
Spyware? redirecting search engine results

Discussion in 'Virus & Other Malware Removal' started by yatchie, Jan 24, 2006.

Thread Status:
Not open for further replies.
  1. yatchie

    yatchie Thread Starter

    Joined:
    Apr 27, 2005
    Messages:
    18
    When using Internet Explorer, my search engine results are being redirected to different sites when I click the link through Google, etc. Of course, this does not seem to be a problem when I use Firefox, which I should have been using all along. Anyway, I have run AVG, Spybot, Ad-Aware, CWShredder, and the TrendMicro Anti-spyware tool, but none have gotten rid of the problem. Here's my HijackThis log. Any help would be greatly appreciated. Thanks!

    Logfile of HijackThis v1.99.0
    Scan saved at 3:18:59 PM, on 1/24/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Linksys\Odyssey Client for Linksys\odClientService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\apache2triad\bin\apache.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
    C:\apache2triad\mysql\bin\mysqld.exe
    C:\apache2triad\ftp\SlimFTPd.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\apache2triad\mail\bin\XMail.exe
    C:\apache2triad\bin\apache.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\toshiba\sysstability\tsyssmon.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\WINDOWS\System32\Wnex7DO.exe
    C:\Program Files\Linksys\Odyssey Client for Linksys\OdTray.exe
    C:\Program Files\Movielink\MovielinkManager\Movielink User.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
    C:\Program Files\Trend Micro\Tmas\Tmas.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\Program Files\EditPlus 2\editplus.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\Documents and Settings\Denise\Desktop\HijackThis.exe

    O23 - Service: Movielink Core Service - Movielink LLC - C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
    O23 - Service: Apache2Triad MySql Service - Unknown - C:\apache2triad\mysql\bin\mysqld.exe
    O23 - Service: Odyssey Client - Funk Software, Inc. - C:\Program Files\Linksys\Odyssey Client for Linksys\odClientService.exe
    O23 - Service: Apache2Triad PostgreSQL Service - PostgreSQL Global Development Group - C:\apache2triad\pgsql\bin\pg_ctl.exe
    O23 - Service: Apache2Triad SlimFTPd Server - Unknown - C:\apache2triad\ftp\SlimFTPd.exe
    O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: Apache2Triad Xmail Service - Unknown - C:\apache2triad\mail\bin\XMail.exe
     
  2. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    You did not post the entire log

    Open the log in notepad

    EDIT - SELECT ALL
    EDIT - COPY

    Then come to this message, and in the quick reply box click in the white space and then EDIT - PASTE

    Plus that is a slightly old version

    Click here to download HJTsetup.exe: http://www.thespykiller.co.uk/files/HJTSetup.exe
    Save HJTsetup.exe to your desktop.

    Double click on the HJTsetup.exe icon on your desktop.
    By default it will install to C:\Program Files\Hijack This.
    Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
    Put a check by Create a desktop icon then click Next again.
    Continue to follow the rest of the prompts from there.
    At the final dialogue box click Finish and it will launch Hijack This.
    Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
    Click Save to save the log file and then the log will open in notepad.
    Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    Come back here to this thread and Paste the log in your next reply.
    DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
     
  3. yatchie

    yatchie Thread Starter

    Joined:
    Apr 27, 2005
    Messages:
    18
    Sorry, here's the entire log with the new HJT version.

    Logfile of HijackThis v1.99.1
    Scan saved at 3:33:17 PM, on 1/24/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Linksys\Odyssey Client for Linksys\odClientService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\apache2triad\bin\apache.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
    C:\apache2triad\mysql\bin\mysqld.exe
    C:\apache2triad\ftp\SlimFTPd.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\apache2triad\mail\bin\XMail.exe
    C:\apache2triad\bin\apache.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\toshiba\sysstability\tsyssmon.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\WINDOWS\System32\Wnex7DO.exe
    C:\Program Files\Linksys\Odyssey Client for Linksys\OdTray.exe
    C:\Program Files\Movielink\MovielinkManager\Movielink User.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
    C:\Program Files\Trend Micro\Tmas\Tmas.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\Program Files\EditPlus 2\editplus.exe
    C:\Documents and Settings\Denise\Desktop\HijackThis.exe
    C:\Program Files\Microsoft Office\Office\EXCEL.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mail.yahoo.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [Watcher-WatchDog] C:\WINDOWS\System32\Wnex7DO.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Linksys\Odyssey Client for Linksys\OdTray.exe"
    O4 - HKLM\..\Run: [LoadMSvcmm] "C:\Program Files\Movielink\MovielinkManager\Movielink User.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
    O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137719494373
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137719478781
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: jkhhe - C:\WINDOWS\System32\jkhhe.dll (file missing)
    O21 - SSODL: IntegrityChecker - {D11B6F5D-7528-47E6-B711-9B80F2CAD7E1} - C:\WINDOWS\System32\tpsiorec.dll
    O23 - Service: Apache2Triad Apache2 Service (Apache2) - Unknown owner - C:\apache2triad\bin\apache.exe" -n Apache2 -k runservice (file missing)
    O23 - Service: Apache2Triad Apache2 Service with SSL (Apache2SSL) - Unknown owner - C:\apache2triad\bin\apache.exe" -D SSL -n Apache2SSL -k runservice (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Movielink Core Service - Movielink LLC - C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
    O23 - Service: Apache2Triad MySql Service (MySql) - Unknown owner - C:\apache2triad\mysql\bin\mysqld.exe
    O23 - Service: Odyssey Client (odClientService) - Funk Software, Inc. - C:\Program Files\Linksys\Odyssey Client for Linksys\odClientService.exe
    O23 - Service: Apache2Triad PostgreSQL Service (PgSql) - Unknown owner - C:\apache2triad\pgsql\bin\pg_ctl.exe" runservice -N PgSql -D C:\apache2triad\pgsql\data\ (file missing)
    O23 - Service: Apache2Triad SlimFTPd Server (SlimFTPd) - Unknown owner - C:\apache2triad\ftp\SlimFTPd.exe" -service (file missing)
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: Apache2Triad Xmail Service (XMail) - Unknown owner - C:\apache2triad\mail\bin\XMail.exe
     
  4. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Go to the link below and download the trial version of SpySweeper:

    SpySweeper http://www.webroot.com/consumer/products/spysweeper/index.html?acode=af1&rc=4129&ac=tsg

    * Click the Free Trial link under "SpySweeper" to download the program.
    * Install it. Once the program is installed, it will open.
    * It will prompt you to update to the latest definitions, click Yes.
    * Once the definitions are installed, click Options on the left side.
    * Click the Sweep Options tab.
    * Under What to Sweep please put a check next to the following:
    o Sweep Memory
    o Sweep Registry
    o Sweep Cookies
    o Sweep All User Accounts
    o Enable Direct Disk Sweeping
    o Sweep Contents of Compressed Files
    o Sweep for Rootkits

    o Please UNCHECK Do not Sweep System Restore Folder.

    * Click Sweep Now on the left side.
    * Click the Start button.
    * When it's done scanning, click the Next button.
    * Make sure everything has a check next to it, then click the Next button.
    * It will remove all of the items found.
    * Click Session Log in the upper right corner, copy everything in that window.
    * Click the Summary tab and click Finish.
    * Paste the contents of the session log you copied into your next reply.
    Also post a new Hijack This log.
     
  5. yatchie

    yatchie Thread Starter

    Joined:
    Apr 27, 2005
    Messages:
    18
    Ok, here goes...Thanks!

    ********
    5:44 PM: | Start of Session, Tuesday, January 24, 2006 |
    5:44 PM: Spy Sweeper started
    5:44 PM: Sweep initiated using definitions version 605
    5:44 PM: Starting Memory Sweep
    5:48 PM: Found Trojan Horse: trojan-downloader-ruin
    5:48 PM: Detected running threat: C:\WINDOWS\explorer.exe (ID = 81)
    5:51 PM: Memory Sweep Complete, Elapsed Time: 00:06:29
    5:51 PM: Starting Registry Sweep
    5:51 PM: Found Adware: searchtoolbar
    5:51 PM: HKLM\software\searchtoolbar\ (3 subtraces) (ID = 141346)
    5:51 PM: HKLM\software\microsoft\windows\currentversion\urls\ (10 subtraces) (ID = 605127)
    5:51 PM: HKLM\software\microsoft\windows\currentversion\ruins\ (7 subtraces) (ID = 605128)
    5:51 PM: HKU\S-1-5-21-3112492714-4015366883-659380361-1005\software\searchtoolbar\ (5 subtraces) (ID = 141343)
    5:51 PM: HKU\S-1-5-21-3112492714-4015366883-659380361-1005\software\microsoft\internet explorer\toolbar\shellbrowser\ || {08bec6aa-49fc-4379-3587-4b21e286c19e} (ID = 1020297)
    5:51 PM: Registry Sweep Complete, Elapsed Time:00:00:47
    5:51 PM: Starting Cookie Sweep
    5:51 PM: Found Spy Cookie: statcounter cookie
    5:51 PM: [email protected][1].txt (ID = 3447)
    5:51 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
    5:51 PM: Starting File Sweep
    5:52 PM: Found Adware: cws_tiny0
    5:52 PM: chipset.log:jmazzw (ID = 56997)
    5:52 PM: snuwz.txt:sosqh (ID = 57116)
    5:53 PM: Warning: Failed to open file "c:\system volume information\_restore{1d754853-cd2b-4287-9a0d-7bec62082ded}\rp76\a0010985.exe". Access is denied
    5:54 PM: vminst.log:tqkvqi (ID = 57116)
    5:54 PM: a0012121.exe (ID = 246)
    5:54 PM: a0013121.exe (ID = 246)
    5:54 PM: Warning: Failed to open file "c:\system volume information\_restore{1d754853-cd2b-4287-9a0d-7bec62082ded}\rp77\a0011020.exe". Access is denied
    5:55 PM: a0012129.exe (ID = 147)
    5:55 PM: _detmp.2:hspwol (ID = 57116)
    5:55 PM: com+.log:bnlfch (ID = 57116)
    5:56 PM: Warning: Failed to open file "c:\system volume information\_restore{1d754853-cd2b-4287-9a0d-7bec62082ded}\rp77\a0011039.exe". Access is denied
    5:56 PM: a0013129.exe (ID = 147)
    5:56 PM: a0010977.exe (ID = 246)
    5:56 PM: a0011010.exe (ID = 246)
    5:57 PM: a0011026.exe (ID = 246)
    5:57 PM: ocgen.log:mljep (ID = 57116)
    5:57 PM: wsftperr.log:dfuoan (ID = 56944)
    5:57 PM: q329834.log:fhraa (ID = 57116)
    5:58 PM: q816843.log:wwegsi (ID = 56997)
    5:58 PM: a0011033.exe (ID = 246)
    5:59 PM: _detmp.2:vowebv (ID = 56887)
    5:59 PM: kb833987.log:jykshv (ID = 56887)
    5:59 PM: jautoexp.dat:eek:zuisr (ID = 56997)
    5:59 PM: kb820291.log:gaevub (ID = 57116)
    5:59 PM: t30debuglogfile.txt:fnwrxj (ID = 56997)
    5:59 PM: q329170.log:cwfav (ID = 56944)
    5:59 PM: q816509.log:xqbyl (ID = 57116)
    6:00 PM: _detmp.2:prwima (ID = 56997)
    6:02 PM: a0010344.ini:nkhyr (ID = 56944)
    6:04 PM: kb835732.log:eek:rzjz (ID = 56944)
    6:05 PM: kb871250.log:xxowdy (ID = 56887)
    6:09 PM: kb842773.log:rmvhy (ID = 57116)
    6:16 PM: a0010935.exe (ID = 246)
    6:17 PM: Warning: Failed to open file "c:\system volume information\_restore{1d754853-cd2b-4287-9a0d-7bec62082ded}\rp74\a0010943.exe". Access is denied
    6:19 PM: favset.exe (ID = 232868)
    6:19 PM: schedlgu.txt:puxsj (ID = 56944)
    6:19 PM: a0010957.exe (ID = 246)
    6:20 PM: _default.pif:vgmtux (ID = 56997)
    6:20 PM: csdan.exe (ID = 246)
    6:20 PM: dmtzq.exe (ID = 147)
    6:20 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || dmtzq.exe (ID = 0)
    6:20 PM: Warning: Failed to open file "c:\system volume information\_restore{1d754853-cd2b-4287-9a0d-7bec62082ded}\rp75\a0010965.exe". Access is denied
    6:20 PM: a0011121.exe (ID = 246)
    6:20 PM: a0011130.exe (ID = 147)
    6:22 PM: pppcgm.exe (ID = 125496)
    6:22 PM: mtb13.ini:bkgtt (ID = 56944)
    6:22 PM: tsession.reg:fohbr (ID = 57116)
    6:23 PM: Found Adware: unspypc
    6:23 PM: filesafer23.exe (ID = 209443)
    6:36 PM: Warning: File not found
    6:36 PM: Warning: File not found
    6:37 PM: Warning: Unhandled Archive Type
    6:37 PM: Warning: File not found
    6:38 PM: Warning: File not found
    6:41 PM: Warning: File not found
    6:41 PM: Warning: File not found
    6:42 PM: File Sweep Complete, Elapsed Time: 00:50:54
    6:42 PM: Full Sweep has completed. Elapsed time 00:58:22
    6:42 PM: Traces Found: 75
    10:14 PM: Removal process initiated
    10:14 PM: Quarantining All Traces: trojan-downloader-ruin
    10:14 PM: Warning: Unable to quarantine C:\WINDOWS\explorer.exe. This is a protected operating system file.
    10:14 PM: Failed to quarantine trojan-downloader-ruin
    10:14 PM: csdan.exe is in use. It will be removed on reboot.
    10:14 PM: Failed to quarantine C:\WINDOWS\explorer.exe
    10:14 PM: Quarantining All Traces: cws_tiny0
    10:15 PM: Quarantining All Traces: searchtoolbar
    10:15 PM: Quarantining All Traces: unspypc
    10:15 PM: Quarantining All Traces: statcounter cookie
    10:15 PM: Warning: Timed out waiting for explorer.exe
    10:15 PM: Warning: Launched explorer.exe
    10:15 PM: Warning: Quarantine process could not restart Explorer.
    10:15 PM: Preparing to restart your computer. Please wait...
    10:15 PM: Removal process completed. Elapsed time 00:01:33
    ********
    5:38 PM: | Start of Session, Tuesday, January 24, 2006 |
    5:38 PM: Spy Sweeper started
    5:40 PM: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
    5:41 PM: Updating spyware definitions
    5:41 PM: Your spyware definitions have been updated.
    5:44 PM: | End of Session, Tuesday, January 24, 2006 |

    ***************************************************


    Logfile of HijackThis v1.99.1
    Scan saved at 11:37:09 PM, on 1/24/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Linksys\Odyssey Client for Linksys\odClientService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\apache2triad\bin\apache.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
    C:\apache2triad\mysql\bin\mysqld.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\apache2triad\bin\apache.exe
    C:\apache2triad\mail\bin\XMail.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\toshiba\sysstability\tsyssmon.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\WINDOWS\System32\Wnex7DO.exe
    C:\Program Files\Linksys\Odyssey Client for Linksys\OdTray.exe
    C:\Program Files\Movielink\MovielinkManager\Movielink User.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
    C:\Program Files\Trend Micro\Tmas\Tmas.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mail.yahoo.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [Watcher-WatchDog] C:\WINDOWS\System32\Wnex7DO.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Linksys\Odyssey Client for Linksys\OdTray.exe"
    O4 - HKLM\..\Run: [LoadMSvcmm] "C:\Program Files\Movielink\MovielinkManager\Movielink User.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
    O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137719494373
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137719478781
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: jkhhe - C:\WINDOWS\System32\jkhhe.dll (file missing)
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O21 - SSODL: IntegrityChecker - {D11B6F5D-7528-47E6-B711-9B80F2CAD7E1} - C:\WINDOWS\System32\tpsiorec.dll
    O23 - Service: Apache2Triad Apache2 Service (Apache2) - Unknown owner - C:\apache2triad\bin\apache.exe" -n Apache2 -k runservice (file missing)
    O23 - Service: Apache2Triad Apache2 Service with SSL (Apache2SSL) - Unknown owner - C:\apache2triad\bin\apache.exe" -D SSL -n Apache2SSL -k runservice (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Movielink Core Service - Movielink LLC - C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
    O23 - Service: Apache2Triad MySql Service (MySql) - Unknown owner - C:\apache2triad\mysql\bin\mysqld.exe
    O23 - Service: Odyssey Client (odClientService) - Funk Software, Inc. - C:\Program Files\Linksys\Odyssey Client for Linksys\odClientService.exe
    O23 - Service: Apache2Triad PostgreSQL Service (PgSql) - Unknown owner - C:\apache2triad\pgsql\bin\pg_ctl.exe" runservice -N PgSql -D C:\apache2triad\pgsql\data\ (file missing)
    O23 - Service: Apache2Triad SlimFTPd Server (SlimFTPd) - Unknown owner - C:\apache2triad\ftp\SlimFTPd.exe" -service (file missing)
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: Apache2Triad Xmail Service (XMail) - Unknown owner - C:\apache2triad\mail\bin\XMail.exe
     
  6. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Are you running Apache, or did you drop it?

    Fix this with HijackThis:

    O20 - Winlogon Notify: jkhhe - C:\WINDOWS\System32\jkhhe.dll (file missing)

    How is the system?
     
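The reasoning behind the reply above (an O20 Winlogon Notify entry whose DLL no longer exists is an orphaned hook to remove; O23 services reported "(file missing)" are something to confirm with the user first) can be applied mechanically to a HijackThis log. The script below is an added example, not part of this thread and not HijackThis code; the sample log is a shortened copy of the lines posted above, and the allowlist of normal Winlogon Notify package names is an assumption for the example.

```python
"""Triage helper for HijackThis v1.99 log lines (added example).

Parses the O-lines of a HijackThis log and applies the same reasoning the
helper used in this thread: an O20 Winlogon Notify entry whose DLL is
missing is an orphaned hook (FIX), an unfamiliar Notify DLL is worth a
closer look (REVIEW), and an O23 service whose file is reported missing
should be confirmed with the user before touching (VERIFY).
"""
import re
from dataclasses import dataclass

# Constructed sample: a shortened copy of the log posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkhhe - C:\WINDOWS\System32\jkhhe.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Apache2Triad Apache2 Service (Apache2) - Unknown owner - C:\apache2triad\bin\apache.exe" -n Apache2 -k runservice (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# Assumed allowlist: Winlogon Notify packages normally present on Windows XP,
# plus the two vendor entries seen in this log (Intel igfxcui, Webroot WRNotifier).
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon", "igfxcui", "WRNotifier",
}

LINE_RE = re.compile(r"^(?P<sec>[OR]\d+) - (?P<rest>.+)$")
O20_RE = re.compile(
    r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
O23_RE = re.compile(
    r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")


@dataclass
class Finding:
    section: str
    name: str
    path: str
    verdict: str   # "FIX", "REVIEW" or "VERIFY"
    reason: str


def parse_lines(text):
    """Yield (section, remainder) for every HijackThis O/R line in the log."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("sec"), m.group("rest")


def triage(text):
    """Return the list of entries a helper would act on, in log order."""
    findings = []
    for sec, rest in parse_lines(text):
        if sec == "O20":
            m = O20_RE.match(rest)
            if not m:
                continue
            if m.group("missing"):
                # The DLL is gone but the registry hook remains: nothing loads,
                # so removing the entry with HijackThis only cleans up leftovers.
                findings.append(Finding(sec, m.group("name"), m.group("path"), "FIX",
                                        "Winlogon Notify DLL does not exist (orphaned hook)"))
            elif m.group("name") not in KNOWN_NOTIFY:
                findings.append(Finding(sec, m.group("name"), m.group("path"), "REVIEW",
                                        "unfamiliar Winlogon Notify package"))
        elif sec == "O23":
            m = O23_RE.match(rest)
            if m and m.group("missing"):
                # A stray quote in the ImagePath can make HijackThis report a
                # perfectly good service as missing; ask before removing.
                findings.append(Finding(sec, m.group("name"), m.group("path"), "VERIFY",
                                        "service binary reported missing; confirm with user"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.verdict:6} {f.section} {f.name}: {f.reason}")
```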
  7. yatchie

    yatchie Thread Starter

    Joined:
    Apr 27, 2005
    Messages:
    18
    I am running Apache. Thanks a bunch for your help. Everything seems to be working fine again!
     
  8. alaus24

    alaus24

    Joined:
    Mar 3, 2006
    Messages:
    31
    I had the same problem with trojan ruin... Being a beginner I feel so lucky to have found this site. You fixed my problem with a click in Spy Sweeper, Thank you!!!!!
     
Short URL to this thread: https://techguy.org/436963