Virus threat W32.Chod.D


new_horizon (Thread Starter; joined Jan 14, 2006; 32 messages)
Hey all

I am having some serious virus issues here, probably best that I start from the beginning...

This isn't my PC as such; it really belongs to the rest of the family, who don't know anything about protecting the PC. We had been running Norton Anti-virus 2002 for a while when all of a sudden the auto-protect could no longer be enabled. Inevitably the others continued using it, and eventually we were virus ridden. I have removed most of the others, and bought the new Norton 2006 anti-virus. I installed it all fine, but after 24 hours, the program will not work (despite being activated). The system scan reports there being 6 errors, all falling under these names...

- W32.Chod.D
- Trojan.Adclicker
- Adaware.Qoolaid

I have looked through every forum to assist me, and have attempted all of the programs you can think of (HijackThis, Windows Malicious Malware remover, Spybot, Ad-Aware) which all reported problems and fixed them. However, I still have these pests on my PC. I cannot access the Norton website in any way, shape or form, pointing toward the entries in my hosts file. The hosts file (usually located in C:\Windows\System32\Drivers\etc) is not present; however, when attempting to initiate a live update with Norton, the program informs me that there are several entries preventing me from completing the live update, and asks whether I wish to have these entries removed from my hosts file. After clicking 'yes' the program then reports that it was unable to remove the entries but still installs live updates. It is these entries, however, that are preventing me from being able to access the Norton Antivirus site for instructions on removal. I have called Norton and was quoted €39.95 just for an email with these instructions to be sent to me, or €69.95 to be given a phone tutorial that may or may not work (basically they were gonna read the instructions to me).

So I'm stumped guys and girls, I'm running Windows XP Home Edition SP2, 40 GB HDD, 26 MB RAM and no other security program outside of Norton 2006.

Any ideas people?
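The hosts-file symptom described in the post above, as an added example that is not from the thread: a small Python script that reports which hosts file Windows is actually consulting and parses a hosts file for entries that sinkhole or redirect security-vendor domains. TCP/IP reads the file from the directory named by the DataBasePath value under Tcpip\Parameters, so a repointed value is one way the file at the usual location can be "not present" while blocking still happens. The WATCHED_SUFFIXES list and the SAMPLE_HOSTS text are constructed for the example, not taken from the poster's machine; the registry lookup only runs on Windows.

```python
"""Report the hosts file Windows is using and flag entries that sinkhole or
redirect security-vendor domains.

Added example for this thread, not code from the original post. The domain
list and the sample hosts text are assumptions made for illustration.
"""

try:
    import winreg  # only present on Windows; the parser below works anywhere
except ImportError:
    winreg = None

DEFAULT_HOSTS = r"C:\Windows\System32\drivers\etc\hosts"

# Vendor and update domains a hijacked hosts file commonly blocks.
# Assumed list; extend it for the products installed on the machine.
WATCHED_SUFFIXES = (
    "symantec.com", "symantecliveupdate.com", "norton.com",
    "windowsupdate.com", "update.microsoft.com",
    "webroot.com", "mcafee.com", "kaspersky.com", "trendmicro.com",
)

# Constructed sample in the shape of a hijacked hosts file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantec.com
127.0.0.1  securityresponse.symantec.com   # trailing comment
0.0.0.0         update.microsoft.com
192.0.2.10      www.norton.com
10.0.0.5        intranet.example.local
"""


def hosts_location():
    """Return the path Windows resolves for the hosts file.

    The directory comes from the DataBasePath registry value, so malware
    that repoints that value can leave the default folder empty while a
    hijacked copy elsewhere stays in effect.
    """
    if winreg is None:
        return DEFAULT_HOSTS
    key = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
            base, _ = winreg.QueryValueEx(k, "DataBasePath")
    except OSError:
        return DEFAULT_HOSTS
    return winreg.ExpandEnvironmentStrings(base).rstrip("\\") + "\\hosts"


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for each mapping; comments are ignored."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower(), no


def is_watched(hostname):
    """True when hostname is, or is a subdomain of, a watched domain."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_blocked_entries(text):
    """Return [(line_no, ip, hostname)] for watched domains mapped to any
    address: loopback or 0.0.0.0 sinkholes them, anything else redirects them."""
    return [(no, ip, name) for ip, name, no in parse_hosts(text)
            if name != "localhost" and is_watched(name)]


if __name__ == "__main__":
    print("hosts file in use:", hosts_location())
    for no, ip, name in find_blocked_entries(SAMPLE_HOSTS):
        print(f"line {no}: {name} -> {ip}")
```

On the affected machine, feed it the real file with `find_blocked_entries(open(hosts_location()).read())`. If the folder looks empty, `dir /a` in that folder will also show a copy carrying the hidden or system attribute, which Explorer hides by default.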
 
Reply (joined Sep 7, 2004; 49,014 messages)
Go to the link below and download the trial version of SpySweeper:

SpySweeper http://www.webroot.com/consumer/products/spysweeper/index.html?acode=af1&rc=4129&ac=tsg

* Click the Free Trial link under "SpySweeper" to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All User Accounts
o Enable Direct Disk Sweeping
o Sweep Contents of Compressed Files
o Sweep for Rootkits

o Please UNCHECK Do not Sweep System Restore Folder.

* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.
Also post a new Hijack This log.
============

Get HijackThis v1.99.1 from http://thespykiller.co.uk/files/hijackthis_sfx.exe - double-click the downloaded file and click UNZIP, letting it extract to its default folder C:\Program Files\HijackThis; run it from there, DO NOT fix anything, and post the log here.
 

new_horizon (Thread Starter; joined Jan 14, 2006; 32 messages)
Here is the log from Spy Sweeper as requested...
********
16:26: | Start of Session, 14 January 2006 |
16:26: Spy Sweeper started
16:26: Sweep initiated using definitions version 601
16:26: Starting Memory Sweep
16:42: Memory Sweep Complete, Elapsed Time: 00:15:41
16:42: Starting Registry Sweep
16:42: Found Adware: altnet
16:42: HKLM\software\classes\clsid\{b7156514-a76c-4545-9d5b-a4e1d02c7aec}\ (21 subtraces) (ID = 103494)
16:42: Found Trojan Horse: trojan-backdoor-securemulti
16:42: HKLM\software\microsoft\windows\currentversion\run\ || csrss (ID = 112618)
16:43: Found Adware: topsearch
16:43: HKCR\clsid\{b7156514-a76c-4545-9d5b-a4e1d02c7aec}\ (21 subtraces) (ID = 143925)
16:43: HKLM\software\classes\topsearch.tslink\ (5 subtraces) (ID = 143926)
16:43: HKLM\software\classes\topsearch.tslink.1\ (3 subtraces) (ID = 143927)
16:43: HKLM\software\classes\typelib\{edd3b3e9-3ffd-4836-a6de-d4a9c473a971}\ (10 subtraces) (ID = 143928)
16:43: HKCR\topsearch.tslink\ (5 subtraces) (ID = 143929)
16:43: HKCR\typelib\{edd3b3e9-3ffd-4836-a6de-d4a9c473a971}\ (10 subtraces) (ID = 143930)
16:43: Found Adware: hotsurprise
16:43: HKLM\software\mpb\dialers\ (ID = 397838)
16:44: Found Adware: rx toolbar
16:44: HKCR\rxresult.rxresultfilter\ (3 subtraces) (ID = 729537)
16:44: HKCR\rxresult.rxresultfilter\clsid\ (1 subtraces) (ID = 729539)
16:44: HKCR\rxresult.rxresultfilter.1\ (3 subtraces) (ID = 729541)
16:44: HKCR\rxresult.rxresultfilter.1\clsid\ (1 subtraces) (ID = 729543)
16:44: HKCR\rxresult.rxresulttracker\ (3 subtraces) (ID = 729545)
16:44: HKCR\rxresult.rxresulttracker\clsid\ (1 subtraces) (ID = 729547)
16:44: HKCR\rxresult.rxresulttracker.1\ (3 subtraces) (ID = 729549)
16:44: HKCR\rxresult.rxresulttracker.1\clsid\ (1 subtraces) (ID = 729551)
16:44: HKCR\clsid\{2ab289ae-4b90-4281-b2ae-1f4bb034b647}\ (7 subtraces) (ID = 729553)
16:44: HKCR\clsid\{59879fa4-4790-461c-a1cc-4ec4de4ca483}\ (5 subtraces) (ID = 729564)
16:44: HKCR\typelib\{05563f82-69a7-40a6-8670-153b635a7ef6}\ (11 subtraces) (ID = 729573)
16:44: HKLM\software\classes\rxresult.rxresultfilter\ (3 subtraces) (ID = 729616)
16:44: HKLM\software\classes\rxresult.rxresultfilter\clsid\ (1 subtraces) (ID = 729618)
16:44: HKLM\software\classes\rxresult.rxresultfilter.1\ (3 subtraces) (ID = 729620)
16:44: HKLM\software\classes\rxresult.rxresultfilter.1\clsid\ (1 subtraces) (ID = 729622)
16:44: HKLM\software\classes\rxresult.rxresulttracker\ (3 subtraces) (ID = 729624)
16:44: HKLM\software\classes\rxresult.rxresulttracker\clsid\ (1 subtraces) (ID = 729626)
16:44: HKLM\software\classes\rxresult.rxresulttracker.1\ (3 subtraces) (ID = 729628)
16:44: HKLM\software\classes\rxresult.rxresulttracker.1\clsid\ (1 subtraces) (ID = 729630)
16:44: HKLM\software\classes\clsid\{2ab289ae-4b90-4281-b2ae-1f4bb034b647}\ (7 subtraces) (ID = 729632)
16:44: HKLM\software\classes\clsid\{59879fa4-4790-461c-a1cc-4ec4de4ca483}\ (5 subtraces) (ID = 729643)
16:44: HKLM\software\classes\typelib\{05563f82-69a7-40a6-8670-153b635a7ef6}\ (11 subtraces) (ID = 729652)
16:44: Found Adware: clkoptimizer
16:44: HKLM\software\qstat\ (5 subtraces) (ID = 769771)
16:44: Found Adware: directrevenue-thebestoffersnetwork
16:44: HKLM\software\microsoft\windows\currentversion\uninstall\tbon\ (7 subtraces) (ID = 826503)
16:44: HKLM\software\qstat\ || brr (ID = 877670)
16:44: Found Adware: dollarrevenue
16:44: HKLM\software\microsoft\drsmartload\ (1 subtraces) (ID = 916795)
16:44: Found Adware: command
16:44: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)
16:44: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (8 subtraces) (ID = 1016072)
16:44: Found Trojan Horse: trojan-phisher-raven
16:44: HKLM\software\microsoft\windows\currentversion\run\ || msoffice32 (ID = 1044886)
16:44: Found Adware: zquest
16:44: HKCR\clsid\{c5af2622-8c75-4dfb-9693-23ab7686a456}\ (4 subtraces) (ID = 1057025)
16:44: HKLM\software\classes\clsid\{c5af2622-8c75-4dfb-9693-23ab7686a456}\ (4 subtraces) (ID = 1057030)
16:44: Found Trojan Horse: trojan-downloader-dh
16:44: HKLM\software\microsoft\windows\currentversion\uninstall\dh\ (2 subtraces) (ID = 1057035)
16:44: HKLM\software\microsoft\windows\currentversion\run\ || drsmartloadb (ID = 1108482)
16:44: Found Adware: systemprocess
16:44: HKU\WRSS_Profile_S-1-5-21-1659004503-299502267-682003330-1008\software\system process\ (1 subtraces) (ID = 860389)
16:44: HKU\WRSS_Profile_S-1-5-21-1659004503-299502267-682003330-1008\software\system process\ || lastptime (ID = 860390)
16:44: Found Adware: cws_secure32.html hijack
16:44: HKU\WRSS_Profile_S-1-5-21-1659004503-299502267-682003330-1008\software\microsoft\internet explorer\main\ || local page (ID = 946022)
16:44: HKU\WRSS_Profile_S-1-5-21-1659004503-299502267-682003330-1008\software\microsoft\internet explorer\main\ || default_page_url (ID = 946026)
16:44: HKU\WRSS_Profile_S-1-5-21-1659004503-299502267-682003330-1007\software\system process\ (1 subtraces) (ID = 860389)
16:44: HKU\WRSS_Profile_S-1-5-21-1659004503-299502267-682003330-1007\software\system process\ || lastptime (ID = 860390)
16:44: HKU\WRSS_Profile_S-1-5-21-1659004503-299502267-682003330-1007\software\microsoft\internet explorer\main\ || local page (ID = 946022)
16:44: HKU\WRSS_Profile_S-1-5-21-1659004503-299502267-682003330-1007\software\microsoft\internet explorer\main\ || default_page_url (ID = 946026)
16:44: Found Adware: cydoor peer-to-peer dependency
16:44: HKU\WRSS_Profile_S-1-5-21-1659004503-299502267-682003330-1006\software\kazaa\promotions\cydoor\ (287 subtraces) (ID = 124527)
16:44: HKU\WRSS_Profile_S-1-5-21-1659004503-299502267-682003330-1006\software\rx toolbar\ (10 subtraces) (ID = 140298)
16:44: HKU\WRSS_Profile_S-1-5-21-1659004503-299502267-682003330-1006\software\microsoft\internet explorer\toolbar\webbrowser\ || {25d8bacf-3de2-4b48-ae22-d659b8d835b0} (ID = 140301)
16:44: HKU\WRSS_Profile_S-1-5-21-1659004503-299502267-682003330-1006\software\tbon\ (33 subtraces) (ID = 826461)
16:44: HKU\WRSS_Profile_S-1-5-21-1659004503-299502267-682003330-1006\software\microsoft\windows\currentversion\run\ || tbon (ID = 826497)
16:44: HKU\WRSS_Profile_S-1-5-21-1659004503-299502267-682003330-1006\software\system process\ (1 subtraces) (ID = 860389)
16:44: HKU\WRSS_Profile_S-1-5-21-1659004503-299502267-682003330-1006\software\system process\ || lastptime (ID = 860390)
16:44: HKU\WRSS_Profile_S-1-5-21-1659004503-299502267-682003330-1005\software\microsoft\windows\currentversion\run\ || csrss (ID = 112615)
16:44: HKU\WRSS_Profile_S-1-5-21-1659004503-299502267-682003330-1005\software\mpb\dialers\ (1 subtraces) (ID = 397809)
16:44: HKU\WRSS_Profile_S-1-5-21-1659004503-299502267-682003330-1005\software\system process\ (1 subtraces) (ID = 860389)
16:44: HKU\WRSS_Profile_S-1-5-21-1659004503-299502267-682003330-1005\software\system process\ || lastptime (ID = 860390)
16:44: HKU\WRSS_Profile_S-1-5-21-1659004503-299502267-682003330-1005\software\microsoft\internet explorer\main\ || local page (ID = 946022)
16:44: HKU\WRSS_Profile_S-1-5-21-1659004503-299502267-682003330-1005\software\microsoft\internet explorer\main\ || default_page_url (ID = 946026)
16:44: Found Adware: qsearch
16:44: HKU\WRSS_Profile_S-1-5-21-1659004503-299502267-682003330-1005\software\program info\ (ID = 1028138)
16:44: HKU\S-1-5-21-1659004503-299502267-682003330-1004\software\rx toolbar\ (1 subtraces) (ID = 140298)
16:44: HKU\S-1-5-21-1659004503-299502267-682003330-1004\software\microsoft\windows\currentversion\run\ || aupd (ID = 743915)
16:44: HKU\S-1-5-21-1659004503-299502267-682003330-1004\software\microsoft\windows\currentversion\run\ || aupd (ID = 766565)
16:44: HKU\S-1-5-21-1659004503-299502267-682003330-1004\software\system process\ (1 subtraces) (ID = 860389)
16:44: HKU\S-1-5-21-1659004503-299502267-682003330-1004\software\system process\ || lastptime (ID = 860390)
16:45: Registry Sweep Complete, Elapsed Time:00:02:50
16:45: Starting Cookie Sweep
16:45: Found Spy Cookie: 2o7.net cookie
16:45: mum & [email protected][2].txt (ID = 1958)
16:45: Found Spy Cookie: about cookie
16:45: mum & [email protected][1].txt (ID = 2037)
16:45: Found Spy Cookie: a cookie
16:45: mum & [email protected][1].txt (ID = 2027)
16:45: Found Spy Cookie: fe.lea.lycos.com cookie
16:45: mum & [email protected][1].txt (ID = 2660)
16:45: Found Spy Cookie: go2net.com cookie
16:45: mum & [email protected][1].txt (ID = 2730)
16:45: Found Spy Cookie: starware.com cookie
16:45: mum & [email protected][1].txt (ID = 3442)
16:45: Found Spy Cookie: screensavers.com cookie
16:45: mum & [email protected][2].txt (ID = 3298)
16:45: Found Spy Cookie: infospace cookie
16:45: mum & [email protected][2].txt (ID = 2865)
16:45: mum & [email protected][1].txt (ID = 1958)
16:45: Found Spy Cookie: nextag cookie
16:45: mum & [email protected][1].txt (ID = 5014)
16:45: Found Spy Cookie: adjuggler cookie
16:45: mum & [email protected][1].txt (ID = 2071)
16:45: mum & [email protected][1].txt (ID = 2070)
16:45: Found Spy Cookie: co cookie
16:45: mum & [email protected][1].txt (ID = 2430)
16:45: Found Spy Cookie: servlet cookie
16:45: mum & [email protected][1].txt (ID = 3345)
16:45: mum & [email protected][2].txt (ID = 3441)
16:45: Found Spy Cookie: dealtime cookie
16:45: mum & [email protected][2].txt (ID = 2506)
16:45: mum & [email protected][1].txt (ID = 3298)
16:45: mum & [email protected][1].txt (ID = 3442)
16:45: Found Spy Cookie: xiti cookie
16:45: mum & [email protected][1].txt (ID = 3717)
16:45: Found Spy Cookie: websponsors cookie
16:45: [email protected][2].txt (ID = 3665)
16:45: [email protected][2].txt (ID = 2037)
16:45: Found Spy Cookie: yieldmanager cookie
16:45: [email protected][1].txt (ID = 3751)
16:45: Found Spy Cookie: hbmediapro cookie
16:45: [email protected][2].txt (ID = 2768)
16:45: Found Spy Cookie: hotbar cookie
16:45: [email protected][2].txt (ID = 4207)
16:45: Found Spy Cookie: ask cookie
16:45: [email protected][1].txt (ID = 2245)
16:45: Found Spy Cookie: azjmp cookie
16:45: [email protected][1].txt (ID = 2270)
16:45: [email protected][1].txt (ID = 2027)
16:45: Found Spy Cookie: go.com cookie
16:45: [email protected][1].txt (ID = 2729)
16:45: Found Spy Cookie: tickle cookie
16:45: [email protected][1].txt (ID = 3530)
16:45: Found Spy Cookie: did-it cookie
16:45: [email protected][1].txt (ID = 2523)
16:45: [email protected][1].txt (ID = 2728)
16:45: Found Spy Cookie: megago cookie
16:45: [email protected][2].txt (ID = 2983)
16:45: [email protected][2].txt (ID = 3298)
16:45: [email protected][2].txt (ID = 2865)
16:45: Found Spy Cookie: web-stat cookie
16:45: [email protected][2].txt (ID = 3649)
16:45: Found Spy Cookie: touchclarity cookie
16:45: [email protected][1].txt (ID = 3566)
16:45: [email protected][1].txt (ID = 2729)
16:45: Found Spy Cookie: myaffiliateprogram.com cookie
16:45: [email protected][1].txt (ID = 3032)
16:45: [email protected][2].txt (ID = 3298)
16:45: [email protected][1].txt (ID = 3717)
16:45: Found Spy Cookie: 64.62.232 cookie
16:45: [email protected][1].txt (ID = 1987)
16:45: [email protected][2].txt (ID = 1987)
16:45: Found Spy Cookie: 888 cookie
16:45: [email protected][2].txt (ID = 2019)
16:45: [email protected][2].txt (ID = 3751)
16:45: [email protected][1].txt (ID = 2768)
16:45: Found Spy Cookie: adultfriendfinder cookie
16:45: [email protected][1].txt (ID = 2165)
16:45: [email protected][1].txt (ID = 2245)
16:45: [email protected][1].txt (ID = 2027)
16:45: [email protected][2].txt (ID = 2027)
16:45: Found Spy Cookie: belnk cookie
16:45: [email protected][1].txt (ID = 2292)
16:45: Found Spy Cookie: btgrab cookie
16:45: [email protected][2].txt (ID = 2333)
16:45: Found Spy Cookie: burstnet cookie
16:45: [email protected][1].txt (ID = 2336)
16:45: Found Spy Cookie: cliks cookie
16:45: [email protected][1].txt (ID = 2414)
16:45: Found Spy Cookie: clickzs cookie
16:45: [email protected][2].txt (ID = 2413)
16:45: [email protected][2].txt (ID = 2523)
16:45: [email protected][2].txt (ID = 2293)
16:45: [email protected][1].txt (ID = 2730)
16:45: [email protected][1].txt (ID = 3298)
16:45: Found Spy Cookie: imlive.com cookie
16:45: [email protected][2].txt (ID = 2843)
16:45: [email protected][2].txt (ID = 2865)
16:45: [email protected][1].txt (ID = 3566)
16:45: Found Spy Cookie: offeroptimizer cookie
16:45: [email protected][2].txt (ID = 3087)
16:45: [email protected][3].txt (ID = 3087)
16:45: Found Spy Cookie: paypopup cookie
16:45: [email protected][1].txt (ID = 3119)
16:45: Found Spy Cookie: rn11 cookie
16:45: [email protected][2].txt (ID = 3261)
16:45: Found Spy Cookie: domainsponsor cookie
16:45: [email protected][1].txt (ID = 2534)
16:45: Found Spy Cookie: directtrack cookie
16:45: [email protected][1].txt (ID = 2528)
16:45: [email protected][2].txt (ID = 3441)
16:45: Found Spy Cookie: reliablestats cookie
16:45: [email protected][2].txt (ID = 3254)
16:45: [email protected][1].txt (ID = 2246)
16:45: [email protected][2].txt (ID = 2246)
16:45: Found Spy Cookie: webpower cookie
16:45: [email protected][2].txt (ID = 3660)
16:45: [email protected][1].txt (ID = 2246)
16:45: [email protected][1].txt (ID = 3298)
16:45: [email protected][2].txt (ID = 3649)
16:45: [email protected][2].txt (ID = 1958)
16:45: [email protected][2].txt (ID = 1957)
16:45: [email protected][1].txt (ID = 1987)
16:45: [email protected][3].txt (ID = 1987)
16:45: [email protected][4].txt (ID = 1987)
16:45: [email protected][5].txt (ID = 1987)
16:45: [email protected][6].txt (ID = 1987)
16:45: [email protected][2].txt (ID = 2019)
16:45: [email protected][2].txt (ID = 3665)
16:45: [email protected][1].txt (ID = 2037)
16:45: Found Spy Cookie: ad-rotator cookie
16:45: [email protected][1].txt (ID = 2051)
16:45: Found Spy Cookie: reunion cookie
16:45: [email protected][1].txt (ID = 3256)
16:45: [email protected][1].txt (ID = 3751)
16:45: Found Spy Cookie: adlegend cookie
16:45: [email protected][1].txt (ID = 2074)
16:45: [email protected][2].txt (ID = 2768)
16:45: [email protected][2].txt (ID = 4207)
16:45: Found Spy Cookie: specificclick.com cookie
16:45: [email protected][2].txt (ID = 3400)
16:45: [email protected][1].txt (ID = 2245)
16:45: Found Spy Cookie: atwola cookie
16:45: [email protected][2].txt (ID = 2255)
16:45: [email protected][1].txt (ID = 2027)
16:45: Found Spy Cookie: banners cookie
16:45: [email protected][1].txt (ID = 2282)
16:45: Found Spy Cookie: banner cookie
16:45: [email protected][2].txt (ID = 2276)
16:45: [email protected][1].txt (ID = 2292)
16:45: [email protected][2].txt (ID = 2336)
16:45: Found Spy Cookie: ccbill cookie
16:45: [email protected][1].txt (ID = 2369)
16:45: Found Spy Cookie: 360i cookie
16:45: [email protected][2].txt (ID = 1962)
16:45: Found Spy Cookie: customer cookie
16:45: [email protected][1].txt (ID = 2481)
16:45: [email protected][2].txt (ID = 2413)
16:45: [email protected][1].txt (ID = 2729)
16:45: [email protected][2].txt (ID = 2293)
16:45: [email protected][1].txt (ID = 3566)
16:45: Found Spy Cookie: firstchoice cookie
16:45: [email protected][1].txt (ID = 2678)
16:45: [email protected][2].txt (ID = 2678)
16:45: [email protected][1].txt (ID = 2730)
16:45: [email protected][1].txt (ID = 2728)
16:45: [email protected][1].txt (ID = 3442)
16:45: Found Spy Cookie: herfirstlesbiansex cookie
16:45: [email protected][1].txt (ID = 2771)
16:45: [email protected][2].txt (ID = 3298)
16:45: Found Spy Cookie: zango cookie
16:45: [email protected][2].txt (ID = 3761)
16:45: [email protected][2].txt (ID = 2865)
16:45: [email protected][1].txt (ID = 1958)
16:45: [email protected][1].txt (ID = 3566)
16:45: [email protected][1].txt (ID = 1958)
16:45: Found Spy Cookie: partypoker cookie
16:45: [email protected][1].txt (ID = 3111)
16:45: Found Spy Cookie: pricegrabber cookie
16:45: [email protected][1].txt (ID = 3185)
16:45: Found Spy Cookie: moviemonster cookie
16:45: [email protected][2].txt (ID = 3011)
16:45: [email protected][2].txt (ID = 3255)
16:45: [email protected][1].txt (ID = 2071)
16:45: [email protected][2].txt (ID = 3649)
16:45: Found Spy Cookie: serving-sys cookie
16:45: [email protected][2].txt (ID = 3343)
16:45: Found Spy Cookie: sex cookie
16:45: [email protected][1].txt (ID = 3347)
16:45: [email protected][2].txt (ID = 3441)
16:45: Found Spy Cookie: teensforcash cookie
16:45: [email protected][1].txt (ID = 3509)
16:45: [email protected][1].txt (ID = 3566)
16:45: [email protected][2].txt (ID = 1958)
16:45: Found Spy Cookie: toplist cookie
16:45: [email protected][1].txt (ID = 3557)
16:45: [email protected][2].txt (ID = 3557)
16:45: Found Spy Cookie: tracking cookie
16:45: [email protected][1].txt (ID = 3571)
16:46: [email protected][2].txt (ID = 3571)
16:46: [email protected][1].txt (ID = 2246)
16:46: [email protected][1].txt (ID = 3660)
16:46: Found Spy Cookie: clickads cookie
16:46: [email protected][1].txt (ID = 4643)
16:46: [email protected][1].txt (ID = 2428)
16:46: [email protected][1].txt (ID = 3298)
16:46: Found Spy Cookie: seeq cookie
16:46: [email protected][1].txt (ID = 3332)
16:46: [email protected][1].txt (ID = 3332)
16:46: [email protected][1].txt (ID = 3717)
16:46: Found Spy Cookie: advertising cookie
16:46: [email protected][1].txt (ID = 2175)
16:46: Found Spy Cookie: falkag cookie
16:46: [email protected][1].txt (ID = 2650)
16:46: Found Spy Cookie: atlas dmt cookie
16:46: [email protected][2].txt (ID = 2253)
16:46: Found Spy Cookie: fastclick cookie
16:46: [email protected][2].txt (ID = 2651)
16:46: [email protected][2].txt (ID = 2652)
16:46: Found Spy Cookie: statcounter cookie
16:46: [email protected][2].txt (ID = 3447)
16:46: Found Spy Cookie: webtrendslive cookie
16:46: [email protected][1].txt (ID = 3667)
16:46: Found Spy Cookie: tribalfusion cookie
16:46: [email protected][1].txt (ID = 3589)
16:46: Found Spy Cookie: enhance cookie
16:46: [email protected][1].txt (ID = 2614)
16:46: Found Spy Cookie: goclick cookie
16:46: [email protected][2].txt (ID = 2733)
16:46: [email protected][1].txt (ID = 2523)
16:46: Cookie Sweep Complete, Elapsed Time: 00:00:51
16:46: Starting File Sweep
16:46: c:\documents and settings\daryl\local settings\temp\admcache (3 subtraces) (ID = -2147481437)
16:46: c:\documents and settings\daryl\start menu\programs\altnet (1 subtraces) (ID = -2147481443)
16:46: Found Adware: 180search assistant/zango
16:46: c:\program files\zango (ID = -2147479981)
16:46: c:\program files\tbonbin (3 subtraces) (ID = -2147471500)
16:46: Found Adware: lopdotcom
16:46: c:\program files\c2media (ID = -2147480676)
16:46: c:\windows\favorites\ computers (1 subtraces) (ID = -2147480647)
16:46: c:\windows\favorites\ online gaming (ID = -2147480644)
16:46: c:\windows\favorites\ travel (ID = -2147480642)
16:46: c:\windows\favorites\ cool stuff (3 subtraces) (ID = -2147480646)
16:46: c:\windows\favorites\ shopping gifts (ID = -2147480643)
16:46: c:\windows\favorites\ internet (1 subtraces) (ID = -2147480645)
16:46: Found Adware: surfsidekick
16:46: c:\program files\common files\vcclient (9 subtraces) (ID = -2147461290)
16:46: c:\program files\altnet (41 subtraces) (ID = -2147481441)
16:46: c:\program files\altnet\my altnet shares (40 subtraces) (ID = -2147481439)
16:46: Found Adware: elitebar
16:46: c:\windows\elitesidebar (ID = -2147481053)
16:46: c:\windows\elitetoolbar (3 subtraces) (ID = -2147481052)
16:47: a0001622.exe (ID = 230703)
16:51: Warning: Failed to open file "c:\windows\winsxs\\msvcirt.dll". The system cannot find the file specified
16:51: Warning: Failed to open file "c:\windows\winsxs\\msvcrt.dll". The system cannot find the file specified
16:57: Warning: Failed to open file "c:\windows\winsxs\\msvcirt.dll". The system cannot find the file specified
17:00: Found Trojan Horse: a-trojan
17:00: casino.scr (ID = 48534)
17:01: rcverlib[1].exe (ID = 209705)
17:08: goodfellas.scr (ID = 48534)
17:35: res2.tmp (ID = 70507)
17:48: Warning: Failed to open file "c:\windows\winsxs\\msvcrt.dll". The system cannot find the file specified
18:04: del2f.tmp (ID = 70620)
18:12: vcclient.exe (ID = 212828)
18:14: Found Adware: spysheriff fakealert
18:14: secure32.html (ID = 184319)
18:14: peer points manager.lnk (ID = 49852)
18:16: Found Trojan Horse: trojan-backdoor-us15info
18:16: tool1.exe (ID = 183857)
18:16: tool4.exe (ID = 183857)
18:16: tool5.exe (ID = 183857)
18:17: tbon.exe (ID = 166800)
18:17: HKU\WRSS_Profile_S-1-5-21-1659004503-299502267-682003330-1006\Software\Microsoft\Windows\CurrentVersion\Run || tbon (ID = 0)
18:19: qepsqsa.dll (ID = 188959)
18:24: uninstall.exe (ID = 166800)
18:33: Found Adware: ist istbar
18:33: iinstall.exe (ID = 110330)
18:42: ustart.exe (ID = 161346)
18:47: tboninst.cfg (ID = 211835)
18:47: drsmartload.dat (ID = 198788)
18:47: Found Adware: ist yoursitebar
18:47: ysbactivex.inf (ID = 91033)
18:49: File Sweep Complete, Elapsed Time: 02:03:14
18:49: Full Sweep has completed. Elapsed time 02:22:57
18:49: Traces Found: 891
19:02: Removal process initiated
19:02: Quarantining All Traces: 180search assistant/zango
19:02: Quarantining All Traces: clkoptimizer
19:02: Quarantining All Traces: elitebar
19:02: Quarantining All Traces: ist istbar
19:02: Quarantining All Traces: lopdotcom
19:02: Quarantining All Traces: qsearch
19:02: Quarantining All Traces: spysheriff fakealert
19:02: Quarantining All Traces: trojan-backdoor-securemulti
19:02: Quarantining All Traces: trojan-backdoor-us15info
19:02: Quarantining All Traces: a-trojan
19:03: Quarantining All Traces: dollarrevenue
19:03: Quarantining All Traces: hotsurprise
19:03: Quarantining All Traces: surfsidekick
19:03: Quarantining All Traces: trojan-downloader-dh
19:03: Quarantining All Traces: trojan-phisher-raven
19:03: Quarantining All Traces: zquest
19:03: Quarantining All Traces: altnet
19:05: Quarantining All Traces: command
19:05: Quarantining All Traces: cws_secure32.html hijack
19:05: Quarantining All Traces: cydoor peer-to-peer dependency
19:05: Quarantining All Traces: ist yoursitebar
19:05: Quarantining All Traces: rx toolbar
19:05: Quarantining All Traces: systemprocess
19:05: Quarantining All Traces: topsearch
19:05: Quarantining All Traces: 2o7.net cookie
19:05: Quarantining All Traces: 360i cookie
19:05: Quarantining All Traces: 64.62.232 cookie
19:05: Quarantining All Traces: 888 cookie
19:05: Quarantining All Traces: a cookie
19:05: Quarantining All Traces: about cookie
19:05: Quarantining All Traces: adjuggler cookie
19:05: Quarantining All Traces: adlegend cookie
19:05: Quarantining All Traces: ad-rotator cookie
19:05: Quarantining All Traces: adultfriendfinder cookie
19:05: Quarantining All Traces: advertising cookie
19:05: Quarantining All Traces: ask cookie
19:05: Quarantining All Traces: atlas dmt cookie
19:06: Quarantining All Traces: atwola cookie
19:06: Quarantining All Traces: azjmp cookie
19:06: Quarantining All Traces: banner cookie
19:06: Quarantining All Traces: banners cookie
19:06: Quarantining All Traces: belnk cookie
19:06: Quarantining All Traces: btgrab cookie
19:06: Quarantining All Traces: burstnet cookie
19:06: Quarantining All Traces: ccbill cookie
19:06: Quarantining All Traces: clickads cookie
19:06: Quarantining All Traces: clickzs cookie
19:06: Quarantining All Traces: cliks cookie
19:06: Quarantining All Traces: co cookie
19:06: Quarantining All Traces: customer cookie
19:06: Quarantining All Traces: dealtime cookie
19:06: Quarantining All Traces: did-it cookie
19:06: Quarantining All Traces: directrevenue-thebestoffersnetwork
19:06: Quarantining All Traces: directtrack cookie
19:06: Quarantining All Traces: domainsponsor cookie
19:06: Quarantining All Traces: enhance cookie
19:06: Quarantining All Traces: falkag cookie
19:06: Quarantining All Traces: fastclick cookie
19:06: Quarantining All Traces: fe.lea.lycos.com cookie
19:06: Quarantining All Traces: firstchoice cookie
19:06: Quarantining All Traces: go.com cookie
19:06: Quarantining All Traces: go2net.com cookie
19:06: Quarantining All Traces: goclick cookie
19:06: Quarantining All Traces: hbmediapro cookie
19:06: Quarantining All Traces: herfirstlesbiansex cookie
19:06: Quarantining All Traces: hotbar cookie
19:06: Quarantining All Traces: imlive.com cookie
19:06: Quarantining All Traces: infospace cookie
19:06: Quarantining All Traces: megago cookie
19:06: Quarantining All Traces: moviemonster cookie
19:06: Quarantining All Traces: myaffiliateprogram.com cookie
19:06: Quarantining All Traces: nextag cookie
19:06: Quarantining All Traces: offeroptimizer cookie
19:06: Quarantining All Traces: partypoker cookie
19:06: Quarantining All Traces: paypopup cookie
19:06: Quarantining All Traces: pricegrabber cookie
19:06: Quarantining All Traces: reliablestats cookie
19:06: Quarantining All Traces: reunion cookie
19:06: Quarantining All Traces: rn11 cookie
19:06: Quarantining All Traces: screensavers.com cookie
19:06: Quarantining All Traces: seeq cookie
19:06: Quarantining All Traces: serving-sys cookie
19:06: Quarantining All Traces: servlet cookie
19:06: Quarantining All Traces: sex cookie
19:06: Quarantining All Traces: specificclick.com cookie
19:06: Quarantining All Traces: starware.com cookie
19:06: Quarantining All Traces: statcounter cookie
19:06: Quarantining All Traces: teensforcash cookie
19:06: Quarantining All Traces: tickle cookie
19:06: Quarantining All Traces: toplist cookie
19:06: Quarantining All Traces: touchclarity cookie
19:06: Quarantining All Traces: tracking cookie
19:06: Quarantining All Traces: tribalfusion cookie
19:06: Quarantining All Traces: webpower cookie
19:06: Quarantining All Traces: websponsors cookie
19:06: Quarantining All Traces: web-stat cookie
19:06: Quarantining All Traces: webtrendslive cookie
19:06: Quarantining All Traces: xiti cookie
19:06: Quarantining All Traces: yieldmanager cookie
19:06: Quarantining All Traces: zango cookie
19:08: Removal process completed. Elapsed time 00:05:48
********
16:25: | Start of Session, 14 January 2006 |
16:25: Spy Sweeper started
16:25: Sweep initiated using definitions version 601
16:25: Sweep Canceled
16:25: Traces Found: 0
16:26: | End of Session, 14 January 2006 |
********
16:22: | Start of Session, 14 January 2006 |
16:22: Spy Sweeper started
16:24: Your spyware definitions have been updated.
16:25: | End of Session, 14 January 2006 |

(continues into next post...)
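A session log this long buries the traces that matter. As an added example, not Webroot's code or anything the poster ran, the script below parses the Spy Sweeper log format seen above: it attaches every trace line (recognisable by its definition ID) to the "Found ...:" detection that introduced it, counts detections by kind, and pulls out the traces that give the malware persistence, namely Run-key values and service entries under Enum\Root\LEGACY_*. The input is an excerpt of the registry sweep from the log posted above.

```python
"""Triage a Webroot Spy Sweeper session log: group traces under the
detection that introduced them, count detections by kind, and list the
traces that survive a reboot (Run-key values and services).

Added example for this thread, not Webroot's code. The log format is
inferred from the session log posted in the thread.
"""
import re
from collections import Counter, OrderedDict

LINE_RE = re.compile(r"^(\d\d:\d\d): (.*)$")
FOUND_RE = re.compile(r"^Found (?P<kind>[^:]+): (?P<name>.+)$")
RUN_KEY_RE = re.compile(r"\\currentversion\\run\\? \|\| (?P<value>\S+)", re.IGNORECASE)
SERVICE_RE = re.compile(r"\\enum\\root\\legacy_(?P<svc>[^\\]+)\\", re.IGNORECASE)

# Excerpt of the registry sweep from the log posted above.
SAMPLE_LOG = r"""16:42: Starting Registry Sweep
16:42: Found Adware: altnet
16:42: HKLM\software\classes\clsid\{b7156514-a76c-4545-9d5b-a4e1d02c7aec}\ (21 subtraces) (ID = 103494)
16:42: Found Trojan Horse: trojan-backdoor-securemulti
16:42: HKLM\software\microsoft\windows\currentversion\run\ || csrss (ID = 112618)
16:44: Found Adware: command
16:44: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)
16:44: Found Trojan Horse: trojan-phisher-raven
16:44: HKLM\software\microsoft\windows\currentversion\run\ || msoffice32 (ID = 1044886)
16:44: Found Trojan Horse: trojan-downloader-dh
16:44: HKLM\software\microsoft\windows\currentversion\uninstall\dh\ (2 subtraces) (ID = 1057035)
16:44: HKLM\software\microsoft\windows\currentversion\run\ || drsmartloadb (ID = 1108482)
16:45: Registry Sweep Complete, Elapsed Time:00:02:50
"""


def parse_session(text):
    """Return OrderedDict {(kind, name): [trace, ...]} in log order.

    Trace lines carry a definition ID, which is what tells them apart from
    progress messages such as "Starting Registry Sweep".
    """
    findings = OrderedDict()
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        body = m.group(2)
        found = FOUND_RE.match(body)
        if found:
            current = (found.group("kind"), found.group("name"))
            findings.setdefault(current, [])
        elif current is not None and "(ID = " in body:
            findings[current].append(body)
    return findings


def count_by_kind(findings):
    """Number of distinct detections per kind, e.g. {'Adware': 2, ...}."""
    return dict(Counter(kind for kind, _ in findings))


def persistence(findings):
    """Return [(name, mechanism, detail)] for traces that survive a reboot."""
    out = []
    for (_, name), traces in findings.items():
        for trace in traces:
            run = RUN_KEY_RE.search(trace)
            if run:
                out.append((name, "run-key", run.group("value")))
                continue
            svc = SERVICE_RE.search(trace)
            if svc:
                out.append((name, "service", svc.group("svc")))
    return out


if __name__ == "__main__":
    found = parse_session(SAMPLE_LOG)
    print(count_by_kind(found))
    for name, how, what in persistence(found):
        print(f"{name}: {how} -> {what}")
```

Run over the full log, the persistence list is the short set of things to verify by hand after the quarantine: a Run value named csrss or msoffice32 under HKLM and the LEGACY_CMDSERVICE service entry should be gone on the next reboot, and any that return point to a component the sweep missed.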
 

new_horizon (Thread Starter; joined Jan 14, 2006; 32 messages)
And from HijackThis...

Logfile of HijackThis v1.99.1
Scan saved at 19:12:41, on 14/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Tiny Disk\Tiny Disk\TinyMon.exe
C:\Program Files\Tiny Disk\Tiny Disk\USBTD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\LSASS.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mark\My Documents\Programs\eMule0.46c\emule.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\DOCUME~1\Mark\LOCALS~1\Temp\Temporary Directory 2 for HijackThis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [UFD Monitor] C:\Program Files\Tiny Disk\Tiny Disk\TinyMon.exe
O4 - HKLM\..\Run: [UFD Utility] C:\Program Files\Tiny Disk\Tiny Disk\USBTD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1107470535890
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130694459187
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{90D260D6-4952-460A-BD3F-4D68B068B905}: NameServer = 195.92.195.94 195.92.195.95
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\o6480ghue6480.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thanks for your help, I appreciate it
 
Joined
Sep 7, 2004
Messages
49,014
You did not extract HijackThis as I asked, and until HijackThis is in a permanent location we cannot run the fixes for your safety. Please run another log from the new location.
 

new_horizon

Thread Starter
Joined
Jan 14, 2006
Messages
32
Apologies, here is the new hijack this after saving to C:\Programfiles...
Logfile of HijackThis v1.99.1
Scan saved at 22:01:42, on 14/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Tiny Disk\Tiny Disk\TinyMon.exe
C:\Program Files\Tiny Disk\Tiny Disk\USBTD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\LSASS.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Documents and Settings\Mark\My Documents\Programs\eMule0.46c\emule.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Macromedia\Fireworks 4\Fireworks 4.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [UFD Monitor] C:\Program Files\Tiny Disk\Tiny Disk\TinyMon.exe
O4 - HKLM\..\Run: [UFD Utility] C:\Program Files\Tiny Disk\Tiny Disk\USBTD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1107470535890
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130694459187
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{90D260D6-4952-460A-BD3F-4D68B068B905}: NameServer = 195.92.195.94 195.92.195.95
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\o6480ghue6480.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
 
Joined
Sep 7, 2004
Messages
49,014
I will suggest that you remove Emule and any other P2P programs you have as they are the likely source of infections and in many cases are illegal

Fix these with HJT – mark them, close IE, click fix checked

O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\o6480ghue6480.dll (file missing)

START – RUN – type in %temp% OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
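The fix above singles out one O20 Winlogon Notify line. As an added example (not code from the thread or from HijackThis), here is a small parser that applies the same reasoning to HijackThis-format log lines: a Winlogon Notify package whose DLL is reported missing, or whose DLL name looks machine-generated, is flagged for review. The sample log text is constructed from lines of the form seen in this thread, and the "generated-looking name" heuristic is an assumption of this example, not a HijackThis rule.

```python
import re

# Constructed sample in HijackThis v1.99.1 line format; values match the thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\o6480ghue6480.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
"""

# O20 lines describe DLLs registered under
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify, which
# winlogon.exe loads at logon; HijackThis appends "(file missing)" when the
# DLL is not on disk.
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)

# Heuristic (assumption of this example): two or more multi-digit runs in the
# file stem, as in o6480ghue6480.dll, suggests a generated name.
DIGIT_RUN = re.compile(r"\d{2,}")


def looks_generated(dll_path):
    """Return True when the DLL's file stem looks machine-generated."""
    stem = dll_path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return len(DIGIT_RUN.findall(stem)) >= 2


def winlogon_notify_findings(log_text):
    """Return the O20 entries worth a closer look, with the reasons why."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O20_RE.match(line)
        if not m:
            continue  # not an O20 line; other sections are out of scope here
        missing = m.group("missing") is not None
        reasons = []
        if missing:
            reasons.append("file missing")
        if looks_generated(m.group("path")):
            reasons.append("generated-looking name")
        if reasons:
            findings.append({
                "line": line,
                "name": m.group("name"),
                "path": m.group("path"),
                "missing": missing,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in winlogon_notify_findings(SAMPLE_HJT):
        print(f["name"], "->", f["path"], "|", ", ".join(f["reasons"]))
```

Run against a saved log, the output lists exactly the DateTime entry the helper asked to have fixed, while the Webroot WRNotifier hook passes untouched.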
 

new_horizon

Thread Starter
Joined
Jan 14, 2006
Messages
32
Ok here is the new log...

Logfile of HijackThis v1.99.1
Scan saved at 23:30:57, on 14/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Tiny Disk\Tiny Disk\TinyMon.exe
C:\Program Files\Tiny Disk\Tiny Disk\USBTD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [UFD Monitor] C:\Program Files\Tiny Disk\Tiny Disk\TinyMon.exe
O4 - HKLM\..\Run: [UFD Utility] C:\Program Files\Tiny Disk\Tiny Disk\USBTD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1107470535890
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130694459187
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{90D260D6-4952-460A-BD3F-4D68B068B905}: NameServer = 195.92.195.95 195.92.195.94
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
 

new_horizon

Thread Starter
Joined
Jan 14, 2006
Messages
32
Well all seems fine, but will just have to wait and see if Norton continues working...PC is a bit slow, but that's probably down to the crap my sisters download!

Thanks for your help, I will let you know
 

new_horizon

Thread Starter
Joined
Jan 14, 2006
Messages
32
Nope, no luck, Norton will not work as it is asking for activation (although I've clarified that the product has been activated several times with their stupid phone assistants) and my PC will not respond when I try to activate. I know that the virus has entered values into my host file, preventing me from getting to the websites, but I am unable to locate my host file via the C:\Windows\System32\Drivers\etc folder. I have read that some computers don't even have a host file, so how can it be that my host file is the problem!?

Very frustrated.
 

new_horizon

Thread Starter
Joined
Jan 14, 2006
Messages
32
Well, the host file being reset worked originally, but the pest reloads all the anti-virus sites back into the hosts file after a restart. The Sweeper is saying that the process crss.lnk is running each time I start the PC... this is a difficult one.
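Both this post and the earlier one describe the same symptom: vendor sites mapped to a dead address in the hosts file, a file that seems absent, and entries that come back after every reboot. As an added example (not code from the thread), the check below parses a hosts file, reports mappings that point a watched vendor host at loopback or a null address, treats a missing file as a finding of its own, and fingerprints the content so a re-check after reboot shows whether something rewrote it. The vendor watchlist and the sample hosts content are constructed for this example.

```python
import hashlib
from pathlib import Path

# Default location named in the thread.
HOSTS_PATH = Path(r"C:\Windows\System32\drivers\etc\hosts")

# Constructed watchlist: domains whose override here would block LiveUpdate,
# vendor support pages, or Windows Update. Extend to suit your own vendors.
WATCHED_DOMAINS = ("symantec.com", "symantecliveupdate.com", "norton.com",
                   "webroot.com", "microsoft.com", "windowsupdate.com")

NULL_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every mapping, ignoring comments."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries.append((ip, name.lower(), n))
    return entries


def _is_watched(host):
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def suspicious_entries(text):
    """Mappings that override a watched vendor host; null_route marks the
    classic 127.0.0.1 / 0.0.0.0 block that stops updates and web access."""
    return [{"line": n, "ip": ip, "host": host, "null_route": ip in NULL_ADDRESSES}
            for ip, host, n in parse_hosts(text)
            if host != "localhost" and _is_watched(host)]


def hosts_fingerprint(text):
    """Content hash; compare across reboots to see if the file was rewritten."""
    return hashlib.sha256(text.encode("utf-8", "replace")).hexdigest()


def check_hosts_file(path=HOSTS_PATH, baseline_fp=None):
    """Read the live file and report. A missing file is reported, not ignored:
    on Windows it may simply be hidden, or it may have been replaced."""
    path = Path(path)
    if not path.is_file():
        return {"present": False, "findings": [], "changed": None}
    text = path.read_text(errors="replace")
    fp = hosts_fingerprint(text)
    return {"present": True, "findings": suspicious_entries(text),
            "fingerprint": fp,
            "changed": None if baseline_fp is None else fp != baseline_fp}


# Constructed sample in the shape a hijacked hosts file takes.
SAMPLE_HOSTS = """\
# sample header comment
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantecliveupdate.com
127.0.0.1       securityresponse.symantec.com
127.0.0.1       www.norton.com
192.0.2.10      example.org
"""

if __name__ == "__main__":
    for hit in suspicious_entries(SAMPLE_HOSTS):
        print(hit)
    print(check_hosts_file())
```

Record the fingerprint once the file is clean, then run the check again after a restart: a changed fingerprint with fresh vendor hits confirms a persistence mechanism is rewriting the file rather than the cleanup having failed.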
 