
please help may have a virus

Discussion in 'Virus & Other Malware Removal' started by veribestteac, Jan 3, 2006.

  1. veribestteac

    veribestteac Thread Starter

    Joined:
    Jun 21, 2004
    Messages:
    67
    Logfile of HijackThis v1.99.1
    Scan saved at 7:30:59 AM, on 1/3/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\scvhost.exe
    C:\Program Files\Internet Optimizer\optimize.exe
    C:\Program Files\Common Files\Windows\services32.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\PROGRA~1\COMMON~1\uzrm\uzrmm.exe
    C:\PROGRA~1\COMMON~1\uzrm\uzrma.exe
    C:\WINDOWS\TWFyeSBFbGxlbiBQYXRl\command.exe
    C:\Program Files\Common Files\VCClient\VCClient.exe
    C:\Program Files\Common Files\VCClient\VCMain.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\rdso\eetu.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\webHancer\Programs\whAgent.exe
    C:\Program Files\webHancer\Programs\whSurvey.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\SYSTEM32\?ti2evxx.exe
    C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
    C:\WINDOWS\newfrn.exe
    C:\WINDOWS\system32\macromed\flash\GetFlash.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wcc.net/index2.shtml
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
    O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {C5AF2622-8C75-4dfb-9693-23AB7686A456} - C:\WINDOWS\DH.dll
    O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
    O2 - BHO: (no name) - {DC7490F9-5C1D-5CEA-1046-2950A75536C4} - C:\WINDOWS\system32\oljif.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
    O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
    O4 - HKLM\..\Run: [\SWO] C:\WINDOWS\mrjj.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
    O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
    O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
    O4 - HKLM\..\Run: [0oqw0ct0.dll] RUNDLL32.EXE 0oqw0ct0.dll,b 251281562
    O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKLM\..\Run: [noC=] C:\WINDOWS\mrjj.exe
    O4 - HKLM\..\Run: [NewFrn] C:\WINDOWS\newfrn.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - Global Startup: Image Transfer.lnk = ?
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O10 - Hijacked Internet access by WebHancer
    O10 - Hijacked Internet access by WebHancer
    O10 - Hijacked Internet access by WebHancer
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.popuppers.com
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
    O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
    O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vto_x.cab
    O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct2_x.cab
    O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
    O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
    O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
    O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
    O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
    O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
    O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132578222656
    O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
    O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1...taller_activex_en_4.60.38.0_MEGAPANEL_USA.cab
    O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D9F8B928-9CA4-41B3-8641-3101E26F7854}: NameServer = 208.6.232.10,208.6.232.12
    O20 - AppInit_DLLs: repairs302972988.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWFyeSBFbGxlbiBQYXRl\command.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe
    O23 - Service: McAfee.com Personal Firewall Service (MpfService) - McAfee.com Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    start with

    Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
    • Click the Free Trial link under "Downloads/SpySweeper" to download the program.
    • Install it. Once the program is installed, it will open.
    • It will prompt you to update to the latest definitions, click Yes.
    • Once the definitions are installed, click Options on the left side.
    • Click the Sweep Options tab.
    • Under What to Sweep please put a check next to the following:

      • Sweep Memory
      • Sweep Registry
      • Sweep Cookies
      • Sweep All User Accounts
      • Enable Direct Disk Sweeping
      • Sweep Contents of Compressed Files
      • Sweep for Rootkits
      • Please UNCHECK Do not Sweep System Restore Folder.
    • Click Sweep Now on the left side.
    • Click the Start button.
    • When it's done scanning, click the Next button.
    • Make sure everything has a check next to it, then click the Next button.
    • It will remove all of the items found.
    • Click Session Log in the upper right corner, copy everything in that window.
    • Click the Summary tab and click Finish.
    • Paste the contents of the session log you copied into your next reply.
    Also post a new Hijack This log.
     
  3. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    Before running SpySweeper

    Download this, and if you lose your internet connection after SpySweeper has done its fixes, then run it.

    Download LSPfix here: http://www.cexx.org/lspfix.htm
    Run the application. Just run it; you will see a list of files in the left-hand pane and possibly some in the right-hand pane. Do not change any of them, just tick the "I know what I'm doing" box & press Finish and the program will do anything necessary.

    ONLY run it if you lose internet connection though
     
  4. veribestteac

    veribestteac Thread Starter

    Joined:
    Jun 21, 2004
    Messages:
    67
    Logfile of HijackThis v1.99.1
    Scan saved at 7:56:51 PM, on 1/3/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINDOWS\scvhost.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\WINDOWS\system32\MsgSys.EXE
    c:\program files\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wcc.net/index2.shtml
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
    O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
    O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
    O4 - HKLM\..\Run: [0oqw0ct0.dll] RUNDLL32.EXE 0oqw0ct0.dll,b 251281562
    O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
    O4 - Global Startup: Image Transfer.lnk = ?
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.popuppers.com
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
    O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
    O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vto_x.cab
    O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct2_x.cab
    O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
    O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
    O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
    O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
    O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
    O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
    O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132578222656
    O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
    O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} - http://a14.g.akamai.net/f/14/7141/1...taller_activex_en_4.60.38.0_MEGAPANEL_USA.cab
    O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D9F8B928-9CA4-41B3-8641-3101E26F7854}: NameServer = 208.6.232.10,208.6.232.12
    O20 - Winlogon Notify: awvvt - awvvt.dll (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe
    O23 - Service: McAfee.com Personal Firewall Service (MpfService) - McAfee.com Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe



    The summary session of the Spy Sweeper is too large to post; it will not let me post it in one post. I will try it in several posts.
     
  5. veribestteac

    veribestteac Thread Starter

    Joined:
    Jun 21, 2004
    Messages:
    67
    4:39 PM: HKLM\software\microsoft\windows\currentversion\uninstall\dh\ (2 subtraces) (ID = 1057035)
    4:39 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}\ (1 subtraces) (ID = 1057038)
    4:39 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/system32/winats.dll\ (2 subtraces) (ID = 1066860)
    4:39 PM: Found Adware: commonname
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1014\software\internet keyword\ (9 subtraces) (ID = 106883)
    4:39 PM: Found Adware: bho_sep
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1014\software\sep\ (9 subtraces) (ID = 141642)
    4:39 PM: Found Adware: startpage obfuscated true-counter.com hijack
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1014\software\microsoft\internet explorer\ || search (ID = 142635)
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1014\software\microsoft\internet explorer\ || searchurl (ID = 142636)
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1014\software\microsoft\internet explorer\main\ || default_page_url (ID = 142638)
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1014\software\microsoft\internet explorer\main\ || default_search_url (ID = 142639)
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1014\software\microsoft\internet explorer\main\ || search bar (ID = 142640)
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1014\software\microsoft\internet explorer\main\ || search page (ID = 142641)
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1014\software\microsoft\internet explorer\search\ || searchassistant (ID = 142646)
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1014\software\microsoft\internet explorer\search\ || customizesearch (ID = 142647)
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1014\software\internet keyword\ (9 subtraces) (ID = 484608)
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1013\software\ie config\ (17 subtraces) (ID = 105116)
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1013\software\microsoft\windows\currentversion\404updt\ (1 subtraces) (ID = 105129)
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1013\software\microsoft\windows\currentversion\updt\ (1 subtraces) (ID = 105189)
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1013\software\{2cf0b992-5eeb-4143-99c0-5297ef71f444}\ (2 subtraces) (ID = 105190)
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1013\software\internet keyword\ (11 subtraces) (ID = 106883)
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1013\software\ist\ (1 subtraces) (ID = 129108)
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1013\software\xbtb07618\ (60 subtraces) (ID = 134858)
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1013\software\microsoft\internet explorer\toolbar\webbrowser\ || {9a9c9b68-f908-4aab-8d0c-10ea8997f37e} (ID = 135102)
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1013\software\sep\ (9 subtraces) (ID = 141642)
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1013\software\microsoft\internet explorer\ || search (ID = 142635)
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1013\software\microsoft\internet explorer\ || searchurl (ID = 142636)
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1013\software\microsoft\internet explorer\main\ || default_page_url (ID = 142638)
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1013\software\microsoft\internet explorer\main\ || default_search_url (ID = 142639)
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1013\software\microsoft\internet explorer\search\ || searchassistant (ID = 142646)
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1013\software\microsoft\internet explorer\search\ || customizesearch (ID = 142647)
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1013\software\zango\ (15 subtraces) (ID = 147919)
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1013\software\internet keyword\ (11 subtraces) (ID = 484608)
    4:39 PM: Found Adware: sidesearch
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1013\software\microsoft\internet explorer\extensions\cmdmapping\ || {000007c6-17df-4438-92a4-de5537471ba3} (ID = 530423)
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1013\software\director\ || baseurl (ID = 980277)
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1013\software\microsoft\internet explorer\extensions\cmdmapping\ || {77fbf9b8-1d37-4ff2-9ced-192d8e3aba6f} (ID = 1021025)
    4:39 PM: HKU\S-1-5-21-1870295334-3289290226-2283807818-1012\software\ie config\ (17 subtraces) (ID = 105116)
    4:39 PM: HKU\S-1-5-21-1870295334-3289290226-2283807818-1012\software\microsoft\windows\currentversion\404updt\ (1 subtraces) (ID = 105129)
    4:39 PM: HKU\S-1-5-21-1870295334-3289290226-2283807818-1012\software\avenue media\ (ID = 128887)
    4:39 PM: HKU\S-1-5-21-1870295334-3289290226-2283807818-1012\software\xbtb07618\ (61 subtraces) (ID = 134858)
    4:39 PM: HKU\S-1-5-21-1870295334-3289290226-2283807818-1012\software\microsoft\internet explorer\toolbar\webbrowser\ || {9a9c9b68-f908-4aab-8d0c-10ea8997f37e} (ID = 135102)
    4:39 PM: HKU\S-1-5-21-1870295334-3289290226-2283807818-1012\software\sep\ (9 subtraces) (ID = 141642)
    4:39 PM: HKU\S-1-5-21-1870295334-3289290226-2283807818-1012\software\microsoft\windows\currentversion\run\ || surfsidekick 3 (ID = 143403)
     
  6. veribestteac

    veribestteac Thread Starter

    Joined:
    Jun 21, 2004
    Messages:
    67
    4:39 PM: HKU\S-1-5-21-1870295334-3289290226-2283807818-1012\software\surfsidekick3\ (3 subtraces) (ID = 143412)
    4:39 PM: HKU\S-1-5-21-1870295334-3289290226-2283807818-1012\software\microsoft\internet explorer\urlsearchhooks\ || _{02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 165102)
    4:39 PM: HKU\S-1-5-21-1870295334-3289290226-2283807818-1012\software\microsoft\internet explorer\extensions\cmdmapping\ || {000007c6-17df-4438-92a4-de5537471ba3} (ID = 530423)
    4:39 PM: HKU\S-1-5-21-1870295334-3289290226-2283807818-1012\software\microsoft\internet explorer\extensions\cmdmapping\ || {77fbf9b8-1d37-4ff2-9ced-192d8e3aba6f} (ID = 1021025)
    4:39 PM: Found Trojan Horse: 2nd-thought
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1011\software\stc\ (ID = 102020)
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1011\software\ie config\ (17 subtraces) (ID = 105116)
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1011\software\microsoft\windows\currentversion\404updt\ (1 subtraces) (ID = 105129)
    4:39 PM: Found Adware: childoleauto
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1011\software\microsoft\windows\currentversion\run\ || sr64 (ID = 105492)
    4:39 PM: Found Adware: clientman
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1011\software\microsoft\windows\currentversion\run\ || msmc (ID = 105911)
    4:39 PM: Found Adware: coolwebsearch (cws)
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1011\software\microsoft\windows\currentversion\run\ || systime (ID = 112413)
    4:39 PM: Found Adware: cws-aboutblank
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1011\software\microsoft\internet explorer\main\ || search bar_bak (ID = 115924)
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1011\software\microsoft\internet explorer\main\ || search page_bak (ID = 115925)
    4:39 PM: Found Adware: elitebar
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1011\software\lq\ (10 subtraces) (ID = 125741)
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1011\software\sep\ (9 subtraces) (ID = 141642)
    4:39 PM: Found Adware: websearch toolbar
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1011\software\toolbar\ (1 subtraces) (ID = 146513)
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1011\software\microsoft\internet explorer\extensions\cmdmapping\ || {000007c6-17df-4438-92a4-de5537471ba3} (ID = 530423)
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1011\software\toolbar\ (1 subtraces) (ID = 646239)
    4:39 PM: HKU\WRSS_Profile_S-1-5-21-1870295334-3289290226-2283807818-1011\software\microsoft\internet explorer\main\ || search page_bak (ID = 774883)
    4:39 PM: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || default_search_url (ID = 125236)
    4:39 PM: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || search bar (ID = 125237)
    4:39 PM: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || search page (ID = 125238)
    4:39 PM: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || start page (ID = 125239)
    4:39 PM: HKU\S-1-5-18\software\ptech\ (7 subtraces) (ID = 125528)
    4:39 PM: HKU\S-1-5-18\software\avenue media\ (ID = 128887)
    4:39 PM: HKU\S-1-5-18\software\policies\avenue media\ (ID = 128928)
    4:39 PM: HKU\S-1-5-18\software\ist\ (4 subtraces) (ID = 129108)
    4:39 PM: Found Adware: lopdotcom
    4:39 PM: HKU\S-1-5-18\software\microsoft\windows\currentversion\run\ || aida (ID = 130496)
    4:39 PM: HKU\S-1-5-18\software\xbtb07618\ (60 subtraces) (ID = 134858)
    4:39 PM: HKU\S-1-5-18\software\microsoft\internet explorer\toolbar\webbrowser\ || {9a9c9b68-f908-4aab-8d0c-10ea8997f37e} (ID = 135102)
    4:39 PM: HKU\S-1-5-18\software\surfsidekick3\ (2 subtraces) (ID = 143412)
    4:39 PM: HKU\S-1-5-18\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
    4:39 PM: HKU\S-1-5-18\software\microsoft\windows\currentversion\policies\ameopt\ (ID = 654042)
    4:39 PM: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || search bar (ID = 790268)
    4:39 PM: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || default_search_url (ID = 790269)
    4:39 PM: HKU\S-1-5-18\software\director\ || baseurl (ID = 980277)
    4:39 PM: HKU\S-1-5-18\software\microsoft\internet explorer\extensions\cmdmapping\ || {77fbf9b8-1d37-4ff2-9ced-192d8e3aba6f} (ID = 1021025)
    4:39 PM: Registry Sweep Complete, Elapsed Time:00:01:11
    4:39 PM: Starting Cookie Sweep
    4:39 PM: Found Spy Cookie: 2o7.net cookie
    4:39 PM: emily [email protected][2].txt (ID = 1957)
    4:39 PM: Found Spy Cookie: yieldmanager cookie
    4:39 PM: emily [email protected][2].txt (ID = 3751)
    4:39 PM: Found Spy Cookie: adknowledge cookie
    4:39 PM: emily [email protected][1].txt (ID = 2072)
    4:39 PM: Found Spy Cookie: adlegend cookie
    4:39 PM: emily [email protected][1].txt (ID = 2074)
    4:39 PM: Found Spy Cookie: adrevolver cookie
    4:39 PM: emily [email protected][1].txt (ID = 2088)
    4:39 PM: emily [email protected][3].txt (ID = 2088)
    4:39 PM: Found Spy Cookie: ads.adsag cookie
     
  7. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    That got rid of a lot, so a bit more to do now.

    first:
    Download http://www.mvps.org/winhelp2002/DelDomains.inf and place it on the desktop.
    Right-click the file and select Install; that will reset the zone settings that have been altered.

    then
    Go to Start/Run, type services.msc and press OK.
    When the screen opens, scroll down to Local Security Authority Subsystem Service, right-click and select Properties; then on that page press Stop service and set the start-up type to Disabled. Press OK a few times to get back to Windows.

    Be very careful to get the right one, as there are several very similarly named ones there, and the others will be legitimate & needed.

    Now open HJT, press Config/Misc Tools and select Delete an NT service.

    paste this into the box & press OK

    lsass

    Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily


    Run HijackThis, put a tick in the box beside these entries listed below and ONLY these entries, double-check to make sure, then make sure all browser & email windows are closed and press Fix checked.


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wcc.net/index2.shtml
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe

    O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)

    O4 - HKLM\..\Run: [0oqw0ct0.dll] RUNDLL32.EXE 0oqw0ct0.dll,b 251281562
    O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe

    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.popuppers.com
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)


    O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
    O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} - http://a14.g.akamai.net/f/14/7141/1d...APANEL_USA.cab

    O20 - Winlogon Notify: awvvt - awvvt.dll (file missing)
    O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe


    now Start killbox, go to options on the top bar and make sure remove directories is enabled and remove duplicates is UNCHECKED. Paste the first file listed below into the full pathname and file to delete box

    The file name will appear in the window, select delete on reboot, press the red X button, say yes to the prompt and NO to reboot now then repeat for each file in turn

    [Note: Killbox makes backups of all deleted files & folders in a folder called C:\!killbox ] If Killbox tells you any files are missing don't worry but make a note and let us know in your next reply

    c:\\drsmartloadb.exe
    C:\WINDOWS\scvhost.exe
    C:\WINDOWS\system32\0oqw0ct0.dll

    Then on killbox top bar press tools/delete temp files, in the pop up box in the NT section select temp & temp internet & cookies only and in the 9x section select c:\windows\temp & c:\temp then on the drop down user account box, select your account, then repeat for every user account on the computer

    then reboot & post a fresh HJT log
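
The post above applies several triage rules by eye: a service called "lsass" (there is no genuine Windows service of that name), a binary named scvhost.exe that is one letter-swap away from svchost.exe, a RUNDLL32 entry loading a random-looking DLL, an executable sitting in the drive root, and third-party sites added to the IE Trusted Zone. The script below is an added example, not part of the thread or of HijackThis, that encodes those rules as a parser over HJT v1.99 log lines. The sample lines are copied from the log posted earlier in the thread; the core-process list, the "random name" heuristic and the one-edit lookalike threshold are assumptions chosen for illustration.

```python
"""HijackThis (HJT v1.99) log triage helper (added example, not HJT code).

Rules mirror the moderator's manual checks above:
  * O23: service short name is a core Windows process, or the binary is a
    one-edit lookalike of one (scvhost.exe vs svchost.exe)
  * O4:  RUNDLL32 loading a bare random-looking DLL, or an executable at
    the drive root
  * O15: any Trusted Zone addition or ProtocolDefaults override
  * O20: Winlogon Notify hook whose DLL is missing (orphaned entry)
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section reasons text")

# Core processes that fake services imitate (assumed list, not exhaustive).
CORE_PROCESSES = {"lsass", "svchost", "csrss", "winlogon", "services", "smss"}
SYSTEM_DIR = r"c:\windows\system32"

# Constructed sample: lines copied from the HJT log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [0oqw0ct0.dll] RUNDLL32.EXE 0oqw0ct0.dll,b 251281562
O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O15 - Trusted Zone: *.media-motor.net
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O20 - Winlogon Notify: awvvt - awvvt.dll (file missing)
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""


def osa_distance(a, b):
    """Edit distance where insert, delete, substitute and adjacent swap cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike(stem):
    """Return the core process name that `stem` imitates by one edit, else None."""
    for name in sorted(CORE_PROCESSES):
        if stem != name and osa_distance(stem, name) == 1:
            return name
    return None


def split_path(path):
    """Lower-cased (directory, filename); HJT prints root files with a doubled backslash."""
    p = path.strip().strip('"').lower().replace("\\\\", "\\")
    directory, _, filename = p.rpartition("\\")
    return directory, filename


def looks_random(stem):
    """Assumed heuristic: 6+ characters mixing letters and digits."""
    return len(stem) >= 6 and bool(re.search(r"\d", stem)) and bool(re.search(r"[a-z]", stem))


def check_o4(body):
    m = re.match(r"^(.*?):\s*\[([^\]]*)\]\s*(.*)$", body)
    if not m:
        return []
    command = m.group(3)
    exe = command[1:].split('"', 1)[0] if command.startswith('"') else command.split(None, 1)[0]
    directory, filename = split_path(exe)
    if filename in ("rundll32.exe", "rundll32"):
        parts = command.split(None, 1)
        dll = parts[1].split(",", 1)[0].strip().strip('"') if len(parts) > 1 else ""
        dll_dir, dll_file = split_path(dll)
        if not dll_dir and looks_random(dll_file.rsplit(".", 1)[0]):
            return ["RUNDLL32 loads bare random-looking DLL " + dll_file]
    elif re.fullmatch(r"[a-z]:", directory):
        return ["startup executable sits in drive root: " + exe]
    return []


def check_o15(body):
    if body.startswith("Trusted Zone:"):
        return ["site added to IE Trusted Zone: " + body.split(":", 1)[1].strip()]
    if body.startswith("ProtocolDefaults:"):
        return ["protocol default moved into Trusted Zone"]
    return []


def check_o20(body):
    return ["orphaned Winlogon Notify hook (DLL missing)"] if "(file missing)" in body else []


def check_o23(body):
    # "Unknown owner" alone is not used: HJT prints it for any binary lacking version info.
    m = re.match(r"^Service:\s+(.*?)\s+-\s+(.*?)\s+-\s+(.*)$", body)
    if not m:
        return []
    display, _owner, path = m.groups()
    short = re.search(r"\(([^()]+)\)\s*$", display)
    short = (short.group(1) if short else display).lower()
    directory, filename = split_path(path)
    stem = filename.rsplit(".", 1)[0]
    reasons = []
    if short in CORE_PROCESSES:
        reasons.append("service short name '%s' impersonates a core Windows process" % short)
    imitated = lookalike(stem)
    if imitated:
        reasons.append("binary %s is a lookalike of %s.exe" % (filename, imitated))
    elif stem in CORE_PROCESSES and directory != SYSTEM_DIR:
        reasons.append("core process name %s running from %s, not System32" % (filename, directory))
    return reasons


CHECKS = {"O4": check_o4, "O15": check_o15, "O20": check_o20, "O23": check_o23}


def triage(log_text):
    """Return one Finding per suspicious HJT line, carrying every matching reason."""
    findings = []
    for line in log_text.splitlines():
        m = re.match(r"^([RFO]\d+)\s+-\s+(.*)$", line.strip())
        if not m:
            continue
        section, body = m.groups()
        reasons = CHECKS.get(section, lambda _b: [])(body)
        if reasons:
            findings.append(Finding(section, tuple(reasons), line.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.section, "|", "; ".join(f.reasons), "\n   ", f.text)
```

Running it on the sample lists six lines for attention and leaves the QuickTime and DefWatch entries alone; the lsass service gets two reasons (impersonated name plus lookalike binary), which is why that single O23 line was worth both a service deletion and a killbox entry in the post above.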
     
  8. veribestteac

    veribestteac Thread Starter

    Joined:
    Jun 21, 2004
    Messages:
    67
    Logfile of HijackThis v1.99.1
    Scan saved at 7:39:10 PM, on 1/4/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
    C:\Program Files\hijackthis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
    O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
    O4 - Global Startup: Image Transfer.lnk = ?
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
    O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vto_x.cab
    O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct2_x.cab
    O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
    O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
    O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
    O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
    O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
    O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
    O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132578222656
    O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D9F8B928-9CA4-41B3-8641-3101E26F7854}: NameServer = 208.6.232.10,208.6.232.12
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: McAfee.com Personal Firewall Service (MpfService) - McAfee.com Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
     
  9. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    That is looking better

    If it is running OK now then

    Turn off system restore by following instructions here
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039
    That will purge the restore folder and clear any malware that has been put in there. Then reboot & then re-enable system restore & create a new restore point.

    go here http://forums.techguy.org/t208517/s.html for info on how to tighten your security settings and how to help prevent future attacks.

    and pay an urgent visit to windows update & make sure you are fully updated & get the bunch of new updates that are alleged to plug the security holes that let these pests on in the first place
     
Short URL to this thread: https://techguy.org/430639
