
Solved: Trojan Help

Discussion in 'Virus & Other Malware Removal' started by Joanne4, Jan 28, 2005.

Thread Status:
Not open for further replies.
  1. Joanne4

    Joanne4 Thread Starter

    Joined:
    Jan 28, 2005
    Messages:
    21
    Please bear with me as I have no clue what I am talking about.
    My computer was left unprotected for a little while and during this time a trojan horse got into my system. Spybot can detect it but can't remove all of it, so every time I log on to the internet the virus comes back. After a while it just keeps disconnecting me from the internet. Also when I log in to MSN I start getting disconnected straight away, so I am wondering if the virus is in my MSN setup.

    So can someone please help me fix this?

    P.S. I now have Spybot, AVG Free Edition, McAfee, and Trend Micro PC-cillin on my computer. Only Spybot can pick the trojan up.
     
  2. wdm2291

    wdm2291

    Joined:
    Nov 4, 2004
    Messages:
    403
    Hi Joanne,

    Are all of your anti-malware programs up to date (AVG, Spybot, etc.)? Meaning, have you updated them from the internet lately? If not, you should.

    Also, go here and download the latest version of "Hijack This":

    http://spywareinfo.com/~merijn/files/HijackThis.exe

    Create a folder for it on your desktop called "HijackThis" prior to downloading it, and save it into there.

    Then open it and click "Do a system scan and save a logfile".

    Save that log to a Notepad file and then cut and paste that log right back here into this same thread, and someone will have a look at it; maybe it will offer more clues to your problems.


    Wayne
     
  3. mjack547

    mjack547 Malware Specialist

    Joined:
    Sep 1, 2003
    Messages:
    3,181
    One other item, Joanne4: where is the location that you are getting for the trojan horse?
     
  4. Joanne4

    Joanne4 Thread Starter

    Joined:
    Jan 28, 2005
    Messages:
    21
    Yes, I am always updating the programs from the internet. Where do I open the new folder for HijackThis?

    These are the results from Spybot. Sorry, I don't know what I am doing.

    Windows AdTools: Data (File, nothing done)
    C:\WINDOWS\system32\ide21201.vxd

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-3123544685-2554053112-3821863535-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    eBates MoneyMaker: IE menu extension (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-3123544685-2554053112-3821863535-1006\Software\Microsoft\Internet Explorer\MenuExt\Ebates

    FunWebProducts: Settings (Registry key, nothing done)
    HKEY_USERS\S-1-5-18\Software\Fun Web Products

    FunWebProducts: Settings (Registry key, nothing done)
    HKEY_USERS\S-1-5-20\Software\Fun Web Products

    FunWebProducts: Settings (Registry key, nothing done)
    HKEY_USERS\S-1-5-19\Software\Fun Web Products

    FunWebProducts: Settings (Registry key, nothing done)
    HKEY_USERS\.DEFAULT\Software\Fun Web Products


    --- Spybot - Search && Destroy version: 1.3 ---
    2004-11-29 Includes\Cookies.sbi
    2004-12-15 Includes\Dialer.sbi
    2004-12-16 Includes\Hijackers.sbi
    2004-12-15 Includes\Keyloggers.sbi
    2004-05-12 Includes\LSP.sbi
    2004-12-15 Includes\Malware.sbi
    2004-11-29 Includes\Revision.sbi
    2004-11-29 Includes\Security.sbi
    2004-12-16 Includes\Spybots.sbi
    2004-11-29 Includes\Tracks.uti
    2004-12-15 Includes\Trojans.sbi
     
  5. mjack547

    mjack547 Malware Specialist

    Joined:
    Sep 1, 2003
    Messages:
    3,181
    Click My Computer, then C:\
    In the menu bar, File->New->Folder.
    That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have a C:\HJT\ folder. Put your HijackThis.exe there, and double-click to run it.


    Click the "Scan" button. When the scan is finished the Scan button will become "Save Log"; click that and save the log.
    Go to where you saved the log and click on "Edit > Select All", then click on "Edit > Copy", then paste the log back here in a reply.
    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.

    Someone here will be happy to help you analyze the results.


    Go to Control Panel, Add/Remove Programs, and remove these if they are listed:

    WinAdTools

    FunWebProducts
     
  6. Joanne4

    Joanne4 Thread Starter

    Joined:
    Jan 28, 2005
    Messages:
    21
    Is this right?

    Logfile of HijackThis v1.99.0
    Scan saved at 00:39:43, on 29/01/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\HPConfig.exe
    C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Admanager Controller\AdManCtl.exe
    C:\Program Files\Admanager Controller\AdManKeep.exe
    C:\Program Files\Trend Micro\Internet Security\pccguide.exe
    C:\Program Files\Trend Micro\Internet Security\PCClient.exe
    C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    C:\Program Files\AOL 7.0a\aoltray.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\AOL 7.0a\waol.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe
    C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker1.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\NoteTab Light\NoteTab.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.webtvparty.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.webtvparty.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.shopnav.com/search/9886/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.myway.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.webtvparty.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webtvparty.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.webtvparty.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.webtvparty.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.shopnav.com/search/9886/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL
    O2 - BHO: (no name) - {C7141AA8-4110-4F47-ACF5-6C509313CDE7} - C:\WINDOWS\System32\klbda2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {CBED15CF-7977-4257-8471-B6747F4540ED} - (no file)
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
    O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [HPCDRW Reminder] "C:\Program Files\HP CD-Writer\support\webreg\Navbrowser.exe" /r /i "C:\Program Files\HP CD-Writer\support\webreg\NavLoad.ini"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
    O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [st-0ukk00007] c:\program files\Webdialer\st-0ukk00007.exe -m
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
    O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
    O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0a\aoltray.exe
    O4 - Global Startup: BitDefender for MSN Messenger.lnk = C:\Program Files\Softwin\BitDefender for MSN Messenger\msnmon.exe
    O4 - Global Startup: BitDefender_P2P_Startup.lnk = C:\WINDOWS\BitDefender_P2P_Startup.exe
    O4 - Global Startup: Easy-PrintToolBox.lnk = C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (HKCU)
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
    O16 - DPF: {0873478E-E67A-4876-B0A9-9A36D3AB3602} (vviewer control) - http://www.thepaymentcentre.com/build/vviewer.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDTInc/ie/bridge-c46.cab
    O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://www.makeoversolutions.com/save/makeover.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {B80F9FCE-DFDD-4A2A-8AA9-E05C6B7D4ED3} (SWToolBar Class) - http://www.smileyworld.com/toolbar/SmileyWorld.cab
    O16 - DPF: {D22AC3EF-B7D8-11D5-A281-005056BF0101} (plug Class) - http://gxb.nastydollars.com/gxplugin/gxbplug.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B5CECE4B-500F-42C8-8992-4C7D9F5816A2}: NameServer = 202.67.65.134
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVSync Manager - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    O23 - Service: HP Configuration Interface Service - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
    O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
    O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    O23 - Service: Trend Micro Personal Firewall - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    O23 - Service: Trend NT Realtime Service - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    O23 - Service: Trend Micro Proxy Service - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
     
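    A parser for the HijackThis log format posted above, added here as an example (it is not the thread's or HijackThis's own code): it splits a log into header, process list and R/F/O entries, breaks out the fields of the R, O2, O4, O16 and O17 lines, and runs on an excerpt of the posted log. The line layouts it expects are read off the log as posted here and are assumed to hold for other v1.99 logs.

```python
"""Parser for the HijackThis v1.99 log format posted above: splits a log into header,
running processes and R/F/O entries and breaks down the Rn, O2, O4, O16 and O17 lines.
Added example, not code from the thread; line layouts assumed from the log as posted."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
O4_RUN_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^(?P<hive>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[^}]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>.*)$")
O17_RE = re.compile(r"^(?P<key>.*): NameServer = (?P<servers>.*)$")

@dataclass
class HjtEntry:
    section: str                  # "R1", "O2", "O4", ...
    raw: str                      # the line as it appeared in the log
    fields: dict = field(default_factory=dict)

def parse_entry(line):
    """Return an HjtEntry for one R/F/O line, or None for any other line."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        return None
    section, body = m.groups()
    e = HjtEntry(section, line)
    if section[0] == "R":
        # Rn - HKxx\...\Main,Start Page = http://...   (the data may be empty)
        left, _, data = body.partition(" =")
        key, _, name = left.rpartition(",")
        e.fields = {"key": key, "name": name, "url": data.strip()}
    elif section == "O2" and body.startswith("BHO: "):
        # O2 - BHO: <name> - {CLSID} - <dll path>; pad so a short line still unpacks
        parts = (body[5:].split(" - ", 2) + ["", ""])[:3]
        e.fields = dict(zip(("name", "clsid", "path"), parts))
    elif section == "O4":
        m4 = O4_RUN_RE.match(body) or O4_STARTUP_RE.match(body)
        e.fields = m4.groupdict() if m4 else {}
    elif section == "O16":
        m16 = O16_RE.match(body)
        e.fields = m16.groupdict() if m16 else {}
    elif section == "O17":
        m17 = O17_RE.match(body)
        if m17:
            e.fields = {"key": m17["key"],
                        "servers": [s.strip() for s in m17["servers"].split(",")]}
    return e

def parse_log(text):
    """Split a whole log into header lines, running processes and parsed entries."""
    header, processes, entries = [], [], []
    in_procs = False
    for raw in text.splitlines():
        s = raw.strip()
        if s == "Running processes:":
            in_procs = True
        elif in_procs:
            if s:
                processes.append(s)
            else:
                in_procs = False      # a blank line ends the process list
        else:
            e = parse_entry(s)
            if e:
                entries.append(e)
            elif s:
                header.append(s)
    return {"header": header, "processes": processes, "entries": entries}

def referenced_hosts(entries):
    """Hosts named by IE URL settings (R lines) and downloaded controls (O16)."""
    hosts = set()
    for e in entries:
        url = e.fields.get("url") or ""
        if url.startswith(("http://", "https://")):
            hosts.add(urlparse(url).hostname)
    return sorted(hosts)

def nameservers(entries):
    """Every DNS server set through an O17 entry."""
    return [s for e in entries if e.section == "O17" for s in e.fields.get("servers", [])]

# Excerpt of the log posted above, used as sample input.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.webtvparty.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {C7141AA8-4110-4F47-ACF5-6C509313CDE7} - C:\WINDOWS\System32\klbda2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDTInc/ie/bridge-c46.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5CECE4B-500F-42C8-8992-4C7D9F5816A2}: NameServer = 202.67.65.134
"""
```

    Grouping the parsed entries by section and listing the hosts and DNS servers they point at gives a reviewer the same overview a helper builds by hand from a posted log.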
  7. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Hi Joanne4, Welcome to TSG!!

    You need to get down to one anti-virus program. Decide which one you want to keep and remove the other or take it out of startup.

    Download AdAware SE Personal: http://www.lavasoftusa.com/support/download/

    Install the program and launch it.

    On the bottom right-hand corner of the main window click on Check for updates now, then click Connect and download the latest reference files.

    In the main window: Click Start and under Select a scan Mode tick Perform full system scan.

    Deselect Search for negligible risk entries.

    To start the scan, click the Next button.

    When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and then click Next)

    Reboot and post another log.
     
  8. Joanne4

    Joanne4 Thread Starter

    Joined:
    Jan 28, 2005
    Messages:
    21
    Here it is:

    Ad-Aware SE Build 1.05
    Logfile Created on:31 January 2005 11:14:23
    Created with Ad-Aware SE Personal, free for private use.
    Using definitions file:SE1R26 25.01.2005
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    References detected during the scan:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Adsincontext(TAC index:6):1 total references
    BargainBuddy(TAC index:8):4 total references
    Gigatech Superbar(TAC index:5):2 total references
    ShopNav Hijacker(TAC index:8):3 total references
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Ad-Aware SE Settings
    ===========================
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep-scan registry
    Set : Scan my IE Favorites for banned URLs
    Set : Scan my Hosts file

    Extended Ad-Aware SE Settings
    ===========================
    Set : Unload recognized processes & modules during scan
    Set : Scan registry for all users instead of current user only
    Set : Always try to unload modules before deletion
    Set : During removal, unload Explorer and IE if necessary
    Set : Let Windows remove files in use at next reboot
    Set : Delete quarantined objects after restoring
    Set : Include basic Ad-Aware settings in log file
    Set : Include additional Ad-Aware settings in log file
    Set : Include reference summary in log file
    Set : Include alternate data stream details in log file
    Set : Play sound at scan completion if scan locates critical objects


    31-01-2005 11:14:23 - Scan started. (Full System Scan)

    Listing running processes
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    #:1 [smss.exe]
    FilePath : \SystemRoot\System32\
    ProcessID : 572
    ThreadCreationTime : 31-01-2005 11:11:05
    BasePriority : Normal


    #:2 [csrss.exe]
    FilePath : \??\C:\WINDOWS\system32\
    ProcessID : 624
    ThreadCreationTime : 31-01-2005 11:11:12
    BasePriority : Normal


    #:3 [winlogon.exe]
    FilePath : \??\C:\WINDOWS\system32\
    ProcessID : 648
    ThreadCreationTime : 31-01-2005 11:11:15
    BasePriority : High


    #:4 [services.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 692
    ThreadCreationTime : 31-01-2005 11:11:19
    BasePriority : Normal
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Services and Controller app
    InternalName : services.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : services.exe

    #:5 [lsass.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 704
    ThreadCreationTime : 31-01-2005 11:11:19
    BasePriority : Normal
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : LSA Shell (Export Version)
    InternalName : lsass.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : lsass.exe

    #:6 [svchost.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 864
    ThreadCreationTime : 31-01-2005 11:11:25
    BasePriority : Normal
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:7 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 908
    ThreadCreationTime : 31-01-2005 11:11:26
    BasePriority : Normal
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:8 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 1036
    ThreadCreationTime : 31-01-2005 11:11:28
    BasePriority : Normal
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:9 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 1060
    ThreadCreationTime : 31-01-2005 11:11:28
    BasePriority : Normal
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:10 [spoolsv.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 1236
    ThreadCreationTime : 31-01-2005 11:11:31
    BasePriority : Normal
    FileVersion : 5.1.2600.0 (XPClient.010817-1148)
    ProductVersion : 5.1.2600.0
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Spooler SubSystem App
    InternalName : spoolsv.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : spoolsv.exe

    #:11 [hpconfig.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 1360
    ThreadCreationTime : 31-01-2005 11:11:32
    BasePriority : Normal
    FileVersion : 3, 0, 1, 8
    ProductVersion : 3, 0, 1, 8
    ProductName : HPConfig Module
    CompanyName : Hewlett-Packard
    FileDescription : HPConfig Module
    InternalName : HPConfig
    LegalCopyright : Hewlett-Packard Copyright (C) 1999-2002
    OriginalFilename : HPConfig.EXE
    Comments : HP Configuration Interface Service

    #:12 [hpwirelessmgr.exe]
    FilePath : C:\Program Files\HPQ\Notebook Utilities\
    ProcessID : 1392
    ThreadCreationTime : 31-01-2005 11:11:32
    BasePriority : Normal
    FileVersion : 1, 0, 0, 6
    ProductVersion : 1, 0, 0, 6
    ProductName : HPWirelessMgr Module
    CompanyName : Hewlett-Packard Co.
    FileDescription : HPWirelessMgr Module
    InternalName : HPWirelessMgr
    LegalCopyright : Hewlett-Packard Copyright 2002
    OriginalFilename : HPWirelessMgr.EXE
    Comments : HP Wireless On/Off Button Service

    #:13 [mdm.exe]
    FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7Debug\
    ProcessID : 1428
    ThreadCreationTime : 31-01-2005 11:11:32
    BasePriority : Normal
    FileVersion : 7.00.9064.9150
    ProductVersion : 7.00.9064.9150
    ProductName : Microsoft Development Environment
    CompanyName : Microsoft Corporation
    FileDescription : Machine Debug Manager
    InternalName : mdm.exe
    LegalCopyright : Copyright (C) Microsoft Corp. 1997-2000
    OriginalFilename : mdm.exe

    #:14 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 1472
    ThreadCreationTime : 31-01-2005 11:11:33
    BasePriority : Normal
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:15 [wanmpsvc.exe]
    FilePath : C:\WINDOWS\
    ProcessID : 1508
    ThreadCreationTime : 31-01-2005 11:11:34
    BasePriority : Normal
    FileVersion : 7, 0, 0, 2
    ProductVersion : 7, 0, 0, 2
    ProductName : America Online
    CompanyName : America Online, Inc.
    FileDescription : Wan Miniport (ATW) Service
    InternalName : WanMPSvc
    LegalCopyright : Copyright © 2001 America Online, Inc.
    OriginalFilename : WanMPSvc.exe

    #:16 [explorer.exe]
    FilePath : C:\WINDOWS\
    ProcessID : 1808
    ThreadCreationTime : 31-01-2005 11:12:14
    BasePriority : Normal
    FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion : 6.00.2800.1106
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : EXPLORER.EXE

    #:17 [carpserv.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 1936
    ThreadCreationTime : 31-01-2005 11:12:26
    BasePriority : Normal
    FileVersion : 5.03.09.00
    ProductVersion : 5.03.09.00
    ProductName : Conexant carpserv
    CompanyName : Conexant Systems
    FileDescription : carpserv
    InternalName : carpserv
    LegalCopyright : Copyright© Conexant Systems, Inc. 2002
    OriginalFilename : carpserv.exe

    #:18 [wuauclt.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 1964
    ThreadCreationTime : 31-01-2005 11:12:27
    BasePriority : Normal
    FileVersion : 5.4.3790.2182 built by: srv03_rtm(ntvbl04)
    ProductVersion : 5.4.3790.2182
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Automatic Updates
    InternalName : wuauclt.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : wuauclt.exe

    #:19 [onetouch.exe]
    FilePath : C:\PROGRA~1\HPQ\ONE-TO~1\
    ProcessID : 2044
    ThreadCreationTime : 31-01-2005 11:12:29
    BasePriority : Normal
    FileVersion : 1.6.3.0
    ProductVersion : 1.6.3.0
    ProductName : Dritek System Inc. OneTouch 10.05.2002 ( VC60 )
    CompanyName : Dritek System Inc.
    FileDescription : One-Touch
    InternalName : OneTouch
    LegalCopyright : Copyright © 2002 Dritek System Inc.
    OriginalFilename : OneTouch.exe

    #:20 [syntplpr.exe]
    FilePath : C:\Program Files\Synaptics\SynTP\
    ProcessID : 160
    ThreadCreationTime : 31-01-2005 11:12:29
    BasePriority : Normal
    FileVersion : 6.7.4 09Sep02
    ProductVersion : 6.7.4 09Sep02
    ProductName : Progressive Touch
    CompanyName : Synaptics, Inc.
    FileDescription : TouchPad Driver Helper Application
    InternalName : SynTPLpr
    LegalCopyright : Copyright (C) Synaptics, Inc. 1996-2002
    OriginalFilename : SynTPLpr.exe

    #:21 [syntpenh.exe]
    FilePath : C:\Program Files\Synaptics\SynTP\
    ProcessID : 168
    ThreadCreationTime : 31-01-2005 11:12:29
    BasePriority : Normal
    FileVersion : 6.7.4 09Sep02
    ProductVersion : 6.7.4 09Sep02
    ProductName : Progressive Touch
    CompanyName : Synaptics, Inc.
    FileDescription : Synaptics TouchPad Enhancements
    InternalName : Scrolleroo
    LegalCopyright : Copyright (C) Synaptics, Inc. 1996-2002
    OriginalFilename : SynTPEnh.exe

    #:22 [winampa.exe]
    FilePath : C:\Program Files\Winamp\
    ProcessID : 204
    ThreadCreationTime : 31-01-2005 11:12:30
    BasePriority : Normal


    #:23 [directcd.exe]
    FilePath : C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\
    ProcessID : 248
    ThreadCreationTime : 31-01-2005 11:12:31
    BasePriority : Normal
    FileVersion : 5.3.5.10
    ProductVersion : 5.3.5.10
    ProductName : DirectCD
    CompanyName : Roxio
    FileDescription : DirectCD Application
    InternalName : DirectCD
    LegalCopyright : Copyright (c) 2001-2003, Roxio, Inc.
    OriginalFilename : Directcd.exe

    #:24 [realplay.exe]
    FilePath : C:\Program Files\Real\RealPlayer\
    ProcessID : 240
    ThreadCreationTime : 31-01-2005 11:12:34
    BasePriority : Normal
    FileVersion : 6.0.9.584
    ProductVersion : 6.0.9.584
    ProductName : RealPlayer (32-bit)
    CompanyName : RealNetworks, Inc.
    FileDescription : RealPlayer
    InternalName : REALPLAY
    LegalCopyright : Copyright © RealNetworks, Inc. 1995-2000
    LegalTrademarks : RealAudio(tm) is a trademark of RealNetworks, Inc.
    OriginalFilename : REALPLAY.EXE

    #:25 [d066uuty.exe]
    FilePath : C:\WINDOWS\TWAIN_32\D66U\
    ProcessID : 276
    ThreadCreationTime : 31-01-2005 11:12:34
    BasePriority : Normal


    #:26 [ctfmon.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 288
    ThreadCreationTime : 31-01-2005 11:12:35
    BasePriority : Normal
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : CTF Loader
    InternalName : CTFMON
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : CTFMON.EXE

    #:27 [msnmsgr.exe]
    FilePath : C:\Program Files\MSN Messenger\
    ProcessID : 296
    ThreadCreationTime : 31-01-2005 11:12:36
    BasePriority : Normal
    FileVersion : 6.2.0137
    ProductVersion : Version 6.2
    ProductName : MSN Messenger
    CompanyName : Microsoft Corporation
    FileDescription : MSN Messenger
    InternalName : msnmsgr
    LegalCopyright : Copyright (c) Microsoft Corporation 1997-2004
    LegalTrademarks : Microsoft(R) is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
    OriginalFilename : msnmsgr.exe

    #:28 [aoltray.exe]
    FilePath : C:\Program Files\AOL 7.0a\
    ProcessID : 408
    ThreadCreationTime : 31-01-2005 11:12:46
    BasePriority : Normal
    FileVersion : 7.00.000
    ProductVersion : 7.00.000
    ProductName : America Online
    CompanyName : America Online, Inc.
    FileDescription : AOL Tray Icon
    InternalName : AolTray
    LegalCopyright : Copyright (C) America Online, Inc. 1999 - 2001

    #:29 [wuauclt.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 1196
    ThreadCreationTime : 31-01-2005 11:13:17
    BasePriority : Normal
    FileVersion : 5.4.3790.2182 built by: srv03_rtm(ntvbl04)
    ProductVersion : 5.4.3790.2182
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Automatic Updates
    InternalName : wuauclt.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : wuauclt.exe

    #:30 [ad-aware.exe]
    FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
    ProcessID : 1684
    ThreadCreationTime : 31-01-2005 11:14:05
    BasePriority : Normal
    FileVersion : 6.2.0.206
    ProductVersion : VI.Second Edition
    ProductName : Lavasoft Ad-Aware SE
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-Aware SE Core application
    InternalName : Ad-Aware.exe
    LegalCopyright : Copyright © Lavasoft Sweden
    OriginalFilename : Ad-Aware.exe
    Comments : All Rights Reserved

    Memory scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 0


    Started registry scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Registry Scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 0


    Started deep registry scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Deep registry scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 0


    Started Tracking Cookie scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


    Tracking cookie scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 0



    Deep scanning and examining files (C:)
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    ShopNav Hijacker Object Recognized!
    Type : File
    Data : A0049956.exe
    Category : Malware
    Comment :
    Object : C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP277\



    ShopNav Hijacker Object Recognized!
    Type : File
    Data : A0049957.exe
    Category : Malware
    Comment :
    Object : C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP277\



    Adsincontext Object Recognized!
    Type : File
    Data : A0049958.dll
    Category : Malware
    Comment :
    Object : C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP277\
    FileVersion : 1,0,617
    ProductVersion : 1,0,617


    ShopNav Hijacker Object Recognized!
    Type : File
    Data : A0049959.exe
    Category : Malware
    Comment :
    Object : C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP277\
    FileVersion : 6.0.1.2
    ProductVersion : 6.0.1.2
    ProductName : setup
    CompanyName : Indigo Rose Corporation http://www.indigorose.com
    FileDescription : Setup Factory 6.0 Setup Launcher
    InternalName : setup
    LegalCopyright : Copyright © 2001 - 2002 Indigo Rose Corporation
    LegalTrademarks : Setup Factory is a trademark of Indigo Rose Corporation.
    OriginalFilename : setup.exe
    Comments : This setup code is the property of Indigo Rose Corporation


    Gigatech Superbar Object Recognized!
    Type : File
    Data : A0049960.dll
    Category : Data Miner
    Comment :
    Object : C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP277\
    FileVersion : 3,0,0,190
    ProductVersion : 3,0,0,190
    ProductName : SuperBar Dynamic Link Library
    FileDescription : SuperBar Dynamic Link Library
    InternalName : SuperBar IE Plugin
    LegalCopyright : Copyright (C) 2002-2003, Gigatech Software
    OriginalFilename : SuperBar.dll


    Gigatech Superbar Object Recognized!
    Type : File
    Data : A0049961.dll
    Category : Data Miner
    Comment :
    Object : C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP277\
    FileVersion : 1.0.0.110
    ProductVersion : 1.0.0.110
    ProductName : SuperBar IE Plugin
    CompanyName : Gigatech Software
    FileDescription : SuperBar IE Plugin
    InternalName : SuperBarExts.dll
    LegalCopyright : Copyright (C) 2002-2003, Gigatech Software
    OriginalFilename : SuperBarExts.dll


    BargainBuddy Object Recognized!
    Type : File
    Data : A0049962.exe
    Category : Malware
    Comment :
    Object : C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP277\
    FileVersion : 1, 0, 0, 4
    ProductVersion : 1, 0, 0, 4
    ProductName : Download Module
    CompanyName : eXact Advertising
    FileDescription : Download Module
    InternalName : Download Utility
    LegalCopyright : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
    OriginalFilename : exdl.exe


    BargainBuddy Object Recognized!
    Type : File
    Data : A0049963.dll
    Category : Malware
    Comment :
    Object : C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP277\
    FileVersion : 2, 0, 0, 15
    ProductVersion : 2, 0, 0, 15
    ProductName : apuc Module
    CompanyName : eXact Advertising
    FileDescription : apuc Module
    InternalName : apuc
    LegalCopyright : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
    OriginalFilename : apuc.DLL


    BargainBuddy Object Recognized!
    Type : File
    Data : A0049964.dll
    Category : Malware
    Comment :
    Object : C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP277\
    FileVersion : 2, 0, 0, 15
    ProductVersion : 2, 0, 0, 15
    ProductName : apuc Module
    CompanyName : eXact Advertising
    FileDescription : cb.dll Module
    InternalName : cb.dll
    LegalCopyright : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
    OriginalFilename : cb.dll


    BargainBuddy Object Recognized!
    Type : File
    Data : A0049965.dll
    Category : Malware
    Comment :
    Object : C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP277\
    FileVersion : 2, 0, 0, 15
    ProductVersion : 2, 0, 0, 15
    ProductName : nls.dll Module
    CompanyName : eXact Advertising
    FileDescription : nls.dll Module
    InternalName : nls.dll
    LegalCopyright : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
    OriginalFilename : nls.dll


    Disk Scan Result for C:\
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 10


    Scanning Hosts file......
    Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Hosts file scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    1 entries scanned.
    New critical objects:0
    Objects found so far: 10




    Performing conditional scans...
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Conditional scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 10

    11:36:04 Scan Complete

    Summary Of This Scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Total scanning time:00:21:41.412
    Objects scanned:196247
    Objects identified:10
    Objects ignored:0
    New critical objects:10
     
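Every object Ad-Aware reported in the log above sits under C:\System Volume Information\_restore{...}\RP277\, that is, inside a System Restore point rather than in a live location; the scanner can report files there but cannot clean them, which is what the System Restore off/on step in the next reply addresses. As an added example, not part of the thread and not Lavasoft's code, the Python below parses the "Object Recognized!" blocks of an Ad-Aware SE log and splits the findings into live objects and restore-point copies. Three blocks are copied from the log above; the "Hypothetical Adware" block is constructed so the live branch is exercised too.

```python
"""Separate Ad-Aware SE findings in System Restore points from live ones.

Added example for this thread; not Lavasoft's code, and it touches nothing on
disk. It parses the "<name> Object Recognized!" blocks Ad-Aware SE writes and
checks each Object path against the restore-point tree
(System Volume Information\\_restore{GUID}\\RPnnn\\). A finding there is only
cleared by purging restore points, not by the scanner's own removal.
"""
import re
from collections import defaultdict

# Restore-point copy: ...\System Volume Information\_restore{GUID}\RP<n>\
RESTORE_POINT = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]{36}\}\\RP(\d+)\\", re.I
)
FIELD = re.compile(r"^(\w+) :\s*(.*)$")  # e.g. "Object : C:\...\RP277\"


def parse_findings(log_text):
    """Return one dict per 'Object Recognized!' block (field names lower-cased)."""
    findings, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.endswith(" Object Recognized!"):
            current = {"name": line[: -len(" Object Recognized!")]}
            findings.append(current)
        elif not line:
            current = None  # a blank line closes the block
        elif current is not None:
            m = FIELD.match(line)
            if m:
                current[m.group(1).lower()] = m.group(2)
    return findings


def split_by_location(findings):
    """Return (live, by_restore_point): live findings, plus restore-point findings keyed by RP number."""
    live, by_rp = [], defaultdict(list)
    for f in findings:
        m = RESTORE_POINT.search(f.get("object", ""))
        if m:
            by_rp[int(m.group(1))].append(f)
        else:
            live.append(f)
    return live, dict(by_rp)


def summarize(log_text):
    """Compact view: (name, data) pairs, live vs. per restore point."""
    live, by_rp = split_by_location(parse_findings(log_text))
    return {
        "live": [(f["name"], f.get("data")) for f in live],
        "restore_points": {
            rp: [(f["name"], f.get("data")) for f in fs] for rp, fs in by_rp.items()
        },
    }


# Three blocks copied from the log in this thread plus one CONSTRUCTED live
# finding ("Hypothetical Adware", not a real product) to exercise both branches.
SAMPLE_LOG = r"""
Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

ShopNav Hijacker Object Recognized!
Type : File
Data : A0049956.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP277\

Adsincontext Object Recognized!
Type : File
Data : A0049958.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP277\
FileVersion : 1,0,617

BargainBuddy Object Recognized!
Type : File
Data : A0049962.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP277\
CompanyName : eXact Advertising
OriginalFilename : exdl.exe

Hypothetical Adware Object Recognized!
Type : File
Data : sample.dll
Category : Malware
Comment :
Object : C:\Program Files\Hypothetical\

Disk Scan Result for C:\
New critical objects: 0
Objects found so far: 4
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run against the full log from the thread, the "live" list comes back empty and everything lands under restore point 277, which is the case where purging restore points is the whole fix; a non-empty "live" list means there is still something for the scanner or a manual step to remove first.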
  9. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Now turn off System Restore:

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    Restart your computer, turn System Restore back on and create a restore point.

    To create a restore point:

    Single-click Start and point to All Programs.
    Mouse over Accessories, then System Tools, and select System Restore.
    In the System Restore wizard, select the box next to the text labelled "Create a restore point" and click the Next button.
    Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

    Reboot and post a current HJT log.
     
  10. Joanne4

    Joanne4 Thread Starter

    Joined:
    Jan 28, 2005
    Messages:
    21
    When I do this will I lose any of the files on my computer? Because I haven't got any of my files backed up. :(
     
  11. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    No. All you are doing is setting a new restore point, so if things go bad you can go back to this point. Also, you have some items in System Restore that you don't want, so to remove them you set a new restore point.

    Here's a tutorial on the subject: http://www.bleepingcomputer.com/forums/tutorial56.html
     
  12. Joanne4

    Joanne4 Thread Starter

    Joined:
    Jan 28, 2005
    Messages:
    21
    here we go

    Logfile of HijackThis v1.99.0
    Scan saved at 09:28:19, on 01/02/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\HPConfig.exe
    C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\carpserv.exe
    C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\AOL 7.0a\aoltray.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\AOL 7.0a\waol.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.webtvparty.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.webtvparty.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.myway.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.webtvparty.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webtvparty.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.webtvparty.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.webtvparty.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {CBED15CF-7977-4257-8471-B6747F4540ED} - (no file)
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
    O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [HPCDRW Reminder] "C:\Program Files\HP CD-Writer\support\webreg\Navbrowser.exe" /r /i "C:\Program Files\HP CD-Writer\support\webreg\NavLoad.ini"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
    O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
    O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\daxe\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [st-0ukk00007] c:\program files\Webdialer\st-0ukk00007.exe -m
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
    O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0a\aoltray.exe
    O4 - Global Startup: BitDefender for MSN Messenger.lnk = C:\Program Files\Softwin\BitDefender for MSN Messenger\msnmon.exe
    O4 - Global Startup: BitDefender_P2P_Startup.lnk = C:\WINDOWS\BitDefender_P2P_Startup.exe
    O4 - Global Startup: Easy-PrintToolBox.lnk = C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
    O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://www.makeoversolutions.com/save/makeover.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {B80F9FCE-DFDD-4A2A-8AA9-E05C6B7D4ED3} (SWToolBar Class) - http://www.smileyworld.com/toolbar/SmileyWorld.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B5CECE4B-500F-42C8-8992-4C7D9F5816A2}: NameServer = 202.67.65.134
    O23 - Service: HP Configuration Interface Service - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
    O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
    O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
     
  13. crushbone

    crushbone

    Joined:
    Aug 5, 2004
    Messages:
    1,137
    Hello Joanne4! :D

    Open Task Manager (ctrl+alt+delete) and choose the "Processes" tab.
    Find and "End Process" the following process:
    AdManCtl.exe

    Turn off System Restore by right-clicking on My Computer and choosing "Properties". Click on the "System Restore" tab and put a tick next to "Turn System Restore off". Click "OK".

    Go to My Computer and click on "Tools" then "Folder Options". Click on the "View" tab and make sure that "Show hidden files and folders" is enabled. Click "OK".

    Find and delete the following folder:
    C:\Program Files\Admanager Controller

    Run HijackThis and fix the following entries:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.webtvparty.com/search.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.webtvparty.com/searchbar.html

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.myway.com

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.webtvparty.com/searchbar.html

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webtvparty.com/search.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.webtvparty.com/searchbar.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.webtvparty.com/searchbar.html

    O3 - Toolbar: (no name) - {CBED15CF-7977-4257-8471-B6747F4540ED} - (no file)

    O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe

    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)


    Close HijackThis and run it again to make sure everything that you fixed is removed.

    Restart your computer and post a fresh HijackThis log back on this thread.
     
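crushbone's fix list above was produced by reading the HijackThis log by eye. Most of it can be reached with a few structural rules, which is the point of this added example: it is not HijackThis code, it changes nothing on the machine, and it only applies rules to the text of the log. The baseline host for the R0/R1 rule is taken from the O14 IERESET.INF line, which is the IE reset default HijackThis reports for the machine; everything else is a pattern on the line itself. The rules pick up the seven R0/R1 entries, the orphaned O3 toolbar and the Ebates O9 button in crushbone's list; they do not pick up the Admanager Controller O4 entry, because recognising that one needs product knowledge rather than a structural test. Sample lines are copied from the log in this thread.

```python
"""Rule-based triage of a HijackThis v1.99 log.

Added example for this thread, not HijackThis code. Five explicit rules:
  1. R0/R1 start/search URLs whose host differs from the IE reset default
     reported on the O14 IERESET.INF line
  2. O3/O9 objects that reference "(no file)" or "(file missing)"
  3. O4 Run/RunOnce entries launched from a Temp or local-settings path
  4. O16 DPF ActiveX downloads (listed for review, not judged)
  5. O17 NameServer overrides (listed for review against the ISP's DNS)
"""
import re
from urllib.parse import urlparse

R_LINE = re.compile(r"^(R[01]) - (HK\w+)\\(.+?),(.+?) =\s*(.*)$")
CLSID_LINE = re.compile(r"^(O[39]) - .*?\{([0-9A-Fa-f-]{36})\} - (.*)$")
O4_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[(.+?)\] (.*)$")
O14_LINE = re.compile(r"^O14 - IERESET\.INF: START_PAGE_URL=(\S+)")
O16_LINE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]{36}\} \((.+?)\) - (\S+)")
O17_LINE = re.compile(r"^O17 - .*NameServer = (.+)$")

TEMP_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\")
MISSING_MARKERS = ("(no file)", "(file missing)")


def host_of(url):
    """Lower-cased host of a URL, or '' for non-URL values such as a window title."""
    return (urlparse(url.strip()).hostname or "").lower()


def reset_host(lines):
    """Baseline host from the O14 IERESET.INF line, or None if the log has none."""
    for line in lines:
        m = O14_LINE.match(line.strip())
        if m:
            return host_of(m.group(1))
    return None


def triage(log_text):
    """Return (rule, subject, detail) tuples for the lines worth a look."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    baseline = reset_host(lines)
    findings = []
    for line in lines:
        m = R_LINE.match(line)
        if m:  # rule 1: start/search URL pointing away from the reset default
            hive, value_name, url = m.group(2), m.group(4), m.group(5).strip()
            host = host_of(url)
            if host and host != baseline:
                findings.append(("browser-hijack", f"{hive} {value_name}", url))
            continue
        m = CLSID_LINE.match(line)
        if m:  # rule 2: registered COM object whose file is gone
            if any(t in m.group(3) for t in MISSING_MARKERS):
                findings.append(("orphaned-object", m.group(2).upper(), line))
            continue
        m = O4_LINE.match(line)
        if m:  # rule 3: autorun from a temporary location
            name, command = m.group(3), m.group(4)
            if any(t in command.lower() for t in TEMP_MARKERS):
                findings.append(("autorun-from-temp", name, command))
            continue
        m = O16_LINE.match(line)
        if m:  # rule 4: every ActiveX download is listed for review
            findings.append(("activex-download", m.group(1), m.group(2)))
            continue
        m = O17_LINE.match(line)
        if m:  # rule 5: hard-coded DNS server
            findings.append(("dns-override", "NameServer", m.group(1).strip()))
    return findings


# Lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.webtvparty.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.webtvparty.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.myway.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.webtvparty.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webtvparty.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.webtvparty.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.webtvparty.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {CBED15CF-7977-4257-8471-B6747F4540ED} - (no file)
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\daxe\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\Run: [st-0ukk00007] c:\program files\Webdialer\st-0ukk00007.exe -m
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://www.makeoversolutions.com/save/makeover.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5CECE4B-500F-42C8-8992-4C7D9F5816A2}: NameServer = 202.67.65.134
"""

if __name__ == "__main__":
    for rule, subject, detail in triage(SAMPLE_LOG):
        print(f"{rule:18} {subject:45} {detail}")
```

Rules 4 and 5 deliberately list rather than judge: the O16 HouseCall entry in the full log is Trend Micro's own online scanner, and an O17 NameServer is only suspicious if it is not the ISP's resolver, so both need a human comparison. The RunOnce DELDIR0.EXE hit from rule 3 is a McAfee uninstall cleanup step, which is exactly the kind of thing the rule should surface for a quick look and then be dismissed.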
  14. Joanne4

    Joanne4 Thread Starter

    Joined:
    Jan 28, 2005
    Messages:
    21
    In Task Manager I can't find AdManCtl.exe. I can find lots of other things in there but not AdManCtl.exe. :confused: So do I just go on to complete the next steps?
     
  15. crushbone

    crushbone

    Joined:
    Aug 5, 2004
    Messages:
    1,137
    Yes, complete the rest of the steps.
     
Short URL to this thread: https://techguy.org/324258