
My hijack this log... (keep getting weird things installed)

Discussion in 'Virus & Other Malware Removal' started by camrael, Sep 12, 2003.

Thread Status:
Not open for further replies.
  1. camrael

    camrael Thread Starter

    Joined:
    Sep 12, 2003
    Messages:
    10
    My log... In a moment of weakness I installed some MP3 ripping shareware... :(


    Logfile of HijackThis v1.97.1
    Scan saved at 11:59:36 PM, on 9/11/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\spoolsv.exe
    E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    E:\WINDOWS\Explorer.EXE
    E:\WINDOWS\System32\TrayIcon.exe
    E:\Program Files\Common Files\Symantec Shared\ccApp.exe
    E:\WINDOWS\System32\CTHELPER.EXE
    E:\Program Files\PestPatrol\PPControl.exe
    E:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    E:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    E:\Program Files\Microsoft Hardware\Mouse\point32.exe
    E:\Program Files\Common Files\Real\Update_OB\realsched.exe
    E:\WINDOWS\System32\taskswitch.exe
    E:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    E:\WINDOWS\System32\rundll32.exe
    E:\WINDOWS\System32\RUNDLL32.EXE
    E:\WINDOWS\System32\cisvc.exe
    E:\Program Files\Norton AntiVirus\navapsvc.exe
    E:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    E:\WINDOWS\System32\nvsvc32.exe
    E:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
    E:\Program Files\Internet Explorer\iexplore.exe
    E:\WINDOWS\System32\cidaemon.exe
    E:\Documents and Settings\Cameron\Desktop\HijackThis.exe
    E:\Program Files\Messenger\msmsgs.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {A85C4A1B-BD36-44E5-A70F-8EC347D9B24F} - E:\WINDOWS\bs3.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\windows\googletoolbar.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\windows\googletoolbar.dll
    O3 - Toolbar: (no name) - {E9407738-A996-421A-A309-5C93C699E10A} - (no file)
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [DisplayTrayIcon] E:\WINDOWS\System32\TrayIcon.exe
    O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "E:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] E:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [PestPatrol Control Center] E:\Program Files\PestPatrol\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] E:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] E:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [CoolSwitch] E:\WINDOWS\System32\taskswitch.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [AdaptecDirectCD] E:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [Bsx3] RunDLL32.EXE E:\WINDOWS\bs3.dll,DllRun
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe E:\WINDOWS\System32\stlbdist.DLL,DllRunMain
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O8 - Extra context menu item: &Google Search - res://E:\WINDOWS\GoogleToolbar.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://E:\WINDOWS\GoogleToolbar.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://E:\WINDOWS\GoogleToolbar.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://E:\WINDOWS\GoogleToolbar.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://E:\WINDOWS\GoogleToolbar.dll/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {11B2C0D3-DFFB-11D3-9253-00500498D7E2} (ShowSetupObj2 Class) - http://invite.mshow.com/ShowSetup2.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0244a7e4cffdfe430500/netzip/RdxIE601.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37737.6631481481
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3A661826-AB2A-49DA-803E-FCB65F8C3C57}: NameServer = 192.168.1.1
     
  2. Topkat

    Topkat

    Joined:
    Aug 10, 2003
    Messages:
    401
    The first thing I spotted seems to be the SOBIG.E virus, I think?

    Do an online scan here:
    http://housecall.trendmicro.com/

    See what shows up and remove anything if necessary.
    There's a bit to do so I hope you have some spare time!

    Then Go here http://www.lavasoftusa.com/software/adaware/ and download Adaware 6

    Install the program and launch it.

    I strongly recommend that you read the help file to familiarize yourself with the program.

    Before running the scan look at the top of the main window and you will see a Gear Icon. This is where you configure the settings. Click on that and then in the next window that pops up click on the "Scanning" tab on the left side. Under "Drives and Folders" put a check by "Scan within archives" and below that under "Memory and Registry" put a check by all the options there.
    Then click on the "Tweak" tab and under "Scanning engine" put a check by "Unload recognized processes during scanning". Then under "Cleaning engine" put a check by "Automatically try to unregister objects prior to deletion" and "Let windows remove files in use at next reboot", then click "Proceed".

    Next, in the main window look in the bottom right corner and click on "Check for updates now" and get the latest reference files.
    After getting the latest reference files you are ready to scan.

    Click "Start" and in the next window make sure "Active in depth scanning" is checked then click "Next" and the scan will begin.

    When it is finished let it fix everything it finds.

    Restart your computer.

    Then go here http://spybot.eon.net.au/index.php?...p;page=download and download Spybot.

    Install the program and launch it.

    Before scanning press "Online" and "Search for Updates".

    Put a check mark by all updates and install them.

    Click "Check for Problems" and when the scan is finished let Spybot fix/remove all it finds.

    Restart your computer.

    Be sure and take advantage of the "Immunize" feature in Spybot.

    Finally go here http://www.net-integration.net/cgi-...=ST;f=38;t=3051 for info on how this happens and how to prevent future attacks.
    On this page you will find a link to Javacool's SpywareBlaster. Get it and check for updates frequently.
    The Immunize feature in Spybot used in conjunction with SpywareBlaster and weekly scans with Spybot and Adaware will go a long way toward keeping you spyware free.

    IMPORTANT!: Always check for updated detections and reference files before scanning with Spybot and Adaware.


    When you've finished with all that do another HT scan and post it back in this thread, and let us see if everything has worked out.
     
  3. Topkat

    Topkat

    Joined:
    Aug 10, 2003
    Messages:
    401
    Here's the link to the SoBig.E removal tool if it's there as I suspect.
     
  4. camrael

    camrael Thread Starter

    Joined:
    Sep 12, 2003
    Messages:
    10
    Thank you!

    I do run anti-virus software with daily scans (I use Norton 2003) and daily updates; I also use Pest Patrol.

    My main problem is using Kazaa Lite and downloading from Kazaa...

    I think I may have to stop that, since I don't check email on this computer.

    Anyways, I am running a Trend Micro scan now, and have also installed Ad-aware for the next step.
     
  5. camrael

    camrael Thread Starter

    Joined:
    Sep 12, 2003
    Messages:
    10
    Ok, I ran a virus scan and several HijackThis scans, cleaned a few things for Ezula, Bargain.exe etc., also purchased Ad-aware Plus and scanned several times, cleaning each time...

    Here are both the StartupList report and the latest HijackThis report.

    Thanks!


    ===========





    StartupList report, 9/12/2003, 8:30:32 AM
    StartupList version: 1.52
    Started from : E:\Documents and Settings\Cameron\Desktop\HijackThis.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\spoolsv.exe
    E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    E:\WINDOWS\Explorer.EXE
    E:\WINDOWS\System32\TrayIcon.exe
    E:\Program Files\Common Files\Symantec Shared\ccApp.exe
    E:\WINDOWS\System32\CTHELPER.EXE
    E:\Program Files\PestPatrol\PPControl.exe
    E:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    E:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    E:\Program Files\Microsoft Hardware\Mouse\point32.exe
    E:\WINDOWS\System32\taskswitch.exe
    E:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    E:\WINDOWS\uptodate.exe
    E:\WINDOWS\System32\RUNDLL32.EXE
    E:\Program Files\MSN Messenger\MsnMsgr.Exe
    E:\PROGRA~1\ezula\mmod.exe
    E:\WINDOWS\System32\cisvc.exe
    E:\Program Files\Norton AntiVirus\navapsvc.exe
    E:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    E:\WINDOWS\System32\nvsvc32.exe
    E:\Documents and Settings\Cameron\Desktop\HijackThis.exe
    E:\Program Files\Messenger\msmsgs.exe
    E:\WINDOWS\System32\cidaemon.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = E:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    nForce Tray Options = sstray.exe /r
    NvCplDaemon = RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
    nwiz = nwiz.exe /install
    DisplayTrayIcon = E:\WINDOWS\System32\TrayIcon.exe
    ccApp = "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    ccRegVfy = "E:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    Advanced Tools Check = E:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    WINDVDPatch = CTHELPER.EXE
    PestPatrol Control Center = E:\Program Files\PestPatrol\PPControl.exe
    PPMemCheck = E:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    CookiePatrol = E:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    POINTER = point32.exe
    QuickTime Task = "E:\Program Files\QuickTime\qttask.exe" -atboottime
    NeroCheck = E:\WINDOWS\System32\NeroCheck.exe
    CoolSwitch = E:\WINDOWS\System32\taskswitch.exe
    CTHelper = CTHELPER.EXE
    AsioReg = REGSVR32.EXE /S CTASIO.DLL
    AdaptecDirectCD = E:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    mmtask = c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    EbatesMoeMoneyMaker = javaw -cp "E:\Program Files\EbatesMoeMoneyMaker\System\Code" Main lp: "E:\Program Files\EbatesMoeMoneyMaker"
    RunWindowsUpdate = E:\WINDOWS\uptodate.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    NvMediaCenter = RUNDLL32.EXE E:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    MsnMsgr = "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

    --------------------------------------------------

    Shell & screensaver key from E:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=E:\WINDOWS\System32\3DWIND~1.SCR
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - E:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - e:\windows\googletoolbar.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
    NAV Helper - E:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Norton AntiVirus - Scan my computer.job
    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [ShowSetupObj2 Class]
    InProcServer32 = E:\WINDOWS\Downloaded Program Files\ShowSetup2.dll
    CODEBASE = http://invite.mshow.com/ShowSetup2.dll

    [{41F17733-B041-4099-A042-B518BB6A408C}]
    CODEBASE = http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe

    [RdxIE Class]
    InProcServer32 = E:\WINDOWS\Downloaded Program Files\RdxIE.dll
    CODEBASE = http://207.188.7.150/0244a7e4cffdfe430500/netzip/RdxIE601.cab

    [HouseCall Control]
    InProcServer32 = E:\WINDOWS\DOWNLO~1\xscan53.ocx
    CODEBASE = http://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab

    [{8EDAD21C-3584-4E66-A8AB-EB0E5584767D}]
    CODEBASE = http://toolbar.google.com/data/GoogleActivate.cab

    [Update Class]
    InProcServer32 = E:\WINDOWS\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37737.6631481481

    [Shockwave Flash Object]
    InProcServer32 = E:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: E:\WINDOWS\system32\SHELL32.dll
    CDBurn: E:\WINDOWS\system32\SHELL32.dll
    WebCheck: E:\WINDOWS\System32\webcheck.dll
    SysTray: E:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 6,510 bytes
    Report generated in 0.032 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  6. camrael

    camrael Thread Starter

    Joined:
    Sep 12, 2003
    Messages:
    10
    Logfile of HijackThis v1.97.1
    Scan saved at 8:31:30 AM, on 9/12/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\spoolsv.exe
    E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    E:\WINDOWS\Explorer.EXE
    E:\WINDOWS\System32\TrayIcon.exe
    E:\Program Files\Common Files\Symantec Shared\ccApp.exe
    E:\WINDOWS\System32\CTHELPER.EXE
    E:\Program Files\PestPatrol\PPControl.exe
    E:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    E:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    E:\Program Files\Microsoft Hardware\Mouse\point32.exe
    E:\WINDOWS\System32\taskswitch.exe
    E:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    E:\WINDOWS\uptodate.exe
    E:\WINDOWS\System32\RUNDLL32.EXE
    E:\Program Files\MSN Messenger\MsnMsgr.Exe
    E:\PROGRA~1\ezula\mmod.exe
    E:\WINDOWS\System32\cisvc.exe
    E:\Program Files\Norton AntiVirus\navapsvc.exe
    E:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    E:\WINDOWS\System32\nvsvc32.exe
    E:\Documents and Settings\Cameron\Desktop\HijackThis.exe
    E:\WINDOWS\System32\cidaemon.exe
    E:\WINDOWS\System32\notepad.exe
    E:\Program Files\Internet Explorer\iexplore.exe
    E:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\windows\googletoolbar.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\windows\googletoolbar.dll
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [DisplayTrayIcon] E:\WINDOWS\System32\TrayIcon.exe
    O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "E:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] E:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [PestPatrol Control Center] E:\Program Files\PestPatrol\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] E:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] E:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [CoolSwitch] E:\WINDOWS\System32\taskswitch.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [AdaptecDirectCD] E:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [EbatesMoeMoneyMaker] javaw -cp "E:\Program Files\EbatesMoeMoneyMaker\System\Code" Main lp: "E:\Program Files\EbatesMoeMoneyMaker"
    O4 - HKLM\..\Run: [RunWindowsUpdate] E:\WINDOWS\uptodate.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O8 - Extra context menu item: &Google Search - res://E:\WINDOWS\GoogleToolbar.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://E:\WINDOWS\GoogleToolbar.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://E:\WINDOWS\GoogleToolbar.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://E:\WINDOWS\GoogleToolbar.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://E:\WINDOWS\GoogleToolbar.dll/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {11B2C0D3-DFFB-11D3-9253-00500498D7E2} (ShowSetupObj2 Class) - http://invite.mshow.com/ShowSetup2.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0244a7e4cffdfe430500/netzip/RdxIE601.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37737.6631481481
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3A661826-AB2A-49DA-803E-FCB65F8C3C57}: NameServer = 192.168.1.1
     
  7. Topkat

    Topkat

    Joined:
    Aug 10, 2003
    Messages:
    401
    Although a lot of the rubbish has gone from your 2nd log, that virus is still there. Although it's not the actual SoBig.E virus itself as I suspected, it is a virus related to it, and needs to be removed.
    Use the removal tool I posted to be on the safe side.

    I have also found a BrowserAid parasite.

    Run HijackThis again and put a check by these. Close all browser windows and click "Fix checked".

    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [RunWindowsUpdate] E:\WINDOWS\uptodate.exe

    Then reboot in safe mode (press F8 during start-up) and delete these items:

    c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    E:\WINDOWS\uptodate.exe


    Here's some info on both items if you're interested:
    mmtask.exe: added as a result of a VIRUS related to the SOBIG.E VIRUS!
    RunWindowsUpdate (uptodate.exe): BrowserAid/BrowserPal foistware
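    The checks Topkat did by eye above (an entry running from c: while Windows lives on E:, a file sitting loose in the Windows folder, entries that vanished or appeared between the two scans) can be scripted. The block below is an added example, not part of this thread and not part of HijackThis: it parses the O4 lines of two logs, diffs them, and flags entries for a human to look at. The sample lines are excerpts copied from the two logs camrael posted; the heuristics are the example's own and are review prompts, not verdicts.

```python
"""Triage HijackThis O4 (Run key) entries: diff two scans and flag entries for review."""
import re
from typing import Dict, List, Optional

# Constructed sample: excerpts copied from the two HijackThis logs posted in this thread
# (9/11/2003 scan and 9/12/2003 re-scan), trimmed to one process line and a few O4 lines.
LOG_BEFORE = r"""
E:\WINDOWS\System32\smss.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Bsx3] RunDLL32.EXE E:\WINDOWS\bs3.dll,DllRun
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe E:\WINDOWS\System32\stlbdist.DLL,DllRunMain
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"""

LOG_AFTER = r"""
E:\WINDOWS\System32\smss.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker] javaw -cp "E:\Program Files\EbatesMoeMoneyMaker\System\Code" Main lp: "E:\Program Files\EbatesMoeMoneyMaker"
O4 - HKLM\..\Run: [RunWindowsUpdate] E:\WINDOWS\uptodate.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"""

# "O4 - <hive>\..\Run: [<value name>] <command>"
O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.*)$', re.M)
# The Windows directory is recoverable from the smss.exe line under "Running processes"
SMSS_RE = re.compile(r'^([A-Za-z]:\\[^\\\s]+)\\System32\\smss\.exe$', re.M | re.I)
# A drive-rooted path (spaces allowed, ends at the first .exe/.dll/.scr) or a bare file name
PATH_RE = re.compile(r'([A-Za-z]:\\[^",]*?\.(?:exe|dll|scr)|[\w~-]+\.(?:exe|dll|scr))', re.I)
HOST_PROCESSES = {"rundll32.exe", "regsvr32.exe"}  # they load the DLL given as argument
GUID_RE = re.compile(r'^\{[0-9A-F-]{36}\}$', re.I)


def windows_dir(log_text: str) -> Optional[str]:
    """Recover the Windows directory (e.g. E:\\WINDOWS) from the process list."""
    m = SMSS_RE.search(log_text)
    return m.group(1) if m else None


def parse_o4(log_text: str) -> Dict[str, dict]:
    """Map each Run-key value name to its hive and command line."""
    return {name: {"hive": hive, "command": cmd} for hive, name, cmd in O4_RE.findall(log_text)}


def target_path(command: str) -> Optional[str]:
    """The file an entry really runs; for rundll32/regsvr32 that is the DLL argument."""
    found = PATH_RE.findall(command)
    if not found:
        return None
    if len(found) > 1 and found[0].rsplit("\\", 1)[-1].lower() in HOST_PROCESSES:
        return found[1]
    return found[0]


def review_flags(name: str, command: str, win_dir: str) -> List[str]:
    """Heuristic reasons to look twice at an entry (prompts for review, not verdicts)."""
    flags = []
    if GUID_RE.match(name):
        flags.append("GUID used as value name")
    target = target_path(command)
    if target is None:
        flags.append("no executable or DLL path in command")
        return flags
    if ":\\" in target and target[:2].lower() != win_dir[:2].lower():
        flags.append(f"runs from drive {target[:2]} while Windows is on {win_dir[:2]}")
    parent = target.rsplit("\\", 1)[0] if "\\" in target else ""
    if parent.lower() == win_dir.lower():
        flags.append("file sits directly in the Windows folder, not System32 or Program Files")
    return flags


def diff_runs(before: str, after: str) -> Dict[str, List[str]]:
    """Run entries that disappeared between two scans, and ones that are new."""
    b, a = parse_o4(before), parse_o4(after)
    return {"removed": sorted(set(b) - set(a)), "added": sorted(set(a) - set(b))}


def triage(log_text: str) -> Dict[str, List[str]]:
    """Value name -> review flags, for every flagged O4 entry in one log."""
    win = windows_dir(log_text) or "C:\\WINDOWS"  # assumed default if the process list is missing
    out = {}
    for name, entry in parse_o4(log_text).items():
        flags = review_flags(name, entry["command"], win)
        if flags:
            out[name] = flags
    return out


if __name__ == "__main__":
    changes = diff_runs(LOG_BEFORE, LOG_AFTER)
    print("removed since first scan:", changes["removed"])
    print("new since first scan:    ", changes["added"])
    for name, flags in triage(LOG_AFTER).items():
        print(f"[{name}] " + "; ".join(flags))
```

Run against the second log, the diff shows that the bs3.dll and stlbdist.DLL entries are gone and that EbatesMoeMoneyMaker and RunWindowsUpdate are new, and the triage flags exactly the two entries Topkat asked to have fixed (mmtask on the wrong drive, uptodate.exe loose in E:\WINDOWS) plus the Ebates entry, whose command launches nothing recognisable as an executable. The host-process rule matters: without it a rundll32 entry would always look like a harmless system binary instead of the DLL it is told to load.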
     
  8. camrael

    camrael Thread Starter

    Joined:
    Sep 12, 2003
    Messages:
    10
    Thanks, will look into this...
     
  9. normmork

    normmork

    Joined:
    Oct 4, 2002
    Messages:
    76
    BTW, if you are using Kazaa then you will also have loaded all the other programs with it. Ad-aware will always find objects that you will have to Ignore.

    You might want to try WinMX and Shareaza.
     
  10. camrael

    camrael Thread Starter

    Joined:
    Sep 12, 2003
    Messages:
    10
    I am using Kazaa Lite, which I thought was better... I get a lot of virus warnings when downloading various apps... I think I will simply stop this and uninstall file sharing apps.
     
  11. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Add this one:
    O4 - HKLM\..\Run: [EbatesMoeMoneyMaker] javaw -cp "E:\Program Files\EbatesMoeMoneyMaker\System\Code" Main lp: "E:\Program Files\EbatesMoeMoneyMaker"

    and this one:
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0244a7e4cffdfe...ip/RdxIE601.cab

    Nothing wrong with Kazaa Lite... I use it all the time and I wouldn't if there were any security risks... scan all downloads for viruses.

    And I don't see a firewall running; you NEED one.
    ;)
     
  12. camrael

    camrael Thread Starter

    Joined:
    Sep 12, 2003
    Messages:
    10
    I use a hardware-based firewall using NAT; should I also run something like the XP built-in firewall, or something like ZoneAlarm etc.?
     
  13. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    No... the hardware firewall is fine... the XP one is not much good.

    Is all OK now?
     
  14. camrael

    camrael Thread Starter

    Joined:
    Sep 12, 2003
    Messages:
    10
    Gonna fix it tonight after I get home :)
     
  15. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
Short URL to this thread: https://techguy.org/164187

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice