
Under attack from Kill&Clean + Trojans

Discussion in 'Virus & Other Malware Removal' started by ExplodingPenguin, Aug 2, 2006.

  1. ExplodingPenguin

    ExplodingPenguin Thread Starter

    Joined:
    Aug 2, 2006
    Messages:
    10
    Yep, I got the kill and clean. It also installed a toolbar in my windows explorer windows. I think I managed to castrate Kill and Clean, but I'm still getting the repeat trojan warnings from Norton, as well as a lot of general system instability.

    So, without further ado, my HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:05:09 AM, on 8/2/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Eraser\eraser.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...aults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dialin&cd=2.1&bm=ho_home
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
    R3 - URLSearchHook: (no name) - {CA99517F-4908-8FDC-8234-026B7CFE18DB} - newbreed.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{1821C340-0131-46FF-B1E3-3590FC295643}.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{1821C340-0131-46FF-B1E3-3590FC295643}.dll
    O4 - HKLM\..\Run: [Systmesy] Systmesy.exe
    O4 - HKLM\..\Run: [TCP/IP PerfManager] maxrw.exe
    O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\bjznoyx.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\zdyarsm.exe
    O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
    O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [forces_elite] TemplateDongle.exe
    O4 - HKLM\..\Run: [progmen] xsetup.exe
    O4 - HKLM\..\Run: [dmvdj.exe] C:\WINDOWS\system32\dmvdj.exe
    O4 - HKLM\..\Run: [svsnr.exe] C:\WINDOWS\system32\svsnr.exe
    O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
    O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
    O4 - HKCU\..\Run: [Systmesy] Systmesy.exe
    O4 - HKCU\..\Run: [TCP/IP PerfManager] maxrw.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
    O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
    O4 - HKCU\..\Run: [TRPT] DTOURS.exe
    O4 - HKCU\..\Run: [TemplateDongle] ExchangeMaster.exe
    O4 - HKCU\..\Run: [PrcIdle] JAguAr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0F92304C-EE27-49E3-9F36-86F458EF6174}: NameServer = 85.255.115.50 85.255.112.172
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7DD833AA-2536-4321-9AAC-9F5F7C2472EB}: NameServer = 85.255.115.50,85.255.112.172
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DAD820BA-1100-4F3D-9BAC-634F75F48A4D}: NameServer = 85.255.115.50,85.255.112.172
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.50 85.255.112.172
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.50 85.255.112.172
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    So where do I go from here?
     
  2. ExplodingPenguin

    ExplodingPenguin Thread Starter

    Joined:
    Aug 2, 2006
    Messages:
    10
    PS. The number of programs in my system32 folder being reported as trojans is steadily growing. There are programs there which weren't as of minutes ago.
     
  3. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

    Please download FixWareout

    http://downloads.subratam.org/Fixwareout.exe


    Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

    When your system reboots, follow the prompts. Afterwards, Hijack This will launch. Close Hijack This, and click OK to proceed.

    Fix these with HJT – mark them, close IE, click fix checked

    O17 - HKLM\System\CCS\Services\Tcpip\..\{0F92304C-EE27-49E3-9F36-86F458EF6174}: NameServer = 85.255.115.50 85.255.112.172
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7DD833AA-2536-4321-9AAC-9F5F7C2472EB}: NameServer = 85.255.115.50,85.255.112.172
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DAD820BA-1100-4F3D-9BAC-634F75F48A4D}: NameServer = 85.255.115.50,85.255.112.172
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.50 85.255.112.172
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.50 85.255.112.172
    If you have connection problems after this

    * Go to Control Panel. - If you are using Windows XP's Category View, select the Network and Internet Connections category. If you are in Classic View, go to the next step.
    · Double-click the Network Connections icon
    · Right-click the Local Area Connection icon and select Properties.
    · Highlight Internet Protocol (TCP/IP) and click the Properties button.
    · Be sure Obtain DNS server address automatically is selected.
    · OK your way out.


    * Go to Start > Run and type in cmd
    · Click OK.
    · This will open a command prompt.
    · Type or copy and paste the following line in the command window:

    ipconfig /flushdns
    · Hit Enter
    · Exit the command window

    Do that before you restart.

    =============
    At the end of the fix, you may need to restart your computer again.

    Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new Hijack This log.

    ==================================
    If you get an Autoexec nt error do the following

    XP Fix - http://www.visualtour.com/downloads/

    Scroll down to get XP Fix

    And run FixWareout again.
    ==========================
    Go to the link below and download the trial version of SpySweeper:

    SpySweeper http://www.webroot.com/consumer/products/spysweeper/index.html?acode=af1&rc=4129&ac=tsg

    * Click the Free Trial link under "SpySweeper" to download the program.
    * Install it. Once the program is installed, it will open.
    * It will prompt you to update to the latest definitions, click Yes.
    * Once the definitions are installed, click Options on the left side.
    * Click the Sweep Options tab.
    * Under What to Sweep please put a check next to the following:
    o Sweep Memory
    o Sweep Registry
    o Sweep Cookies
    o Sweep All User Accounts
    o Enable Direct Disk Sweeping
    o Sweep Contents of Compressed Files
    o Sweep for Rootkits

    o Please UNCHECK Do not Sweep System Restore Folder.

    * Click Sweep Now on the left side.
    * Click the Start button.
    * When it's done scanning, click the Next button.
    * Make sure everything has a check next to it, then click the Next button.
    * It will remove all of the items found.
    * Click Session Log in the upper right corner, copy everything in that window.
    * Click the Summary tab and click Finish.
    * Paste the contents of the session log you copied into your next reply.
    Also post a new Hijack This log.
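A log-triage pass over the three signals the reply above acts on, as an added example that is not part of the thread, of HijackThis or of FixWareout: O17 NameServer entries (the same two 85.255.x.x resolvers stamped onto every Tcpip interface key), O4 autoruns that name a program with no path (the forces_elite entry, flagged later in the thread as trojan-downloader-wareout, is one), and O2/O3 modules whose file name is only a CLSID. The sample log is constructed from lines already posted above; the `triage` function and its output keys are this example's own.

```python
import re

# Constructed sample in the HijackThis v1.99.1 line format used in the thread.
# Every path, CLSID and address below is copied from the logs posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{1821C340-0131-46FF-B1E3-3590FC295643}.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F92304C-EE27-49E3-9F36-86F458EF6174}: NameServer = 85.255.115.50 85.255.112.172
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.50,85.255.112.172
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# "O4 - <body>" / "R1 - <body>": the section tag, then the entry body.
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
# O4 body: HKLM\..\Run: [Display name] command line
O4_RE = re.compile(r"^HK.*?\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O17 body: <Tcpip registry key>: NameServer = a.b.c.d[,| ]e.f.g.h
O17_RE = re.compile(r"^(?P<key>HK.*?): NameServer = (?P<servers>.*)$")
# A module whose file name is nothing but a CLSID, e.g. {1821C340-...}.dll
GUID_FILE_RE = re.compile(
    r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\.(?:dll|exe|ocx)$"
)


def _executable(cmd):
    """Return the program part of an autorun command line: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def _is_bare_name(exe):
    """True when the entry names a file with no directory, drive or %variable%, so the
    loader resolves it through the search path instead of a fixed location."""
    return bool(exe) and "\\" not in exe and "%" not in exe and ":" not in exe


def triage(log_text):
    """Walk a HijackThis log and collect the signals the helper acts on in this thread."""
    findings = {
        "unpathed_autoruns": [],   # O4 Run entries naming a program without a path
        "o17_entries": [],         # (registry key, [servers]) for each NameServer line
        "dns_servers": set(),      # distinct resolvers pushed onto the interfaces
        "dns_consistent": False,   # same resolver set on every interface key
        "guid_named_modules": [],  # O2/O3 modules whose file name is just a CLSID
    }
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        if section == "O4":
            m4 = O4_RE.match(body)
            if m4:
                exe = _executable(m4.group("cmd"))
                # Triage signal, not a verdict: legitimate vendors do this too
                # (CTHELPER.EXE and nwiz.exe in the posted log), so each hit still
                # needs to be looked up before it is fixed.
                if _is_bare_name(exe):
                    findings["unpathed_autoruns"].append(exe)
        elif section == "O17":
            m17 = O17_RE.match(body)
            if m17:
                # HJT prints the servers either space- or comma-separated.
                servers = [s for s in re.split(r"[,\s]+", m17.group("servers")) if s]
                findings["o17_entries"].append((m17.group("key"), servers))
                findings["dns_servers"].update(servers)
        elif section in ("O2", "O3"):
            # The module path is the last " - " separated field of a BHO/toolbar entry.
            path = body.rsplit(" - ", 1)[-1].strip()
            if GUID_FILE_RE.match(path.rsplit("\\", 1)[-1]):
                findings["guid_named_modules"].append(path)
    # One resolver pair stamped onto every interface key is the O17 pattern in the
    # posted log; a box whose DNS was set by hand or by DHCP rarely looks like that.
    findings["dns_consistent"] = len(findings["o17_entries"]) > 1 and all(
        set(servers) == findings["dns_servers"] for _, servers in findings["o17_entries"]
    )
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Pointing `triage` at a saved HijackThis log gives the list of O17 lines to mark for "fix checked" and the unpathed O4 names to look up, which is the check the reply asks the poster to do by eye.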
     
  4. ExplodingPenguin

    ExplodingPenguin Thread Starter

    Joined:
    Aug 2, 2006
    Messages:
    10
    Fantastic, it's getting better. I was also able to finally run Spybot SD, which removed the offending toolbars. Still have diabolical files in my system32 folder, though.

    Here're all the current logs:

    Fixwareout
    Fixwareout ver 1.003
    Last edited 07/1/2006
    Post this report in the forums please

    Reg Entries that were deleted
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\daolnwodi
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\onisacputes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\owt
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eerht
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
    ...

    Microsoft (R) Windows Script Host Version 5.6
    Random Runs removed from HKLM
    "dmwuy.exe"=-
    ...

    PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
    Example ipsec6.exe is legitimate

    »»»»» Search by size and names...
    * csr.exe C:\WINDOWS\System32\CSAHS.EXE

    »»»»» Misc files
    * thequicklink C:\WINDOWS\System32\{1821C~1.DLL

    »»»»» Checking for older varients covered by the Rem3 tool

    »»»»»
    Search five digit cs, dm and jb files
    This WILL/CAN also list Legit Files, Submit them at Virustotal
    C:\WINDOWS\SYSTEM32\CSAHS.EXE 51,254 2006-08-01
    C:\WINDOWS\SYSTEM32\DMSSO.EXE 62,000 2004-08-04
    Other suspects
    Directory of C:\WINDOWS\system32
    {1821C340-0131-46FF-B1E3-3590FC295643}.dll
    {ABC15D78-55C8-4E23-AACA-02C4D6CF9F12}.exe
    {884D3FC2-49CC-4E8F-A432-B0B78F4DE99E}.exe
    {2BC45DEC-3DED-4981-B021-F13F6FB5C3E9}.exe
    {CE292179-267F-4B97-8136-675E2114DC5A}.exe
    {D932E2B0-3906-4E01-B3C9-6CA06B2D3E90}.exe
    {AF48822E-B6B4-48F6-B94A-52993861130F}.exe
    {57621E85-986B-4DAE-A76A-4FF3252327F7}.exe
    {E1FD6CFD-82DE-46C6-BCA0-667943E3C99D}.exe
    {9D2B555B-7030-4F42-939D-6306420CC91B}.exe
    {7D0D3587-D699-46BB-8C3C-4B703E3B6AE4}.exe
    {F493AB19-8109-42ED-AA51-2C0BFF82436C}.exe
    {39DA0BDB-598F-4186-B32D-EF83A71F84E3}.exe
    {C7FEF108-EA75-4E4D-A327-9D08F7260982}.exe
    {A362B2A9-8A44-4117-AB92-332D492B2093}.exe
    {8AE1C810-FF4C-4A9C-BB69-FFD5C87DACBE}.exe
    {760DBE87-3FF3-4FA3-9D75-ECCFF7343131}.exe
    {1ED12809-20A9-4D07-AEDF-70C664D48F7B}.exe
    {3FA003C0-6703-43D9-8D60-5825A0B8BCE7}.exe
    {EF1A8CB1-108D-40FC-AD31-2072EFEE6706}.exe
    {127FAECA-1200-4100-95FC-5CB1CAFC7F53}.exe
    {3BAE2D3B-0246-4083-ACEB-D389947442EE}.exe
    {986261A0-7718-4799-A2AB-A55E2A3362C5}.exe
    {CFA56AEE-C553-48C1-AFA9-CC5CD2B66DB8}.exe
    {C68DA0E2-A91C-4995-9D85-B5B89EDA2080}.exe
    {3F8CD342-3308-47E3-AC80-D7E5441CDE33}.exe
    {4444F886-58F0-4C44-9C58-C58D3A790754}.exe
    {AE02EBCB-FA89-44B7-995C-DDB6F385EC6C}.exe
    {8345A14F-25BB-4DAA-A317-4E109F97A0C7}.exe
    {32581C03-0597-4FA8-8CDE-98580DD0AC97}.exe


    HijackThis

    Logfile of HijackThis v1.99.1
    Scan saved at 12:11:53 PM, on 8/2/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Eraser\eraser.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...aults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
    R3 - URLSearchHook: (no name) - {CA99517F-4908-8FDC-8234-026B7CFE18DB} - newbreed.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Systmesy] Systmesy.exe
    O4 - HKLM\..\Run: [TCP/IP PerfManager] maxrw.exe
    O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\bjznoyx.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\zdyarsm.exe
    O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [forces_elite] TemplateDongle.exe
    O4 - HKLM\..\Run: [progmen] xsetup.exe
    O4 - HKLM\..\Run: [wzuvw.exe] C:\WINDOWS\system32\wzuvw.exe
    O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
    O4 - HKCU\..\Run: [Systmesy] Systmesy.exe
    O4 - HKCU\..\Run: [TCP/IP PerfManager] maxrw.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
    O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [TRPT] DTOURS.exe
    O4 - HKCU\..\Run: [TemplateDongle] ExchangeMaster.exe
    O4 - HKCU\..\Run: [PrcIdle] JAguAr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  5. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Go to the link below and download the trial version of SpySweeper:

    SpySweeper http://www.webroot.com/consumer/products/spysweeper/index.html?acode=af1&rc=4129&ac=tsg

    * Click the Free Trial link under "SpySweeper" to download the program.
    * Install it. Once the program is installed, it will open.
    * It will prompt you to update to the latest definitions, click Yes.
    * Once the definitions are installed, click Options on the left side.
    * Click the Sweep Options tab.
    * Under What to Sweep please put a check next to the following:
    o Sweep Memory
    o Sweep Registry
    o Sweep Cookies
    o Sweep All User Accounts
    o Enable Direct Disk Sweeping
    o Sweep Contents of Compressed Files
    o Sweep for Rootkits

    o Please UNCHECK Do not Sweep System Restore Folder.

    * Click Sweep Now on the left side.
    * Click the Start button.
    * When it's done scanning, click the Next button.
    * Make sure everything has a check next to it, then click the Next button.
    * It will remove all of the items found.
    * Click Session Log in the upper right corner, copy everything in that window.
    * Click the Summary tab and click Finish.
    * Paste the contents of the session log you copied into your next reply.
    Also post a new Hijack This log.
     
  6. ExplodingPenguin

    ExplodingPenguin Thread Starter

    Joined:
    Aug 2, 2006
    Messages:
    10
    Yep, Spy Sweeper seems to have taken care of the rest of it. Only thing now is that my system feels slightly less stable than it did before. Does that mean I've still got something else lurking around that I still haven't found? Or could it be a simple byproduct of the amount of spyware removal tools I've installed in the past day?
     
  7. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Post the SpySweeper log and a new hijack log as requested!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
     
  8. ExplodingPenguin

    ExplodingPenguin Thread Starter

    Joined:
    Aug 2, 2006
    Messages:
    10
    My apologies, I've been a bit scatterbrained today. I had to run Spy Sweeper a few times, since it crashed the first time, so if the log looks wonky, that'd be why.

    SpySweeper Log

    1:14 PM: | End of Session, Wednesday, August 02, 2006 |
    1:13 PM: Your spyware definitions have been updated.
    Keylogger Shield: On
    BHO Shield: On
    IE Security Shield: On
    Alternate Data Stream (ADS) Execution Shield: On
    Startup Shield: On
    Common Ad Sites Shield: Off
    Hosts File Shield: On
    Spy Communication Shield: On
    ActiveX Shield: On
    Windows Messenger Service Shield: On
    IE Favorites Shield: On
    Spy Installation Shield: On
    Memory Shield: On
    IE Hijack Shield: On
    IE Tracking Cookies Shield: Off
    1:11 PM: Shield States
    1:11 PM: Spyware Definitions: 691
    1:09 PM: Spy Sweeper 5.0.5.1286 started
    1:09 PM: Spy Sweeper 5.0.5.1286 started
    1:09 PM: | Start of Session, Wednesday, August 02, 2006 |
    ********
    1:22 PM: C:\Documents and Settings\All Users\Application Data\AntiSpyInfo\optimize.exe.q_1B9BCB88_q (ID = 64091)
    1:22 PM: Found Adware: internetoptimizer
    1:22 PM: C:\Documents and Settings\All Users\Application Data\AntiSpyInfo\bargains.exe.q_1B524003_q (ID = 295976)
    1:22 PM: Found Adware: exact cashback/bargain buddy
    1:21 PM: C:\WINDOWS\system32\{ABC15D78-55C8-4E23-AACA-02C4D6CF9F12}.exe (ID = 324384)
    1:21 PM: C:\WINDOWS\system32\{1821C340-0131-46FF-B1E3-3590FC295643}.dll (ID = 73422)
    1:21 PM: Found Adware: quicklink search toolbar
    1:19 PM: C:\WINDOWS\system32\{2BC45DEC-3DED-4981-B021-F13F6FB5C3E9}.exe (ID = 324384)
    1:19 PM: C:\WINDOWS\system32\{884D3FC2-49CC-4E8F-A432-B0B78F4DE99E}.exe (ID = 324384)
    1:19 PM: C:\WINDOWS\system32\{9D2B555B-7030-4F42-939D-6306420CC91B}.exe (ID = 324384)
    1:19 PM: C:\WINDOWS\system32\{A362B2A9-8A44-4117-AB92-332D492B2093}.exe (ID = 324384)
    1:19 PM: C:\WINDOWS\system32\{CFA56AEE-C553-48C1-AFA9-CC5CD2B66DB8}.exe (ID = 125496)
    1:19 PM: C:\WINDOWS\system32\{3FA003C0-6703-43D9-8D60-5825A0B8BCE7}.exe (ID = 324384)
    1:19 PM: C:\WINDOWS\system32\{C68DA0E2-A91C-4995-9D85-B5B89EDA2080}.exe (ID = 81237)
    1:19 PM: Found Trojan Horse: trojan-secdrop
    1:19 PM: C:\WINDOWS\system32\{127FAECA-1200-4100-95FC-5CB1CAFC7F53}.exe (ID = 324384)
    1:19 PM: C:\WINDOWS\system32\{39DA0BDB-598F-4186-B32D-EF83A71F84E3}.exe (ID = 324384)
    1:19 PM: C:\WINDOWS\system32\{3F8CD342-3308-47E3-AC80-D7E5441CDE33}.exe (ID = 324384)
    1:19 PM: C:\WINDOWS\system32\{3BAE2D3B-0246-4083-ACEB-D389947442EE}.exe (ID = 324384)
    1:19 PM: C:\WINDOWS\system32\{8AE1C810-FF4C-4A9C-BB69-FFD5C87DACBE}.exe (ID = 324384)
    1:19 PM: C:\WINDOWS\system32\{32581C03-0597-4FA8-8CDE-98580DD0AC97}.exe (ID = 304772)
    1:19 PM: C:\WINDOWS\system32\{7D0D3587-D699-46BB-8C3C-4B703E3B6AE4}.exe (ID = 324384)
    1:19 PM: C:\WINDOWS\system32\{57621E85-986B-4DAE-A76A-4FF3252327F7}.exe (ID = 324384)
    1:19 PM: C:\WINDOWS\system32\csahs.exe (ID = 246)
    1:19 PM: Found Trojan Horse: trojan-downloader-ruin
    1:19 PM: C:\WINDOWS\system32\{CE292179-267F-4B97-8136-675E2114DC5A}.exe (ID = 324384)
    1:18 PM: C:\WINDOWS\system32\{760DBE87-3FF3-4FA3-9D75-ECCFF7343131}.exe (ID = 324384)
    1:18 PM: C:\WINDOWS\system32\{AF48822E-B6B4-48F6-B94A-52993861130F}.exe (ID = 324384)
    1:18 PM: C:\WINDOWS\system32\{C7FEF108-EA75-4E4D-A327-9D08F7260982}.exe (ID = 324384)
    1:18 PM: C:\WINDOWS\system32\{1ED12809-20A9-4D07-AEDF-70C664D48F7B}.exe (ID = 324384)
    1:18 PM: Found Trojan Horse: trojan-backdoor-qhosts
    1:18 PM: Starting File Sweep
    1:18 PM: Warning: Failed to access drive A:
    1:18 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
    1:18 PM: c:\documents and settings\peter fitzgerald\cookies\peter [email protected][2].txt (ID = 3762)
    1:18 PM: Found Spy Cookie: zedo cookie
    1:18 PM: c:\documents and settings\peter fitzgerald\cookies\peter [email protected][1].txt (ID = 3587)
    1:18 PM: Found Spy Cookie: trb.com cookie
    1:18 PM: c:\documents and settings\peter fitzgerald\cookies\peter [email protected][1].txt (ID = 5014)
    1:18 PM: Found Spy Cookie: nextag cookie
    1:18 PM: c:\documents and settings\peter fitzgerald\cookies\peter [email protected][1].txt (ID = 2730)
    1:18 PM: Found Spy Cookie: go2net.com cookie
    1:18 PM: c:\documents and settings\peter fitzgerald\cookies\peter [email protected][1].txt (ID = 2255)
    1:18 PM: Found Spy Cookie: atwola cookie
    1:18 PM: c:\documents and settings\peter fitzgerald\cookies\peter [email protected][1].txt (ID = 2038)
    1:18 PM: c:\documents and settings\peter fitzgerald\cookies\peter [email protected][2].txt (ID = 3148)
    1:18 PM: Found Spy Cookie: pointroll cookie
    1:18 PM: c:\documents and settings\peter fitzgerald\cookies\peter [email protected][1].txt (ID = 3400)
    1:18 PM: Found Spy Cookie: specificclick.com cookie
    1:18 PM: c:\documents and settings\peter fitzgerald\cookies\peter [email protected][2].txt (ID = 2037)
    1:18 PM: Found Spy Cookie: about cookie
    1:18 PM: c:\documents and settings\peter fitzgerald\cookies\peter [email protected][1].txt (ID = 1997)
    1:18 PM: Found Spy Cookie: 66.246.209 cookie
    1:18 PM: c:\documents and settings\peter fitzgerald\cookies\peter [email protected][1].txt (ID = 1957)
    1:18 PM: c:\documents and settings\peter fitzgerald\cookies\peter [email protected][2].txt (ID = 1958)
    1:18 PM: Found Spy Cookie: 2o7.net cookie
    1:18 PM: Starting Cookie Sweep
    1:18 PM: Registry Sweep Complete, Elapsed Time:00:00:06
    1:18 PM: HKU\S-1-5-18\software\microsoft\windows\currentversion\runonce\ || win32 usb2 driver (ID = 140631)
    1:18 PM: HKU\S-1-5-18\software\microsoft\windows\currentversion\run\ || win32 usb2 driver (ID = 140608)
    1:18 PM: HKU\S-1-5-21-1614895754-1454471165-725345543-1004\software\microsoft\windows\currentversion\run\ || trpt (ID = 1520013)
    1:18 PM: Found Adware: kill & clean scanner and monitor
    1:18 PM: HKU\S-1-5-21-1614895754-1454471165-725345543-1004\software\microsoft\windows\currentversion\run\ || win32 usb2 driver (ID = 140608)
    1:18 PM: HKLM\software\classes\media-codec.chl\ (ID = 1247793)
    1:18 PM: HKCR\media-codec.chl\ (ID = 1247790)
    1:18 PM: Found Trojan Horse: trojan-downloader-zlob
    1:18 PM: HKLM\software\microsoft\windows\currentversion\run\ || forces_elite (ID = 144865)
    1:18 PM: Found Trojan Horse: trojan-downloader-wareout
    1:18 PM: HKLM\software\microsoft\windows\currentversion\run\ || win32 usb2 driver (ID = 140622)
    1:18 PM: HKU\.default\software\microsoft\windows\currentversion\runonce\ || win32 usb2 driver (ID = 140594)
    1:18 PM: HKU\.default\software\microsoft\windows\currentversion\run\ || win32 usb2 driver (ID = 140589)
    1:18 PM: Found Trojan Horse: sdbot
    1:18 PM: Starting Registry Sweep
    1:18 PM: Memory Sweep Complete, Elapsed Time: 00:04:17
    1:14 PM: Warning: QF[866]: "C:\WINDOWS\SYSTEM32\{EF1A8CB1-108D-40FC-AD31-2072EFEE6706}.EXE": File not found
    1:14 PM: Spy Installation Shield: found: Trojan Horse: trojan-backdoor-qhosts, version 1.0.0.0
    1:14 PM: Warning: QF[866]: "C:\WINDOWS\SYSTEM32\{E1FD6CFD-82DE-46C6-BCA0-667943E3C99D}.EXE": File not found
    1:14 PM: Spy Installation Shield: found: Trojan Horse: trojan-backdoor-qhosts, version 1.0.0.0
    1:14 PM: Spy Installation Shield: found: Trojan Horse: trojan-backdoor-qhosts, version 1.0.0.0
    1:14 PM: Warning: QF[866]: "C:\WINDOWS\SYSTEM32\{D932E2B0-3906-4E01-B3C9-6CA06B2D3E90}.EXE": File not found
    1:14 PM: Spy Installation Shield: found: Trojan Horse: trojan-backdoor-qhosts, version 1.0.0.0
    1:14 PM: Spy Installation Shield: found: Trojan Horse: trojan-backdoor-qhosts, version 1.0.0.0
    1:14 PM: Spy Installation Shield: found: Trojan Horse: trojan-backdoor-qhosts, version 1.0.0.0
    1:14 PM: Spy Installation Shield: found: Trojan Horse: trojan-backdoor-qhosts, version 1.0.0.0
    1:14 PM: Spy Installation Shield: found: Trojan Horse: trojan-backdoor-qhosts, version 1.0.0.0
    1:14 PM: Spy Installation Shield: found: Trojan Horse: trojan-backdoor-qhosts, version 1.0.0.0
    1:14 PM: Spy Installation Shield: found: Trojan Horse: trojan-backdoor-qhosts, version 1.0.0.0
    1:14 PM: Spy Installation Shield: found: Trojan Horse: trojan-backdoor-qhosts, version 1.0.0.0
    1:14 PM: Spy Installation Shield: found: Trojan Horse: trojan-backdoor-qhosts, version 1.0.0.0
    1:14 PM: Starting Memory Sweep
    1:14 PM: Sweep initiated using definitions version 731
    1:14 PM: Spy Sweeper 5.0.5.1286 started
    1:14 PM: | Start of Session, Wednesday, August 02, 2006 |
    ********
    1:44 PM: | End of Session, Wednesday, August 02, 2006 |
    1:43 PM: Removal process completed. Elapsed time 00:00:05
    1:43 PM: Quarantining All Traces: zedo cookie
    1:43 PM: Quarantining All Traces: trb.com cookie
    1:43 PM: Quarantining All Traces: nextag cookie
    1:43 PM: Quarantining All Traces: go2net.com cookie
    1:43 PM: Quarantining All Traces: atwola cookie
    1:43 PM: Quarantining All Traces: pointroll cookie
    1:43 PM: Quarantining All Traces: specificclick.com cookie
    1:43 PM: Quarantining All Traces: about cookie
    1:43 PM: Quarantining All Traces: 66.246.209 cookie
    1:43 PM: Quarantining All Traces: 2o7.net cookie
    1:43 PM: Quarantining All Traces: kill & clean scanner and monitor
    1:43 PM: Quarantining All Traces: quicklink search toolbar
    1:43 PM: Quarantining All Traces: trojan-secdrop
    1:43 PM: Quarantining All Traces: trojan-backdoor-qhosts
    1:43 PM: Quarantining All Traces: trojan-downloader-ruin
    1:43 PM: Quarantining All Traces: trojan-downloader-zlob
    1:43 PM: Quarantining All Traces: trojan-downloader-wareout
    1:43 PM: Quarantining All Traces: sdbot
    1:43 PM: Removal process initiated
    1:43 PM: Sweep Status: 18 Items Found
    1:43 PM: Traces Found: 44
    1:43 PM: File Sweep Complete, Elapsed Time: 00:03:01
    1:43 PM: Sweep Canceled
    1:43 PM: C:\WINDOWS\system32\{1821C340-0131-46FF-B1E3-3590FC295643}.dll (ID = 73422)
    1:43 PM: Found Adware: quicklink search toolbar
    1:41 PM: C:\WINDOWS\system32\{2BC45DEC-3DED-4981-B021-F13F6FB5C3E9}.exe (ID = 324384)
    1:41 PM: C:\WINDOWS\system32\{884D3FC2-49CC-4E8F-A432-B0B78F4DE99E}.exe (ID = 324384)
    1:41 PM: C:\WINDOWS\system32\{9D2B555B-7030-4F42-939D-6306420CC91B}.exe (ID = 324384)
    1:41 PM: C:\WINDOWS\system32\{A362B2A9-8A44-4117-AB92-332D492B2093}.exe (ID = 324384)
    1:41 PM: C:\WINDOWS\system32\{CFA56AEE-C553-48C1-AFA9-CC5CD2B66DB8}.exe (ID = 125496)
    1:41 PM: C:\WINDOWS\system32\{3FA003C0-6703-43D9-8D60-5825A0B8BCE7}.exe (ID = 324384)
    1:40 PM: C:\WINDOWS\system32\{C68DA0E2-A91C-4995-9D85-B5B89EDA2080}.exe (ID = 81237)
    1:40 PM: Found Trojan Horse: trojan-secdrop
    1:40 PM: C:\WINDOWS\system32\{127FAECA-1200-4100-95FC-5CB1CAFC7F53}.exe (ID = 324384)
    1:40 PM: C:\WINDOWS\system32\{39DA0BDB-598F-4186-B32D-EF83A71F84E3}.exe (ID = 324384)
    1:40 PM: C:\WINDOWS\system32\{3F8CD342-3308-47E3-AC80-D7E5441CDE33}.exe (ID = 324384)
    1:40 PM: C:\WINDOWS\system32\{3BAE2D3B-0246-4083-ACEB-D389947442EE}.exe (ID = 324384)
    1:40 PM: C:\WINDOWS\system32\{8AE1C810-FF4C-4A9C-BB69-FFD5C87DACBE}.exe (ID = 324384)
    1:40 PM: C:\WINDOWS\system32\{32581C03-0597-4FA8-8CDE-98580DD0AC97}.exe (ID = 304772)
    1:40 PM: C:\WINDOWS\system32\{7D0D3587-D699-46BB-8C3C-4B703E3B6AE4}.exe (ID = 324384)
    1:40 PM: C:\WINDOWS\system32\{57621E85-986B-4DAE-A76A-4FF3252327F7}.exe (ID = 324384)
    1:40 PM: C:\WINDOWS\system32\csahs.exe (ID = 246)
    1:40 PM: Found Trojan Horse: trojan-downloader-ruin
    1:40 PM: C:\WINDOWS\system32\{CE292179-267F-4B97-8136-675E2114DC5A}.exe (ID = 324384)
    1:40 PM: C:\WINDOWS\system32\{760DBE87-3FF3-4FA3-9D75-ECCFF7343131}.exe (ID = 324384)
    1:40 PM: C:\WINDOWS\system32\{AF48822E-B6B4-48F6-B94A-52993861130F}.exe (ID = 324384)
    1:40 PM: C:\WINDOWS\system32\{C7FEF108-EA75-4E4D-A327-9D08F7260982}.exe (ID = 324384)
    1:40 PM: C:\WINDOWS\system32\{1ED12809-20A9-4D07-AEDF-70C664D48F7B}.exe (ID = 324384)
    1:40 PM: Found Trojan Horse: trojan-backdoor-qhosts
    1:40 PM: Starting File Sweep
    1:40 PM: Warning: Failed to access drive A:
    1:40 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
    1:40 PM: c:\documents and settings\peter fitzgerald\cookies\peter [email protected][2].txt (ID = 3762)
    1:40 PM: Found Spy Cookie: zedo cookie
    1:40 PM: c:\documents and settings\peter fitzgerald\cookies\peter [email protected][1].txt (ID = 3587)
    1:40 PM: Found Spy Cookie: trb.com cookie
    1:40 PM: c:\documents and settings\peter fitzgerald\cookies\peter [email protected][1].txt (ID = 5014)
    1:40 PM: Found Spy Cookie: nextag cookie
    1:40 PM: c:\documents and settings\peter fitzgerald\cookies\peter [email protected][1].txt (ID = 2730)
    1:40 PM: Found Spy Cookie: go2net.com cookie
    1:40 PM: c:\documents and settings\peter fitzgerald\cookies\peter [email protected][1].txt (ID = 2255)
    1:40 PM: Found Spy Cookie: atwola cookie
    1:40 PM: c:\documents and settings\peter fitzgerald\cookies\peter [email protected][1].txt (ID = 2038)
    1:40 PM: c:\documents and settings\peter fitzgerald\cookies\peter [email protected][2].txt (ID = 3148)
    1:40 PM: Found Spy Cookie: pointroll cookie
    1:40 PM: c:\documents and settings\peter fitzgerald\cookies\peter [email protected][1].txt (ID = 3400)
    1:40 PM: Found Spy Cookie: specificclick.com cookie
    1:40 PM: c:\documents and settings\peter fitzgerald\cookies\peter [email protected][2].txt (ID = 2037)
    1:40 PM: Found Spy Cookie: about cookie
    1:40 PM: c:\documents and settings\peter fitzgerald\cookies\peter [email protected][1].txt (ID = 1997)
    1:40 PM: Found Spy Cookie: 66.246.209 cookie
    1:40 PM: c:\documents and settings\peter fitzgerald\cookies\peter [email protected][1].txt (ID = 1957)
    1:40 PM: c:\documents and settings\peter fitzgerald\cookies\peter [email protected][2].txt (ID = 1958)
    1:40 PM: Found Spy Cookie: 2o7.net cookie
    1:40 PM: Starting Cookie Sweep
    1:40 PM: Registry Sweep Complete, Elapsed Time:00:01:09
    1:40 PM: HKU\S-1-5-18\software\microsoft\windows\currentversion\runonce\ || win32 usb2 driver (ID = 140631)
    1:40 PM: HKU\S-1-5-18\software\microsoft\windows\currentversion\run\ || win32 usb2 driver (ID = 140608)
    1:40 PM: HKU\S-1-5-21-1614895754-1454471165-725345543-1004\software\microsoft\windows\currentversion\run\ || trpt (ID = 1520013)
    1:40 PM: Found Adware: kill & clean scanner and monitor
    1:40 PM: HKU\S-1-5-21-1614895754-1454471165-725345543-1004\software\microsoft\windows\currentversion\run\ || win32 usb2 driver (ID = 140608)
    1:40 PM: HKLM\software\classes\media-codec.chl\ (ID = 1247793)
    1:40 PM: HKCR\media-codec.chl\ (ID = 1247790)
    1:40 PM: Found Trojan Horse: trojan-downloader-zlob
    1:40 PM: HKLM\software\microsoft\windows\currentversion\run\ || forces_elite (ID = 144865)
    1:40 PM: Found Trojan Horse: trojan-downloader-wareout
    1:40 PM: HKLM\software\microsoft\windows\currentversion\run\ || win32 usb2 driver (ID = 140622)
    1:40 PM: HKU\.default\software\microsoft\windows\currentversion\runonce\ || win32 usb2 driver (ID = 140594)
    1:40 PM: HKU\.default\software\microsoft\windows\currentversion\run\ || win32 usb2 driver (ID = 140589)
    1:40 PM: Found Trojan Horse: sdbot
    1:40 PM: Memory Sweep Complete, Elapsed Time: 00:00:00
    1:40 PM: Starting Registry Sweep
    1:39 PM: Starting Memory Sweep
    1:39 PM: Sweep initiated using definitions version 731
    1:39 PM: Spy Sweeper 5.0.5.1286 started
    1:39 PM: | Start of Session, Wednesday, August 02, 2006 |
    ********
    5:36 PM: The Spy Communication shield has blocked access to: FL4W.INFO
    5:36 PM: The Spy Communication shield has blocked access to: FL4W.INFO
    5:36 PM: The Spy Communication shield has blocked access to: ZBZPPBWQMM.BIZ
    5:36 PM: The Spy Communication shield has blocked access to: ZBZPPBWQMM.BIZ
    1:55 PM: BHO Shield: found: -- BHO installation denied at user request
    1:55 PM: BHO Shield: found: -- BHO installation denied at user request
    1:54 PM: Removal process completed. Elapsed time 00:00:15
    1:54 PM: Quarantining All Traces: blackbox
    1:54 PM: Quarantining All Traces: kill & clean scanner and monitor
    1:54 PM: Quarantining All Traces: exact cashback/bargain buddy
    1:54 PM: Quarantining All Traces: internetoptimizer
    1:54 PM: Quarantining All Traces: trojan-backdoor-qhosts
    1:54 PM: Quarantining All Traces: trojan-downloader-ruin
    1:54 PM: Removal process initiated
    1:54 PM: Traces Found: 7
    1:54 PM: Full Sweep has completed. Elapsed time 00:10:08
    1:54 PM: File Sweep Complete, Elapsed Time: 00:09:04
    1:54 PM: Warning: Failed to access drive E:
    1:53 PM: C:\Documents and Settings\Peter Fitzgerald\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-5f8e179f-663693b6.class (ID = 51343)
    1:53 PM: C:\Documents and Settings\Peter Fitzgerald\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-67d9b5a-1ce65295.class (ID = 51343)
    1:53 PM: Found Adware: blackbox
    1:51 PM: C:\WINDOWS\system32\{986261A0-7718-4799-A2AB-A55E2A3362C5}.exe (ID = 324641)
    1:51 PM: Found Adware: kill & clean scanner and monitor
    1:51 PM: C:\WINDOWS\system32\dmsso.exe (ID = 471)
    1:51 PM: Found Trojan Horse: trojan-downloader-ruin
    1:47 PM: C:\Documents and Settings\All Users\Application Data\AntiSpyInfo\optimize.exe.q_1B9BCB88_q (ID = 64091)
    1:47 PM: Found Adware: internetoptimizer
    1:47 PM: C:\Documents and Settings\All Users\Application Data\AntiSpyInfo\bargains.exe.q_1B524003_q (ID = 295976)
    1:47 PM: Found Adware: exact cashback/bargain buddy
    1:46 PM: C:\WINDOWS\system32\{ABC15D78-55C8-4E23-AACA-02C4D6CF9F12}.exe (ID = 324384)
    1:46 PM: Found Trojan Horse: trojan-backdoor-qhosts
    1:45 PM: Starting File Sweep
    1:45 PM: Warning: Failed to access drive A:
    1:45 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
    1:45 PM: Starting Cookie Sweep
    1:45 PM: Registry Sweep Complete, Elapsed Time:00:00:06
    1:44 PM: Starting Registry Sweep
    1:44 PM: Memory Sweep Complete, Elapsed Time: 00:00:54
    1:44 PM: Starting Memory Sweep
    1:44 PM: Sweep initiated using definitions version 731
    1:44 PM: Spy Sweeper 5.0.5.1286 started
    1:44 PM: | Start of Session, Wednesday, August 02, 2006 |

    New HJT Log

    Logfile of HijackThis v1.99.1
    Scan saved at 7:19:26 PM, on 8/2/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Eraser\eraser.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...aults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
    R3 - URLSearchHook: (no name) - {CA99517F-4908-8FDC-8234-026B7CFE18DB} - newbreed.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Systmesy] Systmesy.exe
    O4 - HKLM\..\Run: [TCP/IP PerfManager] maxrw.exe
    O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\bjznoyx.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\zdyarsm.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [DeadAIM] "rundll32.exe" "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [progmen] xsetup.exe
    O4 - HKLM\..\Run: [wzuvw.exe] C:\WINDOWS\system32\wzuvw.exe
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [Systmesy] Systmesy.exe
    O4 - HKCU\..\Run: [TCP/IP PerfManager] maxrw.exe
    O4 - HKCU\..\Run: [AIM] "C:\Program Files\AIM\aim.exe" -cnetwait.odl
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Eraser] "C:\Program Files\Eraser\eraser.exe" -hide
    O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [TemplateDongle] ExchangeMaster.exe
    O4 - HKCU\..\Run: [PrcIdle] JAguAr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0F92304C-EE27-49E3-9F36-86F458EF6174}: NameServer = 85.255.115.50 85.255.112.172
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

    ---

    Again, sorry for not getting this earlier. Wrangling with an unstable computer + a heatwave has shortwired my brain.
     
  9. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    You may want to print this or save it to notepad as we will go to safe mode.

    Run fixwareout again
    ===============================
    Please click here http://www.java.com/en/download/manual.jsp to download the latest version of JAVA. Install the application, then go to the Add/Remove Programs options in the Control Panel and Remove ALL previous versions of JAVA.
    ==============================

    Fix these with HJT – mark them, close IE, click fix checked

    R3 - URLSearchHook: (no name) - {CA99517F-4908-8FDC-8234-026B7CFE18DB} - newbreed.dll (file missing)

    O4 - HKLM\..\Run: [Systmesy] Systmesy.exe

    O4 - HKLM\..\Run: [TCP/IP PerfManager] maxrw.exe

    O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\bjznoyx.exe

    O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\zdyarsm.exe

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    O4 - HKLM\..\Run: [progmen] xsetup.exe

    O4 - HKLM\..\Run: [wzuvw.exe] C:\WINDOWS\system32\wzuvw.exe

    O4 - HKCU\..\Run: [Systmesy] Systmesy.exe

    O4 - HKCU\..\Run: [TCP/IP PerfManager] maxrw.exe

    O4 - HKCU\..\Run: [TemplateDongle] ExchangeMaster.exe

    O4 - HKCU\..\Run: [PrcIdle] JAguAr.exe

    O17 - HKLM\System\CCS\Services\Tcpip\..\{0F92304C-EE27-49E3-9F36-86F458EF6174}: NameServer = 85.255.115.50 85.255.112.172

    DownLoad http://www.downloads.subratam.org/KillBox.zip

    Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

    Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    C:\WINDOWS\SYSTEM32\CSAHS.EXE
    C:\WINDOWS\SYSTEM32\DMSSO.EXE
    C:\WINDOWS\System32\Systmesy.exe
    C:\WINDOWS\System32\maxrw.exe
    C:\WINDOWS\System32\bjznoyx.exe
    C:\WINDOWS\System32\zdyarsm.exe
    C:\WINDOWS\system32\xsetup.exe
    C:\WINDOWS\system32\wzuvw.exe
    C:\WINDOWS\system32\ExchangeMaster.exe
    C:\WINDOWS\system32\JAguAr.exe

    Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

    START - RUN - type in %temp% - OK - Edit - Select all - File - Delete

    Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

    Not all temp files will delete and that is normal
    Empty the recycle bin
    Boot and post a new log from normal NOT safe mode

    Please give feedback on what worked/didn’t work and the current status of your system
     
  10. ExplodingPenguin

    ExplodingPenguin Thread Starter

    Joined:
    Aug 2, 2006
    Messages:
    10
    Thanks! I think the last of the problems have been stamped out, and I've learned quite a bit in the process. Probably the most useful, concise, and direct Tech Support I've ever received.

    Fresh HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 1:05:04 PM, on 8/5/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Eraser\eraser.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...aults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
    R3 - URLSearchHook: (no name) - {CA99517F-4908-8FDC-8234-026B7CFE18DB} - newbreed.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [DeadAIM] "rundll32.exe" "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
    O4 - HKCU\..\Run: [AIM] "C:\Program Files\AIM\aim.exe" -cnetwait.odl
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Eraser] "C:\Program Files\Eraser\eraser.exe" -hide
    O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0F92304C-EE27-49E3-9F36-86F458EF6174}: NameServer = 85.255.115.50 85.255.112.172
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

    How's it looking?
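
A cross-check of the two HJT logs in this thread, added here as an example; it is not code from the thread, from the helper, or from HijackThis itself. It parses the O4 (Run key), O17 (NameServer) and R3 (URLSearchHook) lines, flags entries by the reasoning behind the fix list in the post above (a Run-key target that is a bare filename or sits inside the Windows directory and is not on a known-good allow-list, a static NameServer on the interface, a URLSearchHook with no name and a missing DLL), and then checks which flagged lines still appear in the 8/5 log. The allow-list, the excerpted log lines and the rules are assumptions constructed for the example; the helper also removed the KernelFaultCheck/dumprep entry, which the heuristic treats as a benign crash-dump leftover. Run over the two excerpts it reports that the O4 entries are gone while both the R3 hook and the O17 NameServer line (85.255.115.50 85.255.112.172) are still present in the 8/5 log: the helper's next reply fixes the R3 line, and the O17 entry, which was on the original fix list, deserves the same re-check, since a foreign resolver redirects every name lookup the machine makes.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpts of the two HijackThis logs posted in this thread:
# the 8/2 log (before the helper's fix list was applied) and the 8/5 log (after).
BEFORE_LOG = r"""
R3 - URLSearchHook: (no name) - {CA99517F-4908-8FDC-8234-026B7CFE18DB} - newbreed.dll (file missing)
O4 - HKLM\..\Run: [Systmesy] Systmesy.exe
O4 - HKLM\..\Run: [TCP/IP PerfManager] maxrw.exe
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\bjznoyx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\zdyarsm.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [wzuvw.exe] C:\WINDOWS\system32\wzuvw.exe
O4 - HKCU\..\Run: [TemplateDongle] ExchangeMaster.exe
O4 - HKCU\..\Run: [PrcIdle] JAguAr.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F92304C-EE27-49E3-9F36-86F458EF6174}: NameServer = 85.255.115.50 85.255.112.172
"""

AFTER_LOG = r"""
R3 - URLSearchHook: (no name) - {CA99517F-4908-8FDC-8234-026B7CFE18DB} - newbreed.dll (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F92304C-EE27-49E3-9F36-86F458EF6174}: NameServer = 85.255.115.50 85.255.112.172
"""

# Run-key targets this machine legitimately uses. This allow-list is an assumption
# built for the example from the thread's own logs; in practice it must come from a
# known-clean baseline of the machine, never from the log being triaged.
KNOWN_GOOD = {
    "nerocheck.exe", "zlclient.exe", "ccapp.exe", "qttask.exe", "cthelper.exe",
    "winampa.exe", "ituneshelper.exe", "jusched.exe", "rundll32.exe", "nwiz.exe",
    "dumprep", "spysweeperui.exe", "aim.exe", "msmsgs.exe", "eraser.exe", "steam.exe",
}

O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - .*: NameServer = (?P<servers>[\d. ]+)$")
R3_RE = re.compile(r"^R3 - URLSearchHook: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<dll>.+)$")


def run_target(cmd: str) -> str:
    """Return the executable a Run-key command launches (first token, unquoted)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def flag_line(line: str) -> Optional[str]:
    """Return why an HJT line looks like a hijack, or None if it looks benign."""
    m = O4_RE.match(line)
    if m:
        target = run_target(m.group("cmd"))
        if target.rsplit("\\", 1)[-1].lower() in KNOWN_GOOD:
            return None
        if "\\" not in target:  # no directory: resolved through PATH at logon
            return "O4 bare filename found via PATH: " + target
        if "\\windows\\" in target.lower() or "%systemroot%" in target.lower():
            return "O4 unknown executable in the Windows directory: " + target
        return None
    m = O17_RE.match(line)
    if m:  # a static resolver overrides whatever DHCP or the ISP hands out
        return "O17 static resolvers on the interface: " + m.group("servers").strip()
    m = R3_RE.match(line)
    if m and m.group("name") == "(no name)" and "(file missing)" in m.group("dll"):
        return "R3 orphaned URLSearchHook: " + m.group("dll")
    return None


def triage(log: str) -> Dict[str, str]:
    """Map each suspicious log line to the reason it was flagged."""
    flagged: Dict[str, str] = {}
    for raw in log.splitlines():
        line = raw.strip()
        reason = flag_line(line) if line else None
        if reason:
            flagged[line] = reason
    return flagged


def verify_cleanup(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Split the lines flagged in `before` into (removed, persisted) using `after`."""
    flagged = triage(before)
    after_lines = {raw.strip() for raw in after.splitlines()}
    removed = [line for line in flagged if line not in after_lines]
    persisted = [line for line in flagged if line in after_lines]
    return removed, persisted


if __name__ == "__main__":
    for reason in triage(BEFORE_LOG).values():
        print("[fix]", reason)
    gone, left = verify_cleanup(BEFORE_LOG, AFTER_LOG)
    print(f"\n{len(gone)} flagged entries removed, {len(left)} still present:")
    for line in left:
        print("  ", line)
```

Two caveats apply when using this on a real log: the bare-filename rule is only as good as the allow-list, which has to come from a clean baseline rather than from the infected log itself, and a static NameServer is not malicious by definition (some people set one on purpose), so compare the addresses with the resolvers the ISP or DHCP server actually issues before fixing the O17 line.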
     
  11. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Thanks - we try!

    Fix this one - make sure you close IE before clicking fix checked

    R3 - URLSearchHook: (no name) - {CA99517F-4908-8FDC-8234-026B7CFE18DB} - newbreed.dll (file missing)

    Clean - If you feel it is fixed, mark it solved via thread tools above - if not, what is the current situation?

    Restore points
    Turn off restore points, boot, turn them back on – here’s how

    XP
    http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam
     
Short URL to this thread: https://techguy.org/488649