Help Please

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

garymalibog

Thread Starter
Joined
Jan 19, 2005
Messages
24
Here is a copy of my HJT log. I have run AVG, S&D & Adaware...
Where are all these changes continually coming from? Any ideas?

Logfile of HijackThis v1.99.1
Scan saved at 3:32:17 PM, on 6/07/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\Security\AVG\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\System32\winldra.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\SKYPE\Phone\Skype.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Security\Kremlin\Kremlin Sentry.exe
C:\PROGRA~1\Security\AVG\avgamsvr.exe
C:\PROGRA~1\Security\AVG\avgupsvc.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Security\MSAntispy\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Security\HiJackThis\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Security\Spybot\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Security\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Security\MSAntispy\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Skype] "C:\Program Files\SKYPE\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - Startup: Kremlin Sentry.LNK = C:\Program Files\Security\Kremlin\Kremlin Sentry.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120410371968
O16 - DPF: {9F9D249E-A410-40BB-8CEB-0956D2B7D79B} (ClientAX Control) - http://www.camguest.com/activex/ClientAX.ocx
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/hVideoContol.cab
O16 - DPF: {BAA2D792-6F4E-4BCC-B7A0-24E19B2A9BA1} (Eyeball Video Mail Control) - http://imlive.com/ChatSource/hVideoContol.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Security\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Security\AVG\avgupsvc.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
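The question in the post ("where are these changes coming from") is what a log like this is read for, and two of its lines answer it by position alone: svchost.exe running from C:\WINDOWS instead of C:\WINDOWS\System32, and an O23 service ("moto") whose owner HijackThis cannot identify. The following Python is an added example, not code from the thread, from HijackThis or from its helper: it applies those two positional checks to a log and compares two logs to show which findings survived a cleanup. The set of System32-only binaries, the path regex and the log excerpts embedded below (constructed from lines that appear in the thread's two logs, not the full logs) are this example's own assumptions. It deliberately does not catch winldra.exe or kernels32.exe, which only a signature scan identifies; path-position checks complement a scanner, they do not replace it.

```python
"""Triage a HijackThis 1.99.1 log for the two red flags visible in the thread.

Added example: this is not HijackThis code and not something the thread's
helper posted. Two heuristics, both grounded in the posted logs:
  1. a core Windows binary name (svchost.exe, winlogon.exe, ...) running
     from any directory other than %SystemRoot%\\System32 (the log shows
     C:\\WINDOWS\\svchost.exe, later identified by Panda as CWS.Yexe);
  2. an O23 service line whose owner HijackThis reports as "Unknown owner".
A third function compares two logs so you can see which flagged items
survived a cleanup pass.
"""
import re
from typing import List, Tuple

# On Windows XP these binaries live only in %SystemRoot%\System32 (no SysWOW64
# on a 32-bit install). The same name anywhere else is a masquerade.
# Assumed list for this example; extend it for other Windows versions.
SYSTEM32_ONLY = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe",
}

# Drive-letter path up to the first executable/library extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx)\b", re.IGNORECASE)

Finding = Tuple[str, str]  # (rule, offending log line)


def masquerade(path: str) -> bool:
    """True when the file name is a core binary but its folder is not System32."""
    p = path.lower().replace("/", "\\")
    directory, _, name = p.rpartition("\\")
    return name in SYSTEM32_ONLY and not directory.endswith("\\system32")


def triage(log: str) -> List[Finding]:
    """Scan every line of a HijackThis log and return (rule, line) findings."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if any(masquerade(p) for p in PATH_RE.findall(line)):
            findings.append(("core-binary-outside-system32", line))
        if line.startswith("O23 - ") and "Unknown owner" in line:
            findings.append(("service-unknown-owner", line))
    return findings


def persistent(before: str, after: str) -> List[Finding]:
    """Findings present in both logs: what the cleanup pass did not remove."""
    earlier = set(triage(before))
    return [f for f in triage(after) if f in earlier]


# Constructed excerpts of the two logs posted in the thread (a handful of
# lines each, enough to exercise the rules), not the full logs.
LOG_BEFORE = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\winldra.exe
C:\WINDOWS\svchost.exe

O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Security\AVG\avgupsvc.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe
"""

LOG_AFTER = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\svchost.exe

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe
"""

if __name__ == "__main__":
    for rule, line in persistent(LOG_BEFORE, LOG_AFTER):
        print(f"{rule}: {line}")
```

Run against the two excerpts, the three persistent findings are exactly the items the helper later sends to Killbox and HijackThis: the rogue process and the "moto" service, both backed by C:\WINDOWS\svchost.exe.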
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
119,126
Go here to download CCleaner.
  • Install CCleaner
  • Launch CCleaner and look in the upper right corner and click on the "Options" button.
  • Click "Advanced" and remove the check by "Only delete files in Windows temp folders older than 48 hours".
  • Click OK
  • Do not run CCleaner yet. You will run it later in safe mode.


Download the trial version of Ewido Security Suite here.
  • Install ewido.
  • During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido
  • It will prompt you to update; click the OK button and it will go to the main screen
  • On the left side of the main screen click update
  • Click on Start and let it update.
  • DO NOT run a scan yet. You will do that later in safe mode.

Click here for info on how to boot to safe mode if you don't already know how.


Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.


Restart your computer into safe mode now. Perform the following steps in safe mode:


* Run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop.

* Start CCleaner and click Run Cleaner.

* Restart back into Windows normally now.

* Do a couple of on-line virus scans at these links:
  • Housecall
  • Panda Active Scan. Be sure to save the log it creates.

* Come back here and post a new HijackThis log, as well as the logs from the Ewido and Panda scans.
 

garymalibog

Thread Starter
Joined
Jan 19, 2005
Messages
24
Finally managed to get back online.

Done as instructed here are the logs
Panda YIKES !!!
Incident Status Location

Adware:Adware/CWS.Yexe No disinfected C:\WINDOWS\svchost.exe
Spyware:Spyware/ISTbar No disinfected C:\Program Files\Daily Weather Forecast
Adware:Adware/CWS No disinfected Windows Registry
Adware:Adware/CWS.Yexe No disinfected C:\WINDOWS\svchost.exe
Adware:Adware/ILookup No disinfected C:\Documents and Settings\Gary\Favorites\Gambling
Adware:Adware/WUpd No disinfected C:\WINDOWS\Downloaded Program Files\PrevAdX.dll
Adware:Adware/ExactSearch No disinfected Windows Registry
Adware:Adware/AzeSearch No disinfected C:\WINDOWS\System32\ztoolbar.bmp
Virus:Bck/Dumador.O Disinfected Operating system
Adware:Adware/Adsmart No disinfected C:\WINDOWS\System32\vx.tll
Virus:Exploit/LoadImage Disinfected C:\Documents and Settings\Games\Local Settings\Temporary Internet Files\Content.IE5\J2700WYD\sploit[1].anr
Virus:Exploit/LoadImage Disinfected C:\Documents and Settings\Games\Local Settings\Temporary Internet Files\Content.IE5\XM0I7B34\sploit[1].anr
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Gary\Favorites\Leisure\Anime sites.url
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Gary\Favorites\Leisure\Dating online.url
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Gary\Favorites\Leisure\Favourite Web Cams.url
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Gary\Favorites\Leisure\Flowers online.url
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Gary\Favorites\Leisure\Home Business.url
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Gary\Favorites\Leisure\Latest movies.url
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Gary\Favorites\Leisure\Mobile ringtones.url
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Gary\Favorites\Leisure\MP3 Archives.url
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Gary\Favorites\Leisure\Music store.url
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Gary\Favorites\Leisure\My horoscope.url
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Gary\Favorites\Leisure\Online books market.url
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Gary\Favorites\Leisure\Online shopping.url
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Gary\Favorites\Leisure\Play online games.url
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Gary\Favorites\Leisure\Swingers Evenings.url
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Gary\Favorites\Leisure\Tabloids.url
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Gary\Favorites\Leisure\Top rated video games.url
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Gary\Favorites\Leisure\World Travels.url
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Gary\Favorites\Security\Check new antiviruses.url
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Gary\Favorites\Security\Data encryption.url
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Gary\Favorites\Security\Free virus scan.url
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Gary\Favorites\Security\Mail worms.url
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Gary\Favorites\Security\PopUp Blocker.url
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Gary\Favorites\Security\Protect your finances.url
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Gary\Favorites\Security\Read about new viruses.url
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Gary\Favorites\Security\Your personal firewall.url
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Gary\Favorites\Sports\Auto racing.url
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Gary\Favorites\Sports\Baseball news.url
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Gary\Favorites\Sports\Basketball news.url
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Gary\Favorites\Sports\Billiard.url
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Gary\Favorites\Sports\Foosball.url
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Gary\Favorites\Sports\Football news.url
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Gary\Favorites\Sports\Hockey news.url
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Gary\Favorites\Sports\Make a bet.url
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Gary\Favorites\Sports\Water sport.url
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\Gary\Favorites\Sports\Winter sport.url
Virus:Trj/Downloader.DHI Disinfected C:\Documents and Settings\Gary\Local Settings\Temp\5.qtdfmp
Adware:Adware/AzeSearch No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\7OKPLH6F\loadppc[1].exe
Virus:Trj/Downloader.DIU Disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CDA3T3LJ\load01[1].exe
Spyware:Spyware/ISTbar No disinfected C:\Program Files\Daily Weather Forecast\weather.exe
Adware:Adware/PopCapLoader No disinfected C:\Program Files\Security\HiJackThis\backups\backup-20050424-152007-798.inf
Adware:Adware/RazeSpyware No disinfected C:\Program Files\Security\MSAntispy\Quarantine\0B23CF68-66D1-4E62-B7BD-94F83C\07921439-9C93-4566-A99C-650C87
Adware:Adware/AzeSearch No disinfected C:\Program Files\Security\MSAntispy\Quarantine\5A436FC3-35F6-4A0D-8312-09A7F0\46E7F643-F4B9-46F5-B7CF-DB3BD9
Adware:Adware/RazeSpyware No disinfected C:\Program Files\Security\MSAntispy\Quarantine\735CF92F-34AE-4E69-B210-37B8E8\89495625-99DE-4D1E-AE05-DF0248
Adware:Adware/RazeSpyware No disinfected C:\Program Files\Security\MSAntispy\Quarantine\FFCD31B5-3AB5-49DE-ADAF-328880\9788EDE0-FCAD-46AF-95E8-DBB8CD
Adware:Adware/AzeSearch No disinfected C:\WINDOWS\blank.mht
Adware:Adware/WinAD No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\PrevAdX.dll
Adware:Adware/WinAD No disinfected C:\WINDOWS\Downloaded Program Files\PrevAdX.dll
Adware:Adware/CWS.Yexe No disinfected C:\WINDOWS\svchost.exe
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20050705-141508.backup
Adware:Adware/CWS.Loopback No disinfected C:\WINDOWS\system32\MHTA~1.EXE
Adware:Adware/Adsmart No disinfected C:\WINDOWS\system32\vx.tll
Adware:Adware/Adsmart No disinfected C:\WINDOWS\system32\vxh8jkdq1.exe
Adware:Adware/Adsmart No disinfected C:\WINDOWS\system32\vxh8jkdq6.exe
Adware:Adware/Adsmart No disinfected C:\WINDOWS\system32\vxh8jkdq8.exe
Virus:Trj/Downloader.DIU Disinfected C:\WINDOWS\system32\winspooler.exe
Adware:Adware/RazeSpyware No disinfected C:\WINDOWS\system32\ztoolb002.dll
Adware:Adware/AzeSearch No disinfected C:\WINDOWS\system32\ztoolbar.bmp
Adware:Adware/AzeSearch No disinfected C:\WINDOWS\system32\ztoolbar.xml
Adware:Adware/AzeSearch No disinfected C:\WINDOWS\zsettings.dll
Possible Virus. No disinfected E:\HjSplit\hjsplit.exe
Possible Virus. No disinfected E:\HjSplit\hjsplit.zip[hjsplit.exe]
Possible Virus. No disinfected E:\Program Files\MOVIE JOINER\rmj.exe



EWIDO:
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 5:00:49 PM, 7/07/2005
+ Report-Checksum: 918080BF
+ Scan result:
No infected objects found.
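Two lines in the Panda report above are worth more than the adware noise: Trj/Qhost.gen in C:\WINDOWS\system32\drivers\etc\hosts and in its timestamped backup. A hosts-file trojan either points a domain at an attacker's address or points security-vendor and update domains at loopback so the machine can no longer update its defences; both are plain text lines that a scanner can only partly judge. The script below is an added example, not from the thread or from Panda: it parses a hosts file and reports blackholed vendor domains and redirects. The sample hosts content is constructed for this example (it is not the file from the infected machine), and the protected-domain list is an assumption built from the products named in the thread; extend it for your own environment.

```python
"""Audit a Windows hosts file for the tampering the Panda scan reported (Trj/Qhost.gen).

Added example, not from the thread. A hosts-file trojan does one of two
things: points a domain at an attacker address (redirect), or points
security-vendor and update domains at loopback so the victim cannot update
(blackhole). Both show up as plain lines in
%SystemRoot%\\system32\\drivers\\etc\\hosts, which is why the scanner listed
that path.
"""
import ipaddress
from typing import Iterator, List, Optional, Tuple

# Hostnames that legitimately map to loopback on a stock XP hosts file.
EXPECTED_LOCAL = {"localhost"}

# Domains whose blackholing would stop AV/OS updates.
# Constructed for this example from the vendors that appear in the thread.
PROTECTED_DOMAINS = (
    "microsoft.com", "windowsupdate.com",
    "grisoft.com", "pandasoftware.com", "trendmicro.com", "ewido.net",
)

Finding = Tuple[int, str, str, str]  # (line number, severity, hostname, address)


def _under(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def parse_hosts(text: str) -> Iterator[Tuple[int, Optional[ipaddress._BaseAddress], str]]:
    """Yield (lineno, ip, hostname) per mapping; comments and blank lines skipped.

    A line whose first field is not an address is yielded with ip=None and the
    whole line as the name, so it is still reported rather than silently lost.
    """
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *hosts = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            yield lineno, None, line
            continue
        for host in hosts:
            yield lineno, ip, host.lower()


def audit_hosts(text: str) -> List[Finding]:
    """Return findings: vendor blackholes and redirects are 'high', other blackholes 'info'."""
    findings: List[Finding] = []
    for lineno, ip, host in parse_hosts(text):
        if ip is None:
            findings.append((lineno, "high", host, "unparseable"))
        elif ip.is_loopback or ip.is_unspecified:
            if host in EXPECTED_LOCAL:
                continue
            sev = "high" if any(_under(host, d) for d in PROTECTED_DOMAINS) else "info"
            findings.append((lineno, sev, host, str(ip)))
        else:
            # Any non-loopback mapping silently redirects that name.
            findings.append((lineno, "high", host, str(ip)))
    return findings


# Constructed sample, NOT the hosts file from the infected machine.
SAMPLE_HOSTS = """\
# constructed sample, not the file from the infected machine
127.0.0.1       localhost
127.0.0.1       www.grisoft.com          # blocks AVG updates
127.0.0.1       update.microsoft.com     # blocks Windows Update
0.0.0.0         ads.example.net          # ad-blocker style entry, info only
192.0.2.10      www.google.com           # redirect to a TEST-NET address
"""

if __name__ == "__main__":
    for lineno, sev, host, addr in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno} [{sev}] {host} -> {addr}")
```

Note the split between "high" and "info": ad-blocking hosts files blackhole thousands of names and are not malicious, so a loopback entry only rates high when it covers a domain the machine needs for updates. After a disinfection like the one Panda reports, re-run the audit against the live file and against any .backup copies, since the log shows the backup was infected too.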
 

garymalibog

Thread Starter
Joined
Jan 19, 2005
Messages
24
Logfile of HijackThis v1.99.1
Scan saved at 6:24:58 PM, on 7/07/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Security\AVG\avgamsvr.exe
C:\PROGRA~1\Security\AVG\avgupsvc.exe
C:\Program Files\Security\Ewido\security suite\ewidoctrl.exe
C:\Program Files\Security\Ewido\security suite\ewidoguard.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\Security\AVG\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Security\MSAntispy\gcasDtServ.exe
C:\Program Files\SKYPE\Phone\Skype.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Security\Kremlin\Kremlin Sentry.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\Program Files\Security\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optusnet.com.au/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Security\Spybot\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Security\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Security\MSAntispy\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Skype] "C:\Program Files\SKYPE\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - Startup: Kremlin Sentry.LNK = C:\Program Files\Security\Kremlin\Kremlin Sentry.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120410371968
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F9D249E-A410-40BB-8CEB-0956D2B7D79B} (ClientAX Control) - http://www.camguest.com/activex/ClientAX.ocx
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/hVideoContol.cab
O16 - DPF: {BAA2D792-6F4E-4BCC-B7A0-24E19B2A9BA1} (Eyeball Video Mail Control) - http://imlive.com/ChatSource/hVideoContol.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Security\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Security\AVG\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Security\Ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\Security\Ewido\security suite\ewidoguard.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
119,126
Click Here and download Killbox and save it to your desktop but don’t run it yet.



Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click fix checked.


O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe


Then boot to safe mode:


How to restart to safe mode


Now configure your computer to show all hidden files and folders like so:

Go to Start - Search and under "More advanced search options", make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders."

Next, click on My Computer, Go to Tools - Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders." Click "Apply" and then "OK."


Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.


C:\WINDOWS\svchost.exe

C:\WINDOWS\Downloaded Program Files\PrevAdX.dll

C:\WINDOWS\System32\ztoolbar.bmp

C:\WINDOWS\System32\vx.tll

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\7OKPLH6F\loadppc[1].exe

C:\Program Files\Daily Weather Forecast\weather.exe

C:\WINDOWS\blank.mht

C:\WINDOWS\Downloaded Program Files\CONFLICT.1\PrevAdX.dll

C:\WINDOWS\Downloaded Program Files\PrevAdX.dll

C:\WINDOWS\svchost.exe

C:\WINDOWS\system32\MHTA~1.EXE

C:\WINDOWS\system32\vx.tll

C:\WINDOWS\system32\vxh8jkdq1.exe

C:\WINDOWS\system32\vxh8jkdq6.exe

C:\WINDOWS\system32\vxh8jkdq8.exe

C:\WINDOWS\system32\ztoolb002.dll

C:\WINDOWS\system32\ztoolbar.bmp

C:\WINDOWS\system32\ztoolbar.xml

C:\WINDOWS\zsettings.dll


Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox.

Locate and delete this folder:

C:\Program Files\Daily Weather Forecast

Navigate to your favourites folder and delete all of the items mentioned in the Panda scan log.

Reboot and post another Hijack This log please.
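The Killbox list above repeats several paths (C:\WINDOWS\svchost.exe, PrevAdX.dll and vx.tll each appear twice, the last differing only in the case of System32) and some entries may already be gone, which is why the post warns that Killbox may report missing files. Before deleting, a responder normally wants a record of what was there: size and a hash, so the samples can be looked up or submitted to a vendor after the files no longer exist. The script below is an added example, not from the thread and not a Killbox feature: it deduplicates the list the way Windows would (case-insensitive, backslash-normalised) and records existence, size and SHA-256 for each unique path. The embedded list is a subset of the paths in the post, reproduced with its duplicates.

```python
"""Record evidence for a file-deletion list before running it through Killbox.

Added example, not part of the thread and not a Killbox feature. Deduplicate
the pasted list as Windows would, then record existence, size and SHA-256 for
each unique path so the hashes survive deletion.
"""
import hashlib
import os
from typing import Dict, Iterable, List, Optional, Tuple


def normalise(paths: Iterable[str]) -> List[str]:
    """Deduplicate case-insensitively, keeping the first spelling and the order."""
    seen, out = set(), []
    for p in paths:
        p = p.strip()
        if not p:
            continue
        key = p.replace("/", "\\").lower()
        if key not in seen:
            seen.add(key)
            out.append(p)
    return out


def sha256_of(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(paths: Iterable[str]) -> Dict[str, Optional[Tuple[int, str]]]:
    """Map each unique path to (size, sha256), or None if the file is absent."""
    result: Dict[str, Optional[Tuple[int, str]]] = {}
    for p in normalise(paths):
        result[p] = (os.path.getsize(p), sha256_of(p)) if os.path.isfile(p) else None
    return result


# A subset of the list from the post, with its duplicates, as pasted.
KILL_LIST = r"""
C:\WINDOWS\svchost.exe
C:\WINDOWS\Downloaded Program Files\PrevAdX.dll
C:\WINDOWS\System32\ztoolbar.bmp
C:\WINDOWS\System32\vx.tll
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\PrevAdX.dll
C:\WINDOWS\Downloaded Program Files\PrevAdX.dll
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\vx.tll
""".splitlines()

if __name__ == "__main__":
    for path, info in inventory(KILL_LIST).items():
        print(path, "MISSING" if info is None else f"{info[0]} bytes sha256={info[1]}")
```

Run it from the same safe-mode session, before Killbox, and keep the output with the HijackThis and scanner logs; a "MISSING" entry tells you in advance which Killbox prompts to expect, and a recorded hash for C:\WINDOWS\svchost.exe is what lets a later lookup confirm the CWS.Yexe identification the Panda scan gave it.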
 