
Solved: Paytime.exe Hijack

Discussion in 'Virus & Other Malware Removal' started by tsheeley, Jan 4, 2006.

Thread Status:
Not open for further replies.
  1. tsheeley

    tsheeley Thread Starter

    Joined:
    Jan 4, 2006
    Messages:
    108
    Spy Sweeper found a bunch of items in my hosts file in the Alerts section, should I also remove those once the scan is finished?
     
  2. tsheeley

    tsheeley Thread Starter

    Joined:
    Jan 4, 2006
    Messages:
    108
    Spy Sweeper Log.... and fresh HJT log... I can't thank you enough for all the work you've put into helping me.

    ********
    12:15 PM: | Start of Session, Sunday, January 08, 2006 |
    12:15 PM: Spy Sweeper started
    12:15 PM: Sweep initiated using definitions version 597
    12:15 PM: Starting Memory Sweep
    12:18 PM: Memory Sweep Complete, Elapsed Time: 00:02:34
    12:18 PM: Starting Registry Sweep
    12:18 PM: Found Adware: screensavers
    12:18 PM: HKLM\software\microsoft\code store database\distribution units\{88d758a3-d33b-45fd-91e3-67749b4057fa}\ (9 subtraces) (ID = 140566)
    12:18 PM: Found Adware: screenscenes
    12:18 PM: HKU\S-1-5-21-1793127001-1713248487-1129344928-1006\software\screenscenes\ (ID = 723706)
    12:18 PM: Registry Sweep Complete, Elapsed Time:00:00:16
    12:18 PM: Starting Cookie Sweep
    12:18 PM: Cookie Sweep Complete, Elapsed Time: 00:00:12
    12:18 PM: Starting File Sweep
    12:19 PM: Found Adware: gain - common components
    12:19 PM: a0021235.exe (ID = 164105)
    12:21 PM: Found Adware: java byteverify
    12:21 PM: blackbox.class-4fbc14ee-756f4a7b.class (ID = 64815)
    12:23 PM: Found Trojan Horse: trojan-backdoor-us15info
    12:23 PM: a0021478.exe (ID = 183857)
    12:23 PM: a0021479.exe (ID = 183857)
    12:23 PM: a0021480.exe (ID = 183857)
    12:24 PM: verifierbug.class-488fe19e-229438c2.class (ID = 64831)
    12:25 PM: kl.exe (ID = 215991)
    12:26 PM: Found Adware: spysheriff fakealert
    12:26 PM: tool2.exe (ID = 216176)
    12:32 PM: a0021236.exe (ID = 164105)
    12:32 PM: a0014953.scr (ID = 136818)
    12:33 PM: a0014949.exe (ID = 136789)
    12:34 PM: a0014959.exe (ID = 136830)
    12:37 PM: a0014950.exe (ID = 136787)
    12:38 PM: Found Adware: dollarrevenue
    12:38 PM: toolbar.exe (ID = 208556)
    12:38 PM: Found Trojan Horse: trojan-backdoor-securemulti
    12:38 PM: tool3.exe (ID = 206021)
    12:39 PM: Found Adware: spysheriff
    12:39 PM: secure32.html (ID = 184319)
    12:39 PM: secure32.html (ID = 184319)
    12:39 PM: Found Trojan Horse: trojan-downloader-passalert
    12:39 PM: a.exe (ID = 220514)
    12:39 PM: Warning: Failed to open file "c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\rp213\a0020984.exe". Access is denied
    12:40 PM: a0014952.exe (ID = 136786)
    12:42 PM: Found Adware: sexfiles dialers
    12:42 PM: dating.lnk (ID = 75396)
    12:42 PM: sinstaller.inf (ID = 74756)
    12:42 PM: dummy.class-393d648-3105e1df.class (ID = 64821)
    12:47 PM: Warning: Invalid Stream
    12:48 PM: File Sweep Complete, Elapsed Time: 00:29:35
    12:48 PM: Full Sweep has completed. Elapsed time 00:32:40
    12:48 PM: Traces Found: 115
    12:54 PM: Removal process initiated
    12:54 PM: Quarantining All Traces: spysheriff
    12:54 PM: Quarantining All Traces: trojan-backdoor-securemulti
    12:54 PM: Quarantining All Traces: trojan-backdoor-us15info
    12:54 PM: Quarantining All Traces: trojan-downloader-passalert
    12:54 PM: Quarantining All Traces: dollarrevenue
    12:54 PM: Quarantining All Traces: java byteverify
    12:54 PM: Quarantining All Traces: screensavers
    12:54 PM: Quarantining All Traces: sexfiles dialers
    12:54 PM: Quarantining All Traces: spysheriff fakealert
    12:54 PM: Quarantining All Traces: gain - common components
    12:54 PM: Quarantining All Traces: screenscenes
    12:54 PM: Removal process completed. Elapsed time 00:00:18
    ********
    12:11 PM: | Start of Session, Sunday, January 08, 2006 |
    12:11 PM: Spy Sweeper started
    12:12 PM: Your spyware definitions have been updated.
    12:15 PM: | End of Session, Sunday, January 08, 2006 |




    Logfile of HijackThis v1.99.1
    Scan saved at 1:00:09 PM, on 1/8/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\progra~1\yahoo!\YCentral\YahooCentral.exe
    C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
    C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\WINDOWS\runservice.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/wdgt3/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/wdgt3/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/wdgt3/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/wdgt3/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/wdgt3/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/wdgt3/*http://www.yahoo.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [YCentral] c:\progra~1\yahoo!\YCentral\YahooCentral.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
    O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Tom\Start Menu\Programs\IMVU\Run IMVU.lnk
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
    O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.3.5.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119402825687
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123651631218
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} -
    O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
    O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8D79873B-D80D-4F56-B717-6C7EFCAF5A2E}: NameServer = 64.105.132.252 64.105.166.122
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
     
  3. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    55,961
    First Name:
    Derek
    Spysweeper is normally accurate with what it finds in hosts files, so unless YOU have put the entries there (and they would then normally show in an HJT log) I would let SS fix it

    after it has done the fixes

    Removing Java trojans that your antivirus has found
    If you still are using JAVA 1.4 or earlier
    open control panel, select java plug in control panel, select cache and then press clear cache

    That gets rid of the trojans
    If you are using 1.5 version it's slightly different so read here

    http://www.java.com/en/download/help/5000020300.xml

    then

    Turn off system restore by following instructions here
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039
    That will purge the restore folder and clear any malware that has been put in there. Then reboot & then re-enable system restore & create a new restore point.

    go here http://forums.techguy.org/t208517/s.html for info on how to tighten your security settings and how to help prevent future attacks.

    and pay an urgent visit to Windows Update & make sure you are fully updated & get the bunch of new updates that are alleged to plug the security holes that let these pests on in the first place
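Added example (not from the thread, from Webroot or from any poster): a Python triage helper for the Spy Sweeper session-log format posted above. It groups every trace under its threat and separates out the A0nnnnnnn System Restore archive copies and the restore-point file the sweep could not open, which is the material the System Restore advice above is aimed at. `SAMPLE_LOG` is a constructed excerpt modelled on the posted log; the cookie file name is a placeholder.

```python
import re

# Constructed excerpt in the Spy Sweeper session-log format posted in the thread;
# modelled on the posted log but not complete, and the cookie file name is made up.
SAMPLE_LOG = """\
12:18 PM: Found Adware: screensavers
12:18 PM: HKLM\\software\\microsoft\\code store database\\distribution units\\{88d758a3-d33b-45fd-91e3-67749b4057fa}\\ (9 subtraces) (ID = 140566)
12:18 PM: Found Spy Cookie: zedo cookie
12:18 PM: user@zedo[1].txt (ID = 3762)
12:19 PM: Found Adware: gain - common components
12:19 PM: a0021235.exe (ID = 164105)
12:21 PM: Found Adware: java byteverify
12:21 PM: blackbox.class-4fbc14ee-756f4a7b.class (ID = 64815)
12:23 PM: Found Trojan Horse: trojan-backdoor-us15info
12:23 PM: a0021478.exe (ID = 183857)
12:23 PM: a0021479.exe (ID = 183857)
12:26 PM: Found Adware: spysheriff fakealert
12:26 PM: tool2.exe (ID = 216176)
12:32 PM: a0021236.exe (ID = 164105)
12:39 PM: Warning: Failed to open file "c:\\system volume information\\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\\rp213\\a0020984.exe". Access is denied
12:48 PM: File Sweep Complete, Elapsed Time: 00:29:35
12:48 PM: Traces Found: 115
"""

LINE_RE = re.compile(r"^(\d{1,2}:\d{2} [AP]M): (.*)$")
FOUND_RE = re.compile(r"^Found ([A-Za-z ]+?): (.+)$")
TRACE_RE = re.compile(r"^(.+?) \(ID = (\d+)\)$")
DENIED_RE = re.compile(r'^Warning: Failed to open file "([^"]+)"')
# Windows XP System Restore archives files as A0nnnnnnn.<ext> under
# \System Volume Information\_restore{GUID}\RPnnn; the sweep's own
# "Access is denied" warning shows that layout.
RESTORE_COPY_RE = re.compile(r"^a\d{7}\.[a-z0-9]{1,4}$", re.IGNORECASE)


def parse_spysweeper_log(text):
    """Group each trace under its threat and flag restore-point artefacts.

    "Found <category>: <name>" is printed once per threat, but a later trace
    of that threat can follow other Found lines (in the posted log a gain
    trace at 12:32 comes after the spysheriff Found at 12:26), so a trace
    goes to the threat whose ID it repeats, else to the latest threat.
    """
    threats = []         # {"category", "name", "traces"} in log order
    by_id = {}           # trace ID -> owning threat
    restore_copies = []  # (threat name, file) for A0nnnnnnn archive copies
    unscanned = []       # restore-point paths the sweep could not open
    traces_found = None
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group(2)
        found = FOUND_RE.match(msg)
        if found:
            current = {"category": found.group(1), "name": found.group(2),
                       "traces": []}
            threats.append(current)
            continue
        denied = DENIED_RE.match(msg)
        if denied:
            if "system volume information" in denied.group(1).lower():
                unscanned.append(denied.group(1))
            continue
        if msg.startswith("Traces Found:"):
            traces_found = int(msg.split(":", 1)[1])
            continue
        trace = TRACE_RE.match(msg)
        if not trace:
            continue  # sweep start/complete lines carry no trace
        name, trace_id = trace.group(1), trace.group(2)
        owner = by_id.get(trace_id, current)
        if owner is None:
            continue  # trace before any Found line: nothing to attach it to
        by_id.setdefault(trace_id, owner)
        owner["traces"].append(name)
        if RESTORE_COPY_RE.match(name):
            restore_copies.append((owner["name"], name))
    return {"threats": threats, "restore_copies": restore_copies,
            "unscanned_restore_files": unscanned, "traces_found": traces_found}


def category_counts(summary):
    """Number of distinct threats per Spy Sweeper category."""
    counts = {}
    for threat in summary["threats"]:
        counts[threat["category"]] = counts.get(threat["category"], 0) + 1
    return counts
```

A trace whose ID has not been seen before still falls to the most recent Found line even when it belongs to an earlier threat; the ID map only corrects repeated IDs.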
     
  4. tsheeley

    tsheeley Thread Starter

    Joined:
    Jan 4, 2006
    Messages:
    108
    I let SS take care of the hosts issues... then set the hosts file to write-protect and had the start page locked from being changed. Since SS was only a 14 day trial I uninstalled it now that we're done with it... then I killed the Java cache.

    Did full virus scan with AVG now that it works again... full AdAware scan... full Spybot scan... turned off System Restore... did the reboot... SR back on, and manually made a restore point.

    I think... we've got it all fixed. Everything seems to be running smooth again. Thank you so much for your help, Derek... per your message sig, when I have the money to spare I will be making a donation to say thank you. :cool:
     

Short URL to this thread: https://techguy.org/430926
