
Solved: Trojan.dialer.qs help!!

Discussion in 'Virus & Other Malware Removal' started by love2k, Aug 11, 2006.

  1. love2k (Thread Starter; joined Aug 9, 2006; 15 messages)
    As I was trying to get rid of my sysprotect popup, another problem altogether, I downloaded Ewido and it keeps on saying I have this dialer problem.

    PLEASE HELP!!

    Here is my HJT log - thank you in advance:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:14:17 AM, on 8/11/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    C:\WINDOWS\system32\atiptaxx.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\mobile PhoneTools\WatchDog.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Common Files\{DC0BA0AA-0640-1033-1024-010109280001}\Update.exe
    C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\Logitech\SetPoint\KEM.exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\Nelson\LOCALS~1\Temp\Rar$EX00.656\KillBox.exe
    C:\Documents and Settings\Nelson\My Documents\My Videos\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [4f9c3796.exe] C:\Documents and Settings\Nelson\Local Settings\Application Data\4f9c3796.exe
    O4 - HKCU\..\Run: [Oueu] "C:\DOCUME~1\Nelson\MYDOCU~1\SEMBLY~1\winspool.exe" -vt yazr
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
    O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {61CFB8D4-E042-4FBE-87F8-A494F7208936} - C:\WINDOWS\System32\IEDriver\td.exe (file missing)
    O9 - Extra 'Tools' menuitem: TurboDownload - {61CFB8D4-E042-4FBE-87F8-A494F7208936} - C:\WINDOWS\System32\IEDriver\td.exe (file missing)
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) -
    O16 - DPF: {CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_03) -
    O18 - Protocol: bw+0 - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw+0s - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0 - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0s - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00 - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00s - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10 - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10s - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20 - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20s - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30 - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30s - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40 - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40s - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50 - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50s - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60 - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60s - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70 - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70s - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80 - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80s - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90 - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90s - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0 - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0s - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0 - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0s - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0 - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0s - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0 - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0s - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0 - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0s - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0 - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0s - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: bwg0 - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwg0s - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0 - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0s - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0 - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0s - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0 - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0s - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0 - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0s - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0 - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0s - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0 - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0s - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0 - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0s - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0 - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0s - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0 - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0s - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0 - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0s - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0 - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0s - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0 - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0s - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0 - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0s - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0 - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0s - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0 - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0s - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0 - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0s - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0 - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0s - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0 - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0s - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0 - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0s - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: offline-8876480 - {BB47E79E-56B6-4293-A870-BB7636C6E638} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  2. khazars (joined Feb 15, 2004; 12,302 messages)
    Hi, welcome to TSG.

    Go to Add/Remove Programs and uninstall Desktop Messenger and Viewpoint Manager.

    Go to where you have installed HijackThis, right-click it, choose Rename and rename it to hijack.that. Then run HijackThis again and post a new log, as the hijacker you have won't show if it is called hijackthis.exe.
     
  3. love2k (Thread Starter)
    Thanks. Done. Here is the new HJT Log:

    Logfile of HijackThis v1.99.1
    Scan saved at 7:34:20 AM, on 8/11/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    C:\WINDOWS\system32\atiptaxx.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\mobile PhoneTools\WatchDog.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Common Files\{DC0BA0AA-0640-1033-1024-010109280001}\Update.exe
    C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\Logitech\SetPoint\KEM.exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\Documents and Settings\Nelson\My Documents\My Videos\HijackThat.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/
    O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {7097C9DC-E7AC-4071-868D-E744943F385B} - C:\WINDOWS\system32\ddayy.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [4f9c3796.exe] C:\Documents and Settings\Nelson\Local Settings\Application Data\4f9c3796.exe
    O4 - HKCU\..\Run: [Oueu] "C:\DOCUME~1\Nelson\MYDOCU~1\SEMBLY~1\winspool.exe" -vt yazr
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
    O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {61CFB8D4-E042-4FBE-87F8-A494F7208936} - C:\WINDOWS\System32\IEDriver\td.exe (file missing)
    O9 - Extra 'Tools' menuitem: TurboDownload - {61CFB8D4-E042-4FBE-87F8-A494F7208936} - C:\WINDOWS\System32\IEDriver\td.exe (file missing)
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) -
    O16 - DPF: {CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_03) -
    O20 - Winlogon Notify: ddayy - C:\WINDOWS\system32\ddayy.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winhab32 - C:\WINDOWS\SYSTEM32\winhab32.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  4. love2k

    love2k Thread Starter

    Joined:
    Aug 9, 2006
    Messages:
    15
    I have been trying to use HJT and Ewido to fix my problem. I've generated updated logs; can anyone please take a look? I would appreciate any help I could get. Thank you for your time.

    Logfile of HijackThis v1.99.1
    Scan saved at 11:08:31 PM, on 8/11/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    C:\WINDOWS\system32\atiptaxx.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\mobile PhoneTools\WatchDog.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Common Files\{DC0BA0AA-0640-1033-1024-010109280001}\Update.exe
    C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
    C:\Program Files\Logitech\SetPoint\KEM.exe
    C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Nelson\My Documents\My Videos\HijackThat.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/
    O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {BCE97C69-9984-452B-8E93-F9BECAB3CF3D} - C:\WINDOWS\system32\ddayy.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [4f9c3796.exe] C:\Documents and Settings\Nelson\Local Settings\Application Data\4f9c3796.exe
    O4 - HKCU\..\Run: [Oueu] "C:\DOCUME~1\Nelson\MYDOCU~1\SEMBLY~1\winspool.exe" -vt yazr
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
    O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) -
    O16 - DPF: {CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_03) -
    O20 - Winlogon Notify: ddayy - C:\WINDOWS\system32\ddayy.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    Here is my ewido log:

    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 10:44:37 PM 8/11/2006

    + Scan result:



    C:\WINDOWS\system32\xxyaayv.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
    C:\Documents and Settings\Nelson\Cookies\[email protected][2].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Nelson\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Nelson\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Nelson\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Nelson\Cookies\[email protected][1].txt -> TrackingCookie.Adbrite : Cleaned.
    C:\Documents and Settings\Nelson\Cookies\[email protected][2].txt -> TrackingCookie.Atdmt : Cleaned.
    C:\Documents and Settings\Nelson\Cookies\[email protected][2].txt -> TrackingCookie.Belstat : Cleaned.
    C:\Documents and Settings\Nelson\Cookies\[email protected][1].txt -> TrackingCookie.Casalemedia : Cleaned.
    C:\Documents and Settings\Nelson\Cookies\[email protected][2].txt -> TrackingCookie.Clickzs : Cleaned.
    C:\Documents and Settings\Nelson\Cookies\[email protected][1].txt -> TrackingCookie.Clickzs : Cleaned.
    C:\Documents and Settings\Nelson\Cookies\[email protected][1].txt -> TrackingCookie.Com : Cleaned.
    C:\Documents and Settings\Nelson\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned.
    C:\Documents and Settings\Nelson\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned.
    C:\Documents and Settings\Nelson\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned.
    C:\Documents and Settings\Nelson\Cookies\[email protected][1].txt -> TrackingCookie.Liveperson : Cleaned.
    C:\Documents and Settings\Nelson\Cookies\[email protected][1].txt -> TrackingCookie.Masterstats : Cleaned.
    C:\Documents and Settings\Nelson\Cookies\[email protected][1].txt -> TrackingCookie.Reliablestats : Cleaned.
    C:\Documents and Settings\Nelson\Cookies\[email protected][1].txt -> TrackingCookie.Statcounter : Cleaned.
    C:\Documents and Settings\Nelson\Cookies\[email protected][1].txt -> TrackingCookie.Tacoda : Cleaned.
    C:\Documents and Settings\Nelson\Cookies\[email protected][2].txt -> TrackingCookie.Targetnet : Cleaned.
    C:\Documents and Settings\Nelson\Cookies\[email protected][1].txt -> TrackingCookie.Tradedoubler : Cleaned.
    C:\Documents and Settings\Nelson\Cookies\[email protected][1].txt -> TrackingCookie.Trafficmp : Cleaned.
    C:\Documents and Settings\Nelson\Cookies\[email protected][1].txt -> TrackingCookie.Trafic : Cleaned.
    C:\Documents and Settings\Nelson\Cookies\[email protected][2].txt -> TrackingCookie.Tribalfusion : Cleaned.
    C:\Documents and Settings\Nelson\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned.
    C:\Documents and Settings\Nelson\Cookies\[email protected][1].txt -> TrackingCookie.Zedo : Cleaned.
    C:\WINDOWS\Temp\win264C.tmp.exe -> Trojan.Dialer.qs : Cleaned with backup (quarantined).


    ::Report end

    Is there anything else I can do??
     
  5. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Hi, I got your PM. Khazars may have missed your reply.

    Download and run VundoFix: http://www.atribune.org/ccount/click.php?id=4
    Double-click VundoFix.exe to run it.
    Put a check next to Run VundoFix as a task.
    You will receive a message saying vundofix will close and re-open in a minute or less. Click OK.
    When VundoFix re-opens, click the Scan for Vundo button.
    Once it's done scanning, click the Remove Vundo button.
    You will receive a prompt asking if you want to remove the files; click YES.
    Once you click yes, your desktop will go blank as it starts removing Vundo.
    When completed, it will prompt that it will shut down your computer; click OK.
    Turn your computer back on.
    Please post the contents of C:\vundofix.txt and a new HijackThis log.
     
  6. love2k

    love2k Thread Starter

    Joined:
    Aug 9, 2006
    Messages:
    15
    Thank you so much for helping me.

    Here is the Vundo log:

    VundoFix V5.1.7

    Running as SYSTEM
    from c:\windows\system32\VundoFix.exe

    Checking Java version...

    Java version is 1.5.0.6

    Scan started at 3:11:05 PM 8/9/2006

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    VundoFix V5.1.7

    Checking Java version...

    Java version is 1.5.0.6

    Scan started at 10:54:18 PM 8/11/2006

    Listing files found while scanning....

    No infected files were found.


    VundoFix V5.1.7

    Running as SYSTEM
    from c:\windows\system32\VundoFix.exe

    Checking Java version...

    Java version is 1.5.0.6

    Scan started at 11:45:03 PM 8/11/2006

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    I did have an old JAVA version previously installed but updated mine when perusing the threads here. Not sure if there is an even more updated version.

    Here is the updated HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:57:18 PM, on 8/11/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    C:\WINDOWS\system32\atiptaxx.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\mobile PhoneTools\WatchDog.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Common Files\{DC0BA0AA-0640-1033-1024-010109280001}\Update.exe
    C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
    C:\Program Files\Logitech\SetPoint\KEM.exe
    C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Nelson\My Documents\My Videos\HijackThat.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca
    O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {BCE97C69-9984-452B-8E93-F9BECAB3CF3D} - C:\WINDOWS\system32\ddayy.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [4f9c3796.exe] C:\Documents and Settings\Nelson\Local Settings\Application Data\4f9c3796.exe
    O4 - HKCU\..\Run: [Oueu] "C:\DOCUME~1\Nelson\MYDOCU~1\SEMBLY~1\winspool.exe" -vt yazr
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
    O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) -
    O16 - DPF: {CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_03) -
    O20 - Winlogon Notify: ddayy - C:\WINDOWS\system32\ddayy.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    I'm no expert (that's why I'm here), but I've been trying to get rid of \system32\ddayy.dll using KillBox and it's still there. Perhaps I'm not using it properly.

    Thanks again.
     
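    The entries the helpers are homing in on in the logs above (the unnamed BHO, the two Winlogon Notify DLLs, the Run keys pointing into the user profile, the ActiveX download) can be pulled out of a HijackThis log mechanically. The script below is an added example, not part of this thread and not code from HijackThis or any of the tools mentioned; it takes a few lines copied from the posted log as constructed sample input and reports why each entry is flagged. The baseline list KNOWN_WINLOGON_NOTIFY, the USER_PROFILE_MARKERS fragments and the function names are assumptions made for the example. The O20 rule also explains the KillBox failure: a Winlogon Notify DLL is mapped into winlogon.exe at logon and stays in use for the whole session, so it can only be removed before it loads.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: a handful of lines copied from the HijackThis log
# posted above, with a few benign entries kept as controls.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BCE97C69-9984-452B-8E93-F9BECAB3CF3D} - C:\WINDOWS\system32\ddayy.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [4f9c3796.exe] C:\Documents and Settings\Nelson\Local Settings\Application Data\4f9c3796.exe
O4 - HKCU\..\Run: [Oueu] "C:\DOCUME~1\Nelson\MYDOCU~1\SEMBLY~1\winspool.exe" -vt yazr
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) -
O20 - Winlogon Notify: ddayy - C:\WINDOWS\system32\ddayy.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winhab32 - C:\WINDOWS\SYSTEM32\winhab32.dll
"""

# Assumed baseline: Winlogon Notify packages that ship with Windows XP (plus
# WgaLogon from Windows Genuine Advantage). Anything else deserves a look,
# because a Notify DLL is loaded into winlogon.exe at every logon.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
}

# Path fragments (long and 8.3 form) that place a file inside a user profile,
# i.e. somewhere a browser-delivered dropper can write without admin rights.
USER_PROFILE_MARKERS = ("\\documents and settings\\", "\\docume~1\\")


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O20"
    reason: str   # why the entry was flagged
    target: str   # the file path or URL the entry points at
    line: str     # the original log line


def _command_target(cmd: str) -> str:
    """Strip the quoting and trailing arguments from an O4 command string."""
    cmd = cmd.strip()
    if cmd.startswith('"') and '"' in cmd[1:]:
        return cmd[1:cmd.index('"', 1)]
    return cmd


def triage(log_text: str) -> list[Finding]:
    """Apply four triage heuristics to every O-line in a HijackThis log."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"^(O\d+) - (.*)$", line)
        if not m:
            continue
        section, rest = m.group(1), m.group(2)
        if section == "O2" and rest.startswith("BHO: (no name)"):
            findings.append(Finding(section, "browser helper object registered without a name",
                                    rest.rsplit(" - ", 1)[-1], line))
        elif section == "O4":
            target = _command_target(rest.partition("] ")[2])
            if any(marker in target.lower() for marker in USER_PROFILE_MARKERS):
                findings.append(Finding(section, "autorun entry points into a user-writable profile directory",
                                        target, line))
        elif section == "O16":
            url = re.search(r"https?://\S+", rest, re.IGNORECASE)
            if url:
                findings.append(Finding(section, "ActiveX control fetched from an external download URL",
                                        url.group(0), line))
        elif section == "O20" and rest.startswith("Winlogon Notify: "):
            name, _, dll = rest[len("Winlogon Notify: "):].partition(" - ")
            if name.lower() not in KNOWN_WINLOGON_NOTIFY:
                findings.append(Finding(section, "unknown DLL registered as a Winlogon Notify package", dll, line))
    return findings


def winlogon_hooked_dlls(findings: list[Finding]) -> list[str]:
    """DLLs that winlogon.exe maps at logon. They stay in use for the whole
    session, so a plain delete fails; they have to be removed before they load,
    which is why removal tools defer them to the next reboot."""
    return [f.target for f in findings if f.section == "O20"]


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.section:<4} {f.reason}\n     -> {f.target}")
    print("in use from logon:", winlogon_hooked_dlls(results))
```

    Run against a full log, the same four rules pick out exactly the lines a helper would ask to have fixed, and the O20 list tells you in advance which files a delete-on-reboot step will have to handle.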
  7. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    KillBox won't usually remove it. We will have to use Avenger. But please do this first:
    * Click here to download Webroot SpySweeper.

    (It's a 2 week trial.)

    * Click the Free Trial link under "SpySweeper" to download the program.
    * Install it. Once the program is installed, it will open.
    * It will prompt you to update to the latest definitions, click Yes.
    * Once the definitions are installed, click Options on the left side.
    * Click the Sweep Options tab.
    * Under What to Sweep please put a check next to the following:
      o Sweep Memory
      o Sweep Registry
      o Sweep Cookies
      o Sweep All User Accounts
      o Enable Direct Disk Sweeping
      o Sweep Contents of Compressed Files
      o Sweep for Rootkits

      o Please UNCHECK Do not Sweep System Restore Folder.

    * Click Sweep Now on the left side.
    * Click the Start button.
    * When it's done scanning, click the Next button.
    * Make sure everything has a check next to it, then click the Next button.
    * It will remove all of the items found.
    * Click Session Log in the upper right corner, copy everything in that window.
    * Click the Summary tab and click Finish.
    * Paste the contents of the session log you copied into your next reply.

    Also post a new Hijack This log.
     
  8. love2k

    love2k Thread Starter

    Joined:
    Aug 9, 2006
    Messages:
    15
    Here is the SpySweeper log: (don't know if this is of any significance, but as it was running, Norton picked up several infected files it could not repair - \TEMP\tmp73.tmp, \TEMP\tmp74.tmp, \system32\winhab32.dll, and several others in the Norton folder also.)

    8:02 AM: Removal process completed. Elapsed time 00:02:25
    8:02 AM: A reboot was required but declined.
    8:02 AM: Warning: Failed to delete profile shadow file "C:\WINDOWS\Temp\SST1A4.tmp". Reason: The system cannot find the file specified
    8:02 AM: Warning: Failed to delete profile shadow file ".log". Reason: The system cannot find the file specified
    8:02 AM: Warning: Failed to delete profile shadow file "C:\WINDOWS\Temp\SST1A4.tmp". Reason: The system cannot find the file specified
    8:02 AM: Warning: Failed to delete profile shadow file ".log". Reason: The system cannot find the file specified
    8:01 AM: Quarantining All Traces: touchclarity cookie
    8:01 AM: Quarantining All Traces: webpower cookie
    8:01 AM: Quarantining All Traces: trb.com cookie
    8:01 AM: Quarantining All Traces: statcounter cookie
    8:01 AM: Quarantining All Traces: spylog cookie
    8:01 AM: Quarantining All Traces: directtrack cookie
    8:01 AM: Quarantining All Traces: servlet cookie
    8:01 AM: Quarantining All Traces: rn11 cookie
    8:01 AM: Quarantining All Traces: danni cookie
    8:01 AM: Quarantining All Traces: imlive.com cookie
    8:01 AM: Quarantining All Traces: passion cookie
    8:01 AM: Quarantining All Traces: partypoker cookie
    8:01 AM: Quarantining All Traces: mrskin cookie
    8:01 AM: Quarantining All Traces: metareward.com cookie
    8:01 AM: Quarantining All Traces: kinghost cookie
    8:01 AM: Quarantining All Traces: ic-live cookie
    8:01 AM: Quarantining All Traces: howstuffworks cookie
    8:01 AM: Quarantining All Traces: hotlog cookie
    8:01 AM: Quarantining All Traces: gamespy cookie
    8:01 AM: Quarantining All Traces: dealtime cookie
    8:01 AM: Quarantining All Traces: bizrate cookie
    8:01 AM: Quarantining All Traces: azjmp cookie
    8:01 AM: Quarantining All Traces: atlas dmt cookie
    8:01 AM: Quarantining All Traces: askmen cookie
    8:01 AM: Quarantining All Traces: adultfriendfinder cookie
    8:01 AM: Quarantining All Traces: hbmediapro cookie
    8:01 AM: Quarantining All Traces: adknowledge cookie
    8:01 AM: Quarantining All Traces: adecn cookie
    8:01 AM: Quarantining All Traces: websponsors cookie
    8:01 AM: Quarantining All Traces: yadro cookie
    8:01 AM: Quarantining All Traces: xiti cookie
    8:01 AM: Quarantining All Traces: screensavers.com cookie
    8:01 AM: Quarantining All Traces: myaffiliateprogram.com cookie
    8:01 AM: Quarantining All Traces: clickzs cookie
    8:01 AM: Quarantining All Traces: tacoda cookie
    8:01 AM: Quarantining All Traces: stlyrics cookie
    8:01 AM: Quarantining All Traces: starware.com cookie
    8:01 AM: Quarantining All Traces: [email protected] cookie
    8:01 AM: Quarantining All Traces: sympaticoca cookie
    8:01 AM: Quarantining All Traces: domainsponsor cookie
    8:01 AM: Quarantining All Traces: nextag cookie
    8:01 AM: Quarantining All Traces: linkexchange cookie
    8:01 AM: Quarantining All Traces: exitexchange cookie
    8:01 AM: Quarantining All Traces: go.com cookie
    8:01 AM: Quarantining All Traces: did-it cookie
    8:01 AM: Quarantining All Traces: 360i cookie
    8:01 AM: Quarantining All Traces: 2o7.net cookie
    8:01 AM: Quarantining All Traces: ccbill cookie
    8:01 AM: Quarantining All Traces: gostats cookie
    8:01 AM: Quarantining All Traces: belnk cookie
    8:01 AM: Quarantining All Traces: banner cookie
    8:01 AM: Quarantining All Traces: a cookie
    8:01 AM: Quarantining All Traces: atwola cookie
    8:01 AM: Quarantining All Traces: ask cookie
    8:01 AM: Quarantining All Traces: bpath cookie
    8:01 AM: Quarantining All Traces: gorillanation cookie
    8:01 AM: Quarantining All Traces: specificclick.com cookie
    8:01 AM: Quarantining All Traces: yieldmanager cookie
    8:01 AM: Quarantining All Traces: about cookie
    8:01 AM: Quarantining All Traces: commonname
    8:01 AM: Quarantining All Traces: limeshop
    8:01 AM: Quarantining All Traces: comet cursor
    8:01 AM: Quarantining All Traces: isearch toolbar
    8:01 AM: Quarantining All Traces: maxifiles
    8:01 AM: Quarantining All Traces: trojan agent winlogonhook
    8:01 AM: C:\WINDOWS\system32\ddayy.dll is in use. It will be removed on reboot.
    8:01 AM: virtumonde is in use. It will be removed on reboot.
    8:01 AM: Quarantining All Traces: virtumonde
    8:00 AM: Removal process initiated
    1:21 AM: Traces Found: 103
    1:21 AM: Full Sweep has completed. Elapsed time 00:56:00
    1:21 AM: File Sweep Complete, Elapsed Time: 00:48:55
    1:11 AM: Warning: Failed to access drive G:
    1:11 AM: Warning: Failed to access drive F:
    1:05 AM: C:\WINDOWS\system32\winnet.ini (ID = 53846)
    1:05 AM: Found Adware: commonname
    12:50 AM: Warning: PerformFileOffsetMatch Failed to check file "c:\documents and settings\nelson\local settings\temp\temporary internet files\content.ie5\y97494ry\l2[1].exe". "c:\documents and settings\nelson\local settings\temp\temporary internet files\content.ie5\y97494ry\l2[1].exe": File not found
    12:41 AM: C:\Documents and Settings\murdles\Local Settings\Temp\unpack\inst43.exe (ID = 53579)
    12:41 AM: Found Adware: comet cursor
    12:34 AM: Warning: PerformFileOffsetMatch Failed to check file "c:\documents and settings\nelson\local settings\temp\wine6.tmp.exe". "c:\documents and settings\nelson\local settings\temp\wine6.tmp.exe": File not found
    12:32 AM: Starting File Sweep
    12:32 AM: Warning: Failed to access drive A:
    12:32 AM: Cookie Sweep Complete, Elapsed Time: 00:00:15
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][1].txt (ID = 3717)
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][1].txt (ID = 3484)
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][1].txt (ID = 3021)
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][1].txt (ID = 3566)
    12:32 AM: Found Spy Cookie: touchclarity cookie
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][2].txt (ID = 3660)
    12:32 AM: Found Spy Cookie: webpower cookie
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][2].txt (ID = 3587)
    12:32 AM: Found Spy Cookie: trb.com cookie
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][2].txt (ID = 3447)
    12:32 AM: Found Spy Cookie: statcounter cookie
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][2].txt (ID = 2506)
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][1].txt (ID = 3415)
    12:32 AM: Found Spy Cookie: spylog cookie
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][1].txt (ID = 2528)
    12:32 AM: Found Spy Cookie: directtrack cookie
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][2].txt (ID = 3345)
    12:32 AM: Found Spy Cookie: servlet cookie
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][1].txt (ID = 2038)
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][2].txt (ID = 3261)
    12:32 AM: Found Spy Cookie: rn11 cookie
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][1].txt (ID = 2494)
    12:32 AM: Found Spy Cookie: danni cookie
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][1].txt (ID = 2844)
    12:32 AM: Found Spy Cookie: imlive.com cookie
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][2].txt (ID = 3113)
    12:32 AM: Found Spy Cookie: passion cookie
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][2].txt (ID = 3111)
    12:32 AM: Found Spy Cookie: partypoker cookie
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][2].txt (ID = 5014)
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][1].txt (ID = 3020)
    12:32 AM: Found Spy Cookie: mrskin cookie
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][1].txt (ID = 2729)
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][1].txt (ID = 2990)
    12:32 AM: Found Spy Cookie: metareward.com cookie
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][1].txt (ID = 2038)
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][1].txt (ID = 2038)
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][1].txt (ID = 2903)
    12:32 AM: Found Spy Cookie: kinghost cookie
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][1].txt (ID = 2821)
    12:32 AM: Found Spy Cookie: ic-live cookie
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][2].txt (ID = 2805)
    12:32 AM: Found Spy Cookie: howstuffworks cookie
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][1].txt (ID = 2801)
    12:32 AM: Found Spy Cookie: hotlog cookie
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][2].txt (ID = 2728)
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][1].txt (ID = 2719)
    12:32 AM: Found Spy Cookie: gamespy cookie
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][1].txt (ID = 2038)
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][1].txt (ID = 2038)
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][2].txt (ID = 2293)
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][1].txt (ID = 2523)
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][1].txt (ID = 2505)
    12:32 AM: Found Spy Cookie: dealtime cookie
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][2].txt (ID = 1962)
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][2].txt (ID = 2369)
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][2].txt (ID = 2308)
    12:32 AM: Found Spy Cookie: bizrate cookie
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][1].txt (ID = 2292)
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][2].txt (ID = 2027)
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][2].txt (ID = 2270)
    12:32 AM: Found Spy Cookie: azjmp cookie
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][2].txt (ID = 2255)
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][2].txt (ID = 2253)
    12:32 AM: Found Spy Cookie: atlas dmt cookie
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][2].txt (ID = 2245)
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][1].txt (ID = 2247)
    12:32 AM: Found Spy Cookie: askmen cookie
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][2].txt (ID = 2165)
    12:32 AM: Found Spy Cookie: adultfriendfinder cookie
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][2].txt (ID = 2768)
    12:32 AM: Found Spy Cookie: hbmediapro cookie
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][2].txt (ID = 2072)
    12:32 AM: Found Spy Cookie: adknowledge cookie
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][1].txt (ID = 2063)
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][1].txt (ID = 2064)
    12:32 AM: Found Spy Cookie: adecn cookie
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][2].txt (ID = 2037)
    12:32 AM: c:\documents and settings\nelson\cookies\[email protected][2].txt (ID = 3665)
    12:32 AM: Found Spy Cookie: websponsors cookie
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][1].txt (ID = 3743)
    12:31 AM: Found Spy Cookie: yadro cookie
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][1].txt (ID = 3717)
    12:31 AM: Found Spy Cookie: xiti cookie
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][1].txt (ID = 3298)
    12:31 AM: Found Spy Cookie: screensavers.com cookie
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][1].txt (ID = 3032)
    12:31 AM: Found Spy Cookie: myaffiliateprogram.com cookie
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][2].txt (ID = 2413)
    12:31 AM: Found Spy Cookie: clickzs cookie
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][1].txt (ID = 1958)
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][1].txt (ID = 1958)
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][2].txt (ID = 2038)
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][1].txt (ID = 6444)
    12:31 AM: Found Spy Cookie: tacoda cookie
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][1].txt (ID = 3483)
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][1].txt (ID = 3461)
    12:31 AM: Found Spy Cookie: stlyrics cookie
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][1].txt (ID = 3441)
    12:31 AM: Found Spy Cookie: starware.com cookie
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][2].txt (ID = 3367)
    12:31 AM: Found Spy Cookie: [email protected] cookie
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][1].txt (ID = 3484)
    12:31 AM: Found Spy Cookie: sympaticoca cookie
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][1].txt (ID = 2534)
    12:31 AM: Found Spy Cookie: domainsponsor cookie
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][1].txt (ID = 2729)
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][1].txt (ID = 1958)
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][2].txt (ID = 5014)
    12:31 AM: Found Spy Cookie: nextag cookie
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][1].txt (ID = 2729)
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][1].txt (ID = 1958)
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][2].txt (ID = 2920)
    12:31 AM: Found Spy Cookie: linkexchange cookie
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][2].txt (ID = 2729)
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][1].txt (ID = 2728)
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][2].txt (ID = 2038)
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][2].txt (ID = 2633)
    12:31 AM: Found Spy Cookie: exitexchange cookie
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][2].txt (ID = 2293)
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][2].txt (ID = 2729)
    12:31 AM: Found Spy Cookie: go.com cookie
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][1].txt (ID = 2523)
    12:31 AM: Found Spy Cookie: did-it cookie
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][1].txt (ID = 1962)
    12:31 AM: Found Spy Cookie: 360i cookie
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][1].txt (ID = 1958)
    12:31 AM: Found Spy Cookie: 2o7.net cookie
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][1].txt (ID = 2369)
    12:31 AM: Found Spy Cookie: ccbill cookie
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][1].txt (ID = 2038)
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][2].txt (ID = 2748)
    12:31 AM: Found Spy Cookie: gostats cookie
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][1].txt (ID = 2292)
    12:31 AM: Found Spy Cookie: belnk cookie
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][1].txt (ID = 2276)
    12:31 AM: Found Spy Cookie: banner cookie
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][2].txt (ID = 2027)
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][1].txt (ID = 2027)
    12:31 AM: Found Spy Cookie: a cookie
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][1].txt (ID = 2255)
    12:31 AM: Found Spy Cookie: atwola cookie
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][1].txt (ID = 2245)
    12:31 AM: Found Spy Cookie: ask cookie
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][2].txt (ID = 2321)
    12:31 AM: Found Spy Cookie: bpath cookie
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][1].txt (ID = 2744)
    12:31 AM: Found Spy Cookie: gorillanation cookie
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][2].txt (ID = 3400)
    12:31 AM: Found Spy Cookie: specificclick.com cookie
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][2].txt (ID = 3751)
    12:31 AM: Found Spy Cookie: yieldmanager cookie
    12:31 AM: c:\documents and settings\murdles\cookies\[email protected][2].txt (ID = 2037)
    12:31 AM: Found Spy Cookie: about cookie
    12:31 AM: Starting Cookie Sweep
    12:31 AM: Registry Sweep Complete, Elapsed Time:00:00:45
    12:31 AM: HKU\S-1-5-21-329068152-1897051121-725345543-1004\software\microsoft\internet explorer\toolbar\webbrowser\ || {cbcc61fa-0221-4ccc-b409-cee865caca3a} (ID = 1530952)
    12:31 AM: HKU\WRSS_Profile_S-1-5-21-329068152-1897051121-725345543-1005\software\microsoft\internet explorer\menuext\limeshop preferences\ (ID = 129724)
    12:31 AM: Found Adware: limeshop
    12:31 AM: HKU\WRSS_Profile_S-1-5-21-329068152-1897051121-725345543-1005\software\microsoft\internet explorer\extensions\cmdmapping\ || {1a00c40b-da85-4aa3-a67f-582d9347eecd} (ID = 129028)
    12:31 AM: Found Adware: isearch toolbar
    12:31 AM: HKLM\software\microsoft\windows\currentversion\uninstall\toolbar888\ (ID = 1498367)
    12:31 AM: Found Adware: maxifiles
    12:31 AM: HKLM\software\microsoft\mssmgr\ (ID = 937101)
    12:31 AM: Found Trojan Horse: trojan agent winlogonhook
    12:30 AM: Starting Registry Sweep
    12:30 AM: Memory Sweep Complete, Elapsed Time: 00:05:40
    12:26 AM: Detected running threat: C:\WINDOWS\system32\ddayy.dll (ID = 394)
    12:26 AM: Found Adware: virtumonde
    12:25 AM: Starting Memory Sweep
    12:25 AM: Sweep initiated using definitions version 739
    12:25 AM: Spy Sweeper 5.0.5.1286 started
    12:25 AM: | Start of Session, Saturday, August 12, 2006 |
    ********
    12:25 AM: | End of Session, Saturday, August 12, 2006 |
    12:23 AM: Your definitions are up to date.
    12:22 AM: Your spyware definitions have been updated.
    Keylogger Shield: On
    BHO Shield: On
    IE Security Shield: On
    Alternate Data Stream (ADS) Execution Shield: On
    Startup Shield: On
    Common Ad Sites Shield: Off
    Hosts File Shield: On
    Spy Communication Shield: On
    ActiveX Shield: On
    Windows Messenger Service Shield: On
    IE Favorites Shield: On
    Spy Installation Shield: On
    Memory Shield: On
    IE Hijack Shield: On
    IE Tracking Cookies Shield: Off
    12:19 AM: Shield States
    12:18 AM: Spyware Definitions: 691
    12:17 AM: Spy Sweeper 5.0.5.1286 started
    12:17 AM: Spy Sweeper 5.0.5.1286 started
    12:17 AM: | Start of Session, Saturday, August 12, 2006 |
    ********

    Here is the new HJT log (ddayy.dll deleted by Spy Sweeper?)

    Logfile of HijackThis v1.99.1
    Scan saved at 8:26:12 AM, on 8/12/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    C:\WINDOWS\system32\atiptaxx.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\mobile PhoneTools\WatchDog.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\Common Files\{DC0BA0AA-0640-1033-1024-010109280001}\Update.exe
    C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
    C:\Program Files\Logitech\SetPoint\KEM.exe
    C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Nelson\My Documents\My Videos\HijackThat.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [AHQInit] "C:\Program Files\Creative\SBLive\Program\AHQInit.exe"
    O4 - HKLM\..\Run: [AudioHQ] "C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE"
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Ink Monitor] "C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
    O4 - HKLM\..\Run: [WatchDog] "C:\Program Files\mobile PhoneTools\WatchDog.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [4f9c3796.exe] C:\Documents and Settings\Nelson\Local Settings\Application Data\4f9c3796.exe
    O4 - HKCU\..\Run: [Oueu] "C:\DOCUME~1\Nelson\MYDOCU~1\SEMBLY~1\winspool.exe" -vt yazr
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
    O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) -
    O16 - DPF: {CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_03) -
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

    Thank you again!!
     
  9. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    Cheers Cheesy, I'll help this along a bit more!


    SpySweeper:

    Before you proceed with the removal directions below you need to turn off SpySweeper's realtime protection as it will interfere with the changes we are trying to make.

    Open Spysweeper and click on Options > Program Options.
    Uncheck "load at windows startup".
    On the left click "shields" and then uncheck everything there.
    Uncheck "home page shield".
    Uncheck "automatically restore default without notification".
    Exit the program.
    Leave it disabled until we are finished here.



    Click Start > Run > and type in:

    services.msc

    Click OK.

    In the Services window, find Ewido. Right click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

    Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service, look in the top left of the main Services window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.


    You can re-enable this after you are clean!



    * Go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the "Delete Cookies" button to clear the cookies.



    Download the pocket killbox

    http://www.bleepingcomputer.com/files/killbox.php



    * Click here to download ATF Cleaner by Atribune and save it to your desktop.

    http://majorgeeks.com/ATF_Cleaner_d4949.html


    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All
    * Click the Empty Selected button.
    o If you use Firefox:
    + Click Firefox at the top and choose: Select All
    + Click the Empty Selected button.
    + NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    o If you use Opera:
    + Click Opera at the top and choose: Select All
    + Click the Empty Selected button.
    + NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    * Click Exit on the Main menu to close the program.



    Have HijackThis fix these entries. Close all browsers and programmes before clicking FIX.



    O4 - HKCU\..\Run: [4f9c3796.exe] C:\Documents and Settings\Nelson\Local Settings\Application Data\4f9c3796.exe
    O4 - HKCU\..\Run: [Oueu] "C:\DOCUME~1\Nelson\MYDOCU~1\SEMBLY~1\winspool.exe" -vt yazr
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/Yazzl...cab?refid=1123
    O16 - DPF: {CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_03) -



    Double-click on Killbox.exe to run it. Now put a tick by Delete on Reboot. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click No. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box. Then click Yes to reboot after you have entered the last one.


    Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.


    C:\Program Files\Common Files\{DC0BA0AA-0640-1033-1024-010109280001}\Update.exe
    C:\Documents and Settings\Nelson\Local Settings\Application Data\4f9c3796.exe
    C:\DOCUME~1\Nelson\MYDOCU~1\SEMBLY~1\winspool.exe
    C:\DOCUME~1\Nelson\MYDOCU~1\SEMBLY~1




    Go to this site and download these tools, and once you have both Adaware SE 1.6 and Spybot, update both of them.

    Set Adaware to do a full system scan and deselect "search for negligible risk entries". Click Next to start the scan. Delete everything Adaware finds.

    Reboot and now run Spybot.

    Spybot: Search and Destroy.

    Delete what Spybot finds marked in red. After updating Spybot, hit the Immunize button.



    Download Superantispyware.

    http://www.superantispyware.com/


    Once downloaded and installed, update the definitions and then run a full system scan. Quarantine what it finds!



    All tools can be downloaded at the link below and found on that page!

    * SUPERAntiSpyware
    * SpyBot Search and Destroy
    * AdAware SE Personal


    http://www.majorgeeks.com/downloads31.html


    Post another log.
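The two O4 entries and the Yazzle O16 entry that khazars picks out above are the ones a reviewer spots by looking at where the autorun image lives and where the ActiveX control was downloaded from. The Python script below is an added example (not from the thread, and not part of HijackThis, Killbox or any other tool named here) that applies that same judgement mechanically to HijackThis O4 and O16 lines: it flags Run values whose executable sits in a user-writable part of the profile, whose file name is a bare hex string, or whose name imitates a Windows component while living outside the Windows directory, and it reports any ActiveX download host that is not on an allowlist. The sample lines are copied from the log posted earlier in the thread; the path markers, the lookalike set and the empty allowlist are the example's own assumptions, and its output is a list of entries to review, not a verdict.

```python
"""Triage HijackThis O4 (Run key) and O16 (ActiveX DPF) lines.

Added example, not part of the thread or of HijackThis itself. The heuristics
and the empty allowlist of ActiveX download hosts are assumptions of the example.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Sample lines copied from the HijackThis log posted above; the clean ccApp,
# AtiPTA and Steam entries are kept so the heuristics can be seen not firing.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [4f9c3796.exe] C:\Documents and Settings\Nelson\Local Settings\Application Data\4f9c3796.exe
O4 - HKCU\..\Run: [Oueu] "C:\DOCUME~1\Nelson\MYDOCU~1\SEMBLY~1\winspool.exe" -vt yazr
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) -
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>[^)]*)\))? - ?(?P<url>\S*)$")

# Path fragments (lower-case, long and 8.3 short forms) that place an autorun
# image inside a user-writable part of the profile rather than under
# Program Files or the Windows directory. Assumed list for this example.
USER_WRITABLE = (
    "documents and settings", "docume~1", "local settings", "locals~1",
    "application data", "appdata", "my documents", "mydocu~1", "\\temp\\",
)
# Names that imitate Windows components; genuine copies live under \Windows\.
SYSTEM_LOOKALIKES = {"winspool", "svchost", "lsass", "services", "winlogon", "csrss", "explorer"}
HEX_NAME = re.compile(r"^[0-9a-f]{6,}$")


def image_path(cmd: str) -> str:
    """Return the executable path from a Run value, quoted or unquoted."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces; cut after the first .exe token.
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else (cmd.split() or [""])[0]


def triage_o4(cmd: str) -> list[str]:
    """Reasons an O4 autorun entry deserves a second look (empty list if none)."""
    path = image_path(cmd).lower()
    directory, _, filename = path.rpartition("\\")
    stem = filename[:-4] if filename.endswith(".exe") else filename
    reasons = []
    if any(marker in path for marker in USER_WRITABLE):
        reasons.append("image lives under a user-writable profile directory")
    if HEX_NAME.match(stem):
        reasons.append("image name is a bare hex string")
    if stem in SYSTEM_LOOKALIKES and "\\windows\\" not in directory + "\\":
        reasons.append("Windows-component lookalike outside the Windows directory")
    return reasons


def triage_o16(url: str, trusted_hosts: frozenset[str]) -> list[str]:
    """Flag ActiveX (DPF) downloads whose host is not on the reviewer's allowlist."""
    if not url:
        return []  # no download source recorded; nothing to judge from this line
    host = urlsplit(url).hostname or url
    return [] if host in trusted_hosts else [f"ActiveX control downloaded from unlisted host {host}"]


def triage_log(text: str, trusted_hosts: frozenset[str] = frozenset()) -> list[tuple[str, list[str]]]:
    """Return (Run value name or CLSID, reasons) for every O4/O16 line worth review."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            key, reasons = m["name"], triage_o4(m["cmd"])
        elif m := O16_RE.match(line):
            key, reasons = m["clsid"], triage_o16(m["url"], trusted_hosts)
        else:
            continue
        if reasons:
            findings.append((key, reasons))
    return findings


if __name__ == "__main__":
    for key, reasons in triage_log(SAMPLE_LOG):
        print(key)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, the script reports exactly the three entries khazars asked to have fixed (4f9c3796.exe, Oueu and the Yazzle CLSID) and stays silent on ccApp, AtiPTA and Steam; passing `trusted_hosts=frozenset({"yax-download.yazzle.net"})` would suppress the O16 finding, which is how a reviewer records a host that has already been vetted.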
     
  10. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    All yours buddy :)
     
  11. love2k

    love2k Thread Starter

    Joined:
    Aug 9, 2006
    Messages:
    15
    Thanks khazars! Ok, I've gone through all the scans (took awhile) and here is my new HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 1:08:05 AM, on 8/13/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    C:\WINDOWS\system32\atiptaxx.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\mobile PhoneTools\WatchDog.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Logitech\SetPoint\KEM.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Nelson\Desktop\HijackThat.exe
    C:\DOCUME~1\Nelson\LOCALS~1\Temp\SSUPDATE.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [AHQInit] "C:\Program Files\Creative\SBLive\Program\AHQInit.exe"
    O4 - HKLM\..\Run: [AudioHQ] "C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE"
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Ink Monitor] "C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
    O4 - HKLM\..\Run: [WatchDog] "C:\Program Files\mobile PhoneTools\WatchDog.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
    O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) -
    O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

    (Don't know if this is of any importance, but as Ad-Aware was running, Norton displayed a Trojan message for \system32\winhab32.dll - but it never came up again on subsequent scans.)

    Thanks for all your help so far.
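    As an added example (it is not part of the thread and not HijackThis's own logic), the Python below reads a log in the HijackThis v1.99.1 layout shown above and flags the entries a helper looks at first. The sample log inside it is constructed from a few lines of that format, and the rules are my own assumptions about what earns a second look: a process running from a Temp directory, an entry whose target is "(file missing)", an O23 service listed with "Unknown owner", any O20 Winlogon Notify DLL (it loads into winlogon.exe at logon), and an O4 autorun given as a bare filename that Windows resolves through the search path. A flag means "verify", not "malware"; the Epson service and the ATI tray program in the log above are both legitimate and still get flagged.

```python
"""Triage of a HijackThis 1.99.1 log: flag entries worth a human's second look."""
import re
import sys
from typing import Dict, List

# Constructed sample in the HijackThis v1.99.1 layout (a handful of lines
# modelled on the thread's log, not the full log itself).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\DOCUME~1\Nelson\LOCALS~1\Temp\SSUPDATE.EXE

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

ENTRY_RE = re.compile(r"^O\d+ - ")                  # "O4 - ...", "O23 - ..." lines
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)  # ...\Temp\... incl. LOCALS~1\Temp
# Absolute target: optional quote, then a drive letter or a %VAR% root.
ABS_PATH_RE = re.compile(r'^"?(?:[A-Za-z]:\\|%[A-Za-z]+%\\)')


def parse(log_text: str) -> Dict[str, List[str]]:
    """Split a HijackThis log into running-process paths and O-numbered entries.

    The process list starts after the "Running processes:" header and ends at
    the first blank line; everything else that looks like "Onn - ..." is an
    entry. Header lines (Logfile/Platform/MSIE) are ignored.
    """
    processes: List[str] = []
    entries: List[str] = []
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
        elif ENTRY_RE.match(line):
            entries.append(line)
    return {"processes": processes, "entries": entries}


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return findings as {"rule": why it was flagged, "line": the log line}.

    Rules are this example's assumptions about what deserves a manual check;
    they are not a malware verdict.
    """
    parsed = parse(log_text)
    findings: List[Dict[str, str]] = []
    for proc in parsed["processes"]:
        if TEMP_DIR_RE.search(proc):
            findings.append({"rule": "process running from a Temp directory", "line": proc})
    for entry in parsed["entries"]:
        kind = entry.split(" - ", 1)[0]
        if entry.endswith("(file missing)"):
            # Dangling hook: harmless by itself, but it shows something was removed.
            findings.append({"rule": "orphaned entry, target file missing", "line": entry})
        if kind == "O23" and " - Unknown owner - " in entry:
            findings.append({"rule": "service binary without a company string", "line": entry})
        if kind == "O20":
            findings.append({"rule": "DLL loaded into winlogon.exe at logon (verify vendor)", "line": entry})
        if kind == "O4" and "] " in entry:
            target = entry.split("] ", 1)[1]
            if not ABS_PATH_RE.match(target):
                findings.append({"rule": "autorun given as bare filename (search-path resolution)", "line": entry})
    return findings


if __name__ == "__main__":
    # Usage: python triage.py [hijackthis.log]; without an argument it uses the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for finding in triage(text):
        print(f"[{finding['rule']}]\n    {finding['line']}")
```

    Each rule keys off a visible field of the log only (the "(file missing)" suffix, the "Unknown owner" company string, the section number), so the script adds no knowledge about particular files; what it buys you is a consistent first pass over a log of a hundred-plus lines before reading the rest by hand.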
     
  12. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    Clean log!


    OK, to make sure that file is gone, do this! If Killbox says the file is not there, then it means it's gone!


    Download the pocket killbox

    http://www.bleepingcomputer.com/files/killbox.php


    Double-click on Killbox.exe to run it. Now put a tick by Delete on Reboot. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click No. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box. Then click Yes to reboot after you have entered the last one.


    Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.



    C:\WINDOWS\system32\winhab32.dll




    You should now turn off System Restore to flush out the bad restore points, and then re-enable it and make a new clean restore point.


    How to turn off system restore

    http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam


    http://support.microsoft.com/default.aspx?scid=kb;[LN];310405




    Here are some free tools to keep you from getting infected in the future.


    To stop reinfection, get SpywareBlaster from


    http://www.javacoolsoftware.com/downloads.html


    Get the hosts file from here. Unzip it to a folder!



    http://www.mvps.org/winhelp2002/hosts.htm


    Put it into the folder for your Windows version, or click the mvps.bat and it should do it for you!


    Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
    Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
    Win 98\ME = C:\WINDOWS



    IE-SpyAd. Puts over 5000 sites in your Restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

    http://www.spywarewarrior.com/uiuc/resource.htm


    Arovax Shield: stop your computer from being hijacked!

    http://www.arovaxshield.com/



    Use Spybot's Immunize button and use SpywareBlaster's Enable Protection once you update it. You can put Spybot's hosts file into your own and lock it.



    I would also suggest switching to Mozilla's Firefox browser; it's safer, has a built-in pop-up blocker, and blocks cookies and ads. Mozilla Thunderbird is also a good e-mail client.

    http://www.mozilla.org/


    Another good and free browser is Opera!

    http://www.opera.com/


    Read here to see how to tighten your security:

    http://forums.techguy.org/t208517.html


    A good overall guide for firewalls, anti-virus, and anti-trojans, as well as regular spyware cleaners:

    http://www.firewallguide.com/anti-trojan.htm



    You can mark your own thread solved through Thread Tools at the top of the page.
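    The hosts-file step above (drop the MVPS file into C:\WINDOWS\SYSTEM32\DRIVERS\ETC) works because Windows consults that file before DNS and takes the first line whose name matches. As an added example that is not part of the thread and not MVPS's own installer or mvps.bat, the Python below merges a downloaded blocklist into an existing hosts file without clobbering it: the existing file and its mappings come first and win, localhost is never overridden, every blocked name is pointed at one sink address, and duplicates that differ only by case are written once. Both inputs are constructed inline; the blocklist excerpt uses the 127.0.0.1 form older lists shipped with, its domains are placeholders, and the merge rules are this example's assumptions.

```python
"""Merge a hosts-style blocklist into an existing Windows hosts file."""
from typing import List, Optional, Tuple

# Constructed sample of an existing hosts file (not the poster's real file).
EXISTING_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
192.168.1.10    printer.lan
"""

# Constructed excerpt in the one-name-per-line layout blocklists use; the
# domains are placeholders and the list deliberately contains a case-variant
# duplicate and a name that collides with a local mapping above.
BLOCKLIST = """\
# Blocklist header comment; older lists point names at 127.0.0.1
127.0.0.1  localhost
127.0.0.1  ads.example.test
127.0.0.1  tracker.example.test
127.0.0.1  ADS.EXAMPLE.TEST   # duplicate, differs only by case
127.0.0.1  printer.lan
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs in file order, one pair per hostname.

    '#' starts a comment, blank lines are skipped, one line may map several
    names to one address, and names are lower-cased because DNS names are
    case-insensitive.
    """
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 2:
            continue
        ip, names = tokens[0], tokens[1:]
        pairs.extend((ip, name.lower()) for name in names)
    return pairs


def merge_hosts(existing: str, blocklist: str, sink: str = "0.0.0.0") -> str:
    """Append the blocklist's names to an existing hosts file (assumed rules).

    - The existing file is kept verbatim and placed first, so its mappings win
      under first-match resolution.
    - 'localhost' is never taken from a blocklist.
    - Every blocked name is rewritten to one sink address. 0.0.0.0 is the
      default so a request to a blocked name fails outright instead of being
      sent to whatever listens on the local loopback port.
    - Names already present, and case-variant duplicates, are written once.
    """
    keep = {name for _, name in parse_hosts(existing)}
    keep.add("localhost")
    seen = set()
    added: List[str] = []
    for _, name in parse_hosts(blocklist):
        if name in keep or name in seen:
            continue
        seen.add(name)
        added.append(f"{sink}\t{name}")
    out = existing if existing.endswith("\n") else existing + "\n"
    out += f"\n# --- merged blocklist entries ({len(added)}) ---\n"
    out += "\n".join(added) + "\n"
    return out


def lookup(hosts_text: str, name: str) -> Optional[str]:
    """First-match resolution, the way the hosts file is consulted."""
    wanted = name.lower()
    for ip, host in parse_hosts(hosts_text):
        if host == wanted:
            return ip
    return None


if __name__ == "__main__":
    merged = merge_hosts(EXISTING_HOSTS, BLOCKLIST)
    print(merged)
    for probe in ("Printer.LAN", "ads.example.test", "nothere.test"):
        print(probe, "->", lookup(merged, probe))
```

    On Windows XP the result is written back as an administrator to C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts (no extension), and a quick `ping` of a blocked name should answer from the sink address before the file is marked read-only. The read-only attribute, which is what "lock it" in the post amounts to, only stops casual edits; anything running with the same rights can clear it, so it is a convenience, not a control.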
     
  13. love2k

    love2k Thread Starter

    Joined:
    Aug 9, 2006
    Messages:
    15
    Things seem to be working better so far.

    Again, thanks so much khazars and Cheeseball. I've taken all the precautions you've recommended, and more...

    I'll be making a donation to the site. Thank you again!
     
  14. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,009
    As this issue is resolved, I'm closing this thread. If you need it reopened, please contact me or one of the other Moderators.

    Anyone else with a similar problem, please start a new thread.
     
Short URL to this thread: https://techguy.org/491330

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice