1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Solved: Oh man, what do I do now??

Discussion in 'Virus & Other Malware Removal' started by TheWanderer, Aug 2, 2006.

Thread Status:
Not open for further replies.
Advertisement
  1. TheWanderer

    TheWanderer Thread Starter

    Joined:
    Aug 2, 2006
    Messages:
    18
    Hi!

    This is my first post here, never had anything like this happen to me and am quite at a loss.... I read some of the advice on here and installed ewido and spysweeper - already have (and ran) ad-aware, spybot and nod 32, but nothing helps... I'm not much of an expert even if I tried my best. Here goes...

    I have this thing called surfside on my computer, as well as commandservice, hijacker.agent.a and worm.vb.w (as found by various tools). I tried editing the registry, running all those spyware/antiviruses, removing these things from the start up menu, but everytime I restart the computer, my software find the same things! What shall I do now? There was a lot more stuff at the beginning but these tools took care of most of the problems but these are just sticky buggers. Help! Please!

    Tine
     
  2. cybarite

    cybarite

    Joined:
    Mar 28, 2006
    Messages:
    8
    Hi TheWanderer,

    You need to install HijackThis and post a log for the moderators/malware experts to see.

    Download HJTsetup.exe "http://www.thespykiller.co.uk/files/HJTsetup.exe"

    Save HJTsetup.exe to your desktop.
    Double click on the HJTsetup.exe icon on your desktop.
    By default it will install to C:\Program Files\Hijack This.
    Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
    Put a check by Create a desktop icon then click Next again.
    Continue to follow the rest of the prompts from there.
    At the final dialogue box click Finish and it will launch Hijack This.
    Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
    Click Save to save the log file and then the log will open in notepad.
    Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    Come back here to this thread and Paste the log in your next reply.
    DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

    Hope this helps,


    Mathew

    P.S. The way to install HijackThis is taken from Cookiegal's standard format
     
  3. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
  4. TheWanderer

    TheWanderer Thread Starter

    Joined:
    Aug 2, 2006
    Messages:
    18
    Here is my hijackthis log file. I tried the combofix thing but it doesn't seem to be working...

    Logfile of HijackThis v1.99.1
    Scan saved at 12:18:07, on 2006-08-02
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\Common Files\{29FD14C5-0965-1033-0209-061129050002}\Update.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\arservice.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\HP\KBD\KBD.EXE
    C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q106&bd=pavilion&pf=desktop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=pavilion&pf=desktop
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
    F2 - REG:system.ini: UserInit=userinit.exe
    O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPwuSchd2.exe"
    O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.trymedia.com (HKLM)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147100069125
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - AppInit_DLLs: repairs303169590.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

    As I said, I ran ad-aware, then spybot, then my anti-virus (NOD-32), then ewido, then spysweeper.

    What shall I do now?
     
  5. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    <<doesn't seem to be working...>>

    That tells me nothing - where is its log?
     
  6. TheWanderer

    TheWanderer Thread Starter

    Joined:
    Aug 2, 2006
    Messages:
    18
    Exactly what I said, not working, no log, left it at it for an hour and nothing happened after I pressed y.
     
  7. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    DL it again and run it
     
  8. TheWanderer

    TheWanderer Thread Starter

    Joined:
    Aug 2, 2006
    Messages:
    18
    Okay, worked this time... Rebooted my computer and launched disk cleaner. Here's the log:

    Start Time= 2006-08-02 13:49:37,46
    Running from: C:\Documents and Settings\HP_Administrator\Desktop

    (((((((((((((((((((((((((((((((((((((((((((((((( Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Documents and Settings\HP_Administrator\Application Data\Sskdmns.dll
    C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Ssk.log
    C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[10].ssq
    C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[11].ssq
    C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[12].ssq
    C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[13].ssq
    C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[14].ssq
    C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[15].ssq
    C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[1].ssq
    C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[2].ssq
    C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[3].ssq
    C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[4].ssq
    C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[5].ssq
    C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[6].ssq
    C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[7].ssq
    C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[8].ssq
    C:\Program Files\Webroot\Spy Sweeper\Quarantine\ssk233[9].ssq
    C:\WINDOWS\system32\drivers\sskbfd.sys


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    C:\WINDOWS\system32\drivers\sskbfd.sys

    13:51:50,21
    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\keyboard1.dat


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-08-02 12:42:38 ( .D... ) "C:\Program Files\Picasa2"
    2006-08-02 01:38:08 ( .D... ) "C:\Program Files\Webroot"
    2006-08-02 01:38:08 ( .D... ) "C:\Documents and Settings\HP_Administrator\Application Data\Webroot"
    2006-08-01 19:45:40 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
    2006-08-01 17:20:36 270336 ( A.... ) "C:\WINDOWS\system32\imon.dll"
    2006-08-01 17:20:30 ( .D... ) "C:\Program Files\ESET"
    2006-08-01 16:50:32 61952 ( A.... ) "C:\WINDOWS\system32\rca70387.dll"
    2006-08-01 16:50:32 1167 ( A.... ) "C:\WINDOWS\system32\rca70387.sys"
    2006-08-01 16:50:32 1167 ( A.... ) "C:\WINDOWS\system32\rca70387.sys"
    2006-08-01 16:50:08 ( .D... ) "C:\Program Files\Common Files\wmzw"
    2006-08-01 16:48:02 ( .D... ) "C:\Program Files\Common Files\{29FD14C5-0965-1033-0209-061129050002}"
    2006-08-01 16:47:40 ( .DSH. ) "C:\Program Files\outlook"
    2006-07-30 10:32:50 ( .D... ) "C:\Program Files\Common Files\xing shared"
    2006-07-30 10:32:44 176167 ( A.... ) "C:\WINDOWS\system32\rmoc3260.dll"
    2006-07-30 10:32:40 278528 ( A.... ) "C:\WINDOWS\system32\pncrt.dll"
    2006-07-30 10:32:40 6656 ( A.... ) "C:\WINDOWS\system32\pndx5016.dll"
    2006-07-30 10:32:40 5632 ( A.... ) "C:\WINDOWS\system32\pndx5032.dll"
    2006-07-25 20:23:50 392 ( A.... ) "C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat"
    2006-07-07 16:54:10 252928 ( A.... ) "C:\WINDOWS\WRUninstall.dll"
    2006-07-07 16:53:54 208896 ( A.... ) "C:\WINDOWS\system32\WRLogonNtf.dll"
    2006-07-07 16:53:52 8704 ( A.... ) "C:\WINDOWS\system32\ssiefr.EXE"
    2006-07-07 16:53:50 20992 ( A.... ) "C:\WINDOWS\system32\wrlzma.dll"
    2006-07-06 07:59:36 ( .D... ) "C:\Program Files\TuneUp Utilities 2006"
    2006-07-06 07:59:02 ( .D... ) "C:\Program Files\Common Files\Wise Installation Wizard"
    2006-06-26 21:35:34 ( .D... ) "C:\Program Files\Heroes2"
    2006-06-20 13:13:00 ( .D... ) "C:\Documents and Settings\HP_Administrator\Application Data\HP"
    2006-06-19 16:20:42 702768 ( A.... ) "C:\WINDOWS\system32\WgaLogon.dll"
    2006-06-16 14:34:44 48936 ( A.... ) "C:\WINDOWS\system32\sirenacm.dll"
    2006-05-19 08:59:42 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
    2006-05-19 08:59:42 111616 ( ..... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
    2006-05-19 08:59:42 94720 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"
    2006-05-15 15:37:18 12288 ( A.... ) "C:\WINDOWS\impborl.dll"
    2006-05-08 21:10:06 35067 ( A.... ) "C:\Documents and Settings\HP_Administrator\Application Data\PatchUpdate_HP_CounterReport_Update_HPSU.log"
    2006-05-08 21:09:56 2164 ( A.... ) "C:\Documents and Settings\HP_Administrator\Application Data\HPSU_48BitScanUpdate.log"
    2006-05-08 21:08:08 6543 ( A.... ) "C:\Documents and Settings\HP_Administrator\Application Data\GdiplusUpgrade_MSIApproach_Wrapper.log"
    2006-05-08 21:07:08 55430 ( A.... ) "C:\Documents and Settings\HP_Administrator\Application Data\Update_HP_RedboxHprblog_HPSU.log"
    2006-05-08 21:06:54 139264 ( A.... ) "C:\WINDOWS\system32\hpzjrd01.dll"


    (((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


    2006-08-02 01:39 208ÿ896 C:\WINDOWS\system32\WRLogonNtf.dll
    2006-08-02 01:38 8ÿ704 C:\WINDOWS\system32\ssiefr.EXE
    2006-08-02 01:38 684ÿ032 C:\WINDOWS\libeay32.dll
    2006-08-02 01:38 252ÿ928 C:\WINDOWS\WRUninstall.dll
    2006-08-02 01:38 20ÿ992 C:\WINDOWS\system32\wrlzma.dll
    2006-08-02 01:38 155ÿ648 C:\WINDOWS\ssleay32.dll
    2006-08-01 17:20 270ÿ336 C:\WINDOWS\system32\imon.dll
    2006-08-01 16:50 61ÿ952 C:\WINDOWS\system32\rca70387.dll
    2006-08-01 16:50 1ÿ167 C:\WINDOWS\system32\rca70387.sys
    2006-07-30 10:32 6ÿ656 C:\WINDOWS\system32\pndx5016.dll
    2006-07-30 10:32 5ÿ632 C:\WINDOWS\system32\pndx5032.dll
    2006-07-30 10:32 278ÿ528 C:\WINDOWS\system32\pncrt.dll
    2006-07-30 10:32 176ÿ167 C:\WINDOWS\system32\rmoc3260.dll
    2006-06-26 21:35 298ÿ496 C:\WINDOWS\uninst.exe
    2006-06-26 21:35 12ÿ800 C:\WINDOWS\system32\WING32.DLL


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
    "NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
    "RTHDCPL"="RTHDCPL.EXE"
    "Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
    "HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPwuSchd2.exe\""
    "itype"="\"C:\\Program Files\\Microsoft IntelliType Pro\\itype.exe\""
    "HPBootOp"="\"C:\\Program Files\\Hewlett-Packard\\HP Boot Optimizer\\HPBootOp.exe\" /run"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
    "!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
    "SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray"
    "Picasa Media Detector"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
    "flags"=dword:00000008

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
    "{29FD14C5-0965-1033-0209-061129050002}"="\"C:\\Program Files\\Common Files\\{29FD14C5-0965-1033-0209-061129050002}\\Update.exe\" mc-110-12-0000140"

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000000

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source"="C:\\Program Files\\microsoft frontpage\\wolof.html"
    "SubscribedURL"=""
    "FriendlyName"=""
    "Flags"=dword:00002000
    "Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
    03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
    "CurrentState"=dword:40000001
    "OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
    00,00,01,00,00,00
    "RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
    "Source"="C:\\Program Files\\Internet Explorer\\tejecav.html"
    "SubscribedURL"=""
    "FriendlyName"=""
    "Flags"=dword:00002000
    "Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
    03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
    "CurrentState"=dword:40000001
    "OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
    00,00,01,00,00,00
    "RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,ec,\
    03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=dword:40000004
    "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
    DisableRegistryTools REG_DWORD 0 (0x0)

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\1-Click Maintenance.job
    C:\WINDOWS\tasks\Maintenance en 1 clic.job

    Completion time: 2006-08-02 13:51:55,31
    ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt

    ComboFix.2006-08-02.121452.txt
    ComboFix.2006-08-02.134937.txt
     
  9. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Need the current hijack log
     
  10. TheWanderer

    TheWanderer Thread Starter

    Joined:
    Aug 2, 2006
    Messages:
    18
    Aye aye, here comes

    Logfile of HijackThis v1.99.1
    Scan saved at 14:09:43, on 2006-08-02
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\arservice.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\Program Files\Common Files\{29FD14C5-0965-1033-0209-061129050002}\Update.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\HP\KBD\KBD.EXE
    c:\windows\system\hpsysdrv.exe
    C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Picasa2\Picasa2.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q106&bd=pavilion&pf=desktop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=pavilion&pf=desktop
    F2 - REG:system.ini: UserInit=userinit.exe
    O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPwuSchd2.exe"
    O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKLM\..\Run: [Picasa Media Detector] "C:\Program Files\Picasa2\PicasaMediaDetector.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.trymedia.com (HKLM)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147100069125
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
     
  11. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Fix this with HJT – mark it, close IE, click fix checked

    O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program
    =====================

    Clean [​IMG] - If you feel it is fixed, mark it solved via thread tools above - if not what is the current situation?

    Restore points
    Turn off restore points, boot, turn them back on – here’s how

    XP
    http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam
     
  12. TheWanderer

    TheWanderer Thread Starter

    Joined:
    Aug 2, 2006
    Messages:
    18
    Thank you! What a life saver you are!

    I will run all the programs once more in case something else pops up.... should keep me busy for the rest of the afternoon! :)
     
  13. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/488670

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice