PC="CP.RAZR" /ShowLegalNote="nonbranded"
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [dwt3RjH2X] iep0_32.exe
    O4 - HKCU\..\Run: [Ltho] C:\Documents and Settings\Owner\Application Data\dees.exe
    O4 - HKCU\..\Run: [prutnct] C:\WINNT\system32\prutnct.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.snip.net
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.popuppers.com
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/download/bargain_buddy/cab/installer_MARKETING10.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {A23D7C20-CABA-11CF-A5D4-00AA00A47DD2} - http://www.bakers.com/Default.htm
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {FDCC1518-6A63-11D9-AAC8-91EC5E497716} - http://www.ouchvideo.com/mmviewer_emg11.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{53D3551A-D509-4AC5-892D-2FA3F9F55AE4}: NameServer = 209.204.64.2 209.204.64.3
    O17 - HKLM\System\CS1\Services\Tcpip\..\{53D3551A-D509-4AC5-892D-2FA3F9F55AE4}: NameServer = 209.204.64.2 209.204.64.3
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINNT\system32\drivers\dcfssvc.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
    O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: ZESOFT - Unknown - C:\WINNT\zeta.exe



    What do I need to do now?
     
  5. crushbone

    crushbone

    Joined:
    Aug 5, 2004
    Messages:
    1,137
    WOW! Your log is in a real mess compared to the first post. :eek:
    What have you been doing? :confused:

    First run ALL of the programs that I got you to download.

    Download DelDomains from here:
    http://www.mvps.org/winhelp2002/DelDomains.inf

    After downloading the file, Right-Click and select "Install". This will get rid of the O15 entries in HijackThis.

    Open Internet Explorer and at the top click on "Tools" and choose "Internet Options". Click on the "Advanced" tab and untick "Enable third-party browser extensions". Click on "Apply" then "OK".

    Download PeperFix from here:
    http://www.bleepingcomputer.com/files/peperremover.php

    Go to My Computer and click on the "Tools" tab at the top. Click on "View" and under the "Hidden files and folders" tab, put a green dot next to "Show hidden files and folders".

    Run PeperFix and click on "Find and Fix".

    Open Internet Explorer and click on "Tools" then "Internet Options". Click on "Delete files" and tick "Delete all offline content" and click "OK" and "OK" again.

    If you have any Anti-Virus software could you please do a full system scan.

    Restart your computer and post a fresh HijackThis log back on this thread.
     
  6. maspears

    maspears Thread Starter

    Joined:
    Feb 4, 2005
    Messages:
    65
    OK :( . I only did what you had said in the last post though. I will run all programs again, restart, and post a fresh Hijack This log afterwards.
     
  7. crushbone

    crushbone

    Joined:
    Aug 5, 2004
    Messages:
    1,137
    Make sure you do everything in my previous post before posting the HijackThis log.
     
  8. maspears

    maspears Thread Starter

    Joined:
    Feb 4, 2005
    Messages:
    65
    Ok, I did everything in your previous post. Here is the latest log:


    Logfile of HijackThis v1.99.0
    Scan saved at 10:15:15 AM, on 2/5/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\drivers\dcfssvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\SK9910DM.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\WINNT\System32\igfxtray.exe
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\PhoneTools\CapFax.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINNT\system32\niaqy\quuevea.exe
    C:\WINNT\system32\rxwof\stbotvwh.exe
    C:\WINNT\system32\ikwkdvj\ctni.exe
    C:\WINNT\system32\wqkxcd\nyaj.exe
    C:\WINNT\system32\cgpt\klvd.exe
    C:\WINNT\system32\dmvlite.exe
    C:\WINNT\system32\secure.exe
    C:\WINNT\newpop63.exe
    C:\WINNT\system32\wsxsvc\wsxsvc.exe
    C:\WINNT\system32\vmss\vmss.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINNT\system32\webtils.exe
    C:\WINNT\system32\vkvmsman.exe
    C:\Documents and Settings\Owner\Application Data\dees.exe
    C:\WINNT\system32\wuauclt.exe
    C:\WINNT\system32\prutnct.exe
    C:\WINNT\system32\prutnct.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    C:\WINNT\System32\HPZipm12.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
    C:\Program Files\hijack\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.snip.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SNiP
    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
    O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
    O2 - BHO: (no name) - {33B2103A-30E0-92B4-9507-2C89526DFC33} - C:\WINNT\system32\xfjevkfp\qmptfmtq.dll
    O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [vkvxkcm] c:\winnt\system32\vkvxkcm.exe
    O4 - HKLM\..\Run: [quuevea] C:\WINNT\system32\niaqy\quuevea.exe
    O4 - HKLM\..\Run: [stbotvwh] C:\WINNT\system32\rxwof\stbotvwh.exe
    O4 - HKLM\..\Run: [ctni] C:\WINNT\system32\ikwkdvj\ctni.exe
    O4 - HKLM\..\Run: [nyaj] C:\WINNT\system32\wqkxcd\nyaj.exe
    O4 - HKLM\..\Run: [klvd] C:\WINNT\system32\cgpt\klvd.exe
    O4 - HKLM\..\Run: [skyhn] C:\WINNT\system32\dmvlite.exe
    O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
    O4 - HKLM\..\Run: [version] C:\WINNT\system32\dealhelper.exe
    O4 - HKLM\..\Run: [secure] C:\WINNT\system32\secure.exe
    O4 - HKLM\..\Run: [popuppers] C:\WINNT\newpop63.exe
    O4 - HKLM\..\Run: [Dvx] C:\WINNT\system32\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\Run: [vmss] C:\WINNT\system32\vmss\vmss.exe
    O4 - HKLM\..\Run: [s72T3tj] webtils.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [dwt3RjH2X] vkvmsman.exe
    O4 - HKCU\..\Run: [Ltho] C:\Documents and Settings\Owner\Application Data\dees.exe
    O4 - HKCU\..\Run: [prutnct] C:\WINNT\system32\prutnct.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.snip.net
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.popuppers.com
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/download/bargain_buddy/cab/installer_MARKETING10.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {A23D7C20-CABA-11CF-A5D4-00AA00A47DD2} - http://www.bakers.com/Default.htm
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {FDCC1518-6A63-11D9-AAC8-91EC5E497716} - http://www.ouchvideo.com/mmviewer_emg11.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{53D3551A-D509-4AC5-892D-2FA3F9F55AE4}: NameServer = 209.204.64.2 209.204.64.3
    O17 - HKLM\System\CS1\Services\Tcpip\..\{53D3551A-D509-4AC5-892D-2FA3F9F55AE4}: NameServer = 209.204.64.2 209.204.64.3
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINNT\system32\drivers\dcfssvc.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
    O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: ZESOFT - Unknown - C:\WINNT\zeta.exe (file missing)



    I'm starting to get really frustrated :(
     
  9. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    The security section is quite busy. You will need to be patient.

    I believe you are going to need additional help here as this problem is more difficult to fix. Let me see who I can find to assist. Starting a new thread is NOT the thing to do in any event.
     
  10. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    I'm working out a fix back with you in few minutes
     
  11. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,196
    Too slow....
     
  12. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    Sorry about the email mix up guys, this was the thread I meant :eek: Just look for a post from me in the security forums and usually that's it :D :D
     
  13. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    Read all these instructions carefully, Print them out and download all the things mentioned before starting


    Download pocket killbox from Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily

    Sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line. Copy these instructions to notepad and save them on your desktop for easy access. You must follow these directions exactly and you cannot skip any part of it.

    Now boot into safe mode

    How to start your computer in safe mode

    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked


    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
    O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
    O2 - BHO: (no name) - {33B2103A-30E0-92B4-9507-2C89526DFC33} - C:\WINNT\system32\xfjevkfp\qmptfmtq.dll
    O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll

    O4 - HKLM\..\Run: [vkvxkcm] c:\winnt\system32\vkvxkcm.exe
    O4 - HKLM\..\Run: [quuevea] C:\WINNT\system32\niaqy\quuevea.exe
    O4 - HKLM\..\Run: [stbotvwh] C:\WINNT\system32\rxwof\stbotvwh.exe
    O4 - HKLM\..\Run: [ctni] C:\WINNT\system32\ikwkdvj\ctni.exe
    O4 - HKLM\..\Run: [nyaj] C:\WINNT\system32\wqkxcd\nyaj.exe
    O4 - HKLM\..\Run: [klvd] C:\WINNT\system32\cgpt\klvd.exe
    O4 - HKLM\..\Run: [skyhn] C:\WINNT\system32\dmvlite.exe
    O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
    O4 - HKLM\..\Run: [version] C:\WINNT\system32\dealhelper.exe
    O4 - HKLM\..\Run: [secure] C:\WINNT\system32\secure.exe
    O4 - HKLM\..\Run: [popuppers] C:\WINNT\newpop63.exe
    O4 - HKLM\..\Run: [Dvx] C:\WINNT\system32\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\Run: [vmss] C:\WINNT\system32\vmss\vmss.exe
    O4 - HKLM\..\Run: [s72T3tj] webtils.exe

    O4 - HKCU\..\Run: [dwt3RjH2X] vkvmsman.exe
    O4 - HKCU\..\Run: [Ltho] C:\Documents and Settings\Owner\Application Data\dees.exe
    O4 - HKCU\..\Run: [prutnct] C:\WINNT\system32\prutnct.exe

    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE

    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.popuppers.com

    O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/d...MARKETING10.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...up1.0.0.8-2.cab

    O16 - DPF: {A23D7C20-CABA-11CF-A5D4-00AA00A47DD2} - http://www.bakers.com/Default.htm

    O16 - DPF: {FDCC1518-6A63-11D9-AAC8-91EC5E497716} - http://www.ouchvideo.com/mmviewer_emg11.cab

    O23 - Service: ZESOFT - Unknown - C:\WINNT\zeta.exe (file missing)


    now run killbox and paste each of these lines into the box, select delete on reboot then press the red X button,say yes to the prompt but say NO to reboot now then continue to paste the lines in in turn and follow the above procedure every time, DO NOT let it reboot yet

    C:\WINNT\zeta.exe
    C:\WINNT\system32\prutnct.exe
    C:\Documents and Settings\Owner\Application Data\dees.exe
    C:\WINNT\system32\vkvmsman.exe
    C:\WINNT\system32\webtils.exe
    C:\WINNT\system32\vmss\vmss.exe
    C:\WINNT\system32\wsxsvc\wsxsvc.exe
    C:\WINNT\newpop63.exe
    C:\WINNT\system32\secure.exe
    C:\WINNT\system32\dealhelper.exe
    C:\Program Files\Bpt\bpt.exe
    C:\WINNT\system32\dmvlite.exe
    C:\WINNT\system32\cgpt\klvd.exe
    C:\WINNT\system32\wqkxcd\nyaj.exe
    C:\WINNT\system32\ikwkdvj\ctni.exe
    C:\WINNT\system32\rxwof\stbotvwh.exe
    C:\WINNT\system32\niaqy\quuevea.exe
    c:\winnt\system32\vkvxkcm.exe
    C:\Program Files\E2G\IeBHOs.dll
    C:\WINNT\system32\xfjevkfp\qmptfmtq.dll


    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    then delete these folders

    C:\Program Files\MyWebSearch
    C:\WINNT\system32\vmss\
    C:\WINNT\system32\wsxsvc\
    C:\Program Files\Bpt\
    C:\WINNT\system32\cgpt\
    C:\WINNT\system32\wqkxcd\
    C:\WINNT\system32\ikwkdvj\
    C:\WINNT\system32\rxwof\
    C:\WINNT\system32\niaqy\
    C:\Program Files\E2G\
    C:\WINNT\system32\xfjevkfp\


    then Go to Start > Run and type %temp% in the Run box, press OK . The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of that Temp folder.


    1) Open Control Panel
    2) Click on Internet Options
    3) On the General Tab, in the middle of the screen, click on Delete Files
    4) You may also want to check the box "Delete all offline content"
    5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
    6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

    Now REBOOT

    then
    Run adaware

    Download and unzip or install this program/application if you haven't already got it. If you have it, then make sure it is updated and configured as described

    AdAware SE from http://www.lavasoft.de/support/download
    and while you are at the adaware site download and install http://www.lavasoft.de/software/addons/vx2cleaner.shtml
    and run it before the main adaware scan and follow it's directions
    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
    the current ref file should read at least SE1R26 25.01.2005 or a higher number/later date

    Set up the Configurations as follows:

    General Button
    Safety:
    Check (Green) all three.

    Click on "Proceed"

    Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

    Click on "Scan Now"

    Run the scanner using the Full Scan (Perform full system scan) mode.

    When scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose"select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.

    Before scanning with adaware open adaware and click status and then click open ignore list, select everything on the ignore list and then click remove then restart adaware ( one of the pests you have does this to all security software inluding adaware & spybot, so if you also use spoybot do the same for that and remove everythung from the ignore or exclude list)
    NOW REBOOT

    download http://www.mvps.org/winhelp2002/DelDomains.inf and place it on desktop
    right click the file and select install, that will reset the trusted zone domains that have been wrongly placed there

    Run an online antivirus check from
    http://housecall.trendmicro.com/

    Make sure autoclean is ticked

    reboot again

    These hijackers are known to alter or delete certain files so check this out please:

    Download the Hoster from here . UnZip the file and run hoster then press "Restore Original Hosts" and press "OK". Exit Program.

    Then post a new hijackthis log to check please
     
  14. maspears

    maspears Thread Starter

    Joined:
    Feb 4, 2005
    Messages:
    65
    Ok, I did everything you said to do in the last post...here is the latest HJT scan log:

    Logfile of HijackThis v1.99.0
    Scan saved at 3:04:02 PM, on 2/5/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\drivers\dcfssvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\SK9910DM.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\WINNT\System32\igfxtray.exe
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\PhoneTools\CapFax.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    C:\WINNT\System32\HPZipm12.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\hijack\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.snip.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SNiP
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.snip.net
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{53D3551A-D509-4AC5-892D-2FA3F9F55AE4}: NameServer = 209.204.64.2 209.204.64.3
    O17 - HKLM\System\CS1\Services\Tcpip\..\{53D3551A-D509-4AC5-892D-2FA3F9F55AE4}: NameServer = 209.204.64.2 209.204.64.3
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINNT\system32\drivers\dcfssvc.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
    O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


    Are we getting close?
     
  15. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    It looks good

    No obvious signs of anything now

    Did adaware run and manage to find anything

    I would also do this

    Turn off system restore by following instructions here
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039
    That will purge the restore folder and clear any malware that has been put in there. Then reboot & then re-enable sytem restore & create a new restore point.

    go here http://forums.techguy.org/t208517/s.html for info on how to tighten your security settings and how to help prevent future attacks.

    and then

    Download and install the Micro$oft antispyware BETA from http://www.microsoft.com/athome/security/spyware/software/default.mspx and let it fix anything it finds (when it finds things, please quarantine them rather than delete just in case as it is a beta and occasional False positives happen)

    First press file and check for updates and then run it

    Recent tests suggest that a combination of Adaware & M$AS removes approx 80% of spywares/Adwares, much higher than any other combination

    If you have any more problems post back
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/326625

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice