Hijack this log
hey guys...i got some "yousendit" link virus or somehting like that. Figured I had better post a log...i took out whatever i could from that sticky, but hte 023's that are still in it won't delete for some reason.
Logfile of HijackThis v1.99.1
Scan saved at 3:52:21 PM, on 12/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\csrvs.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\DIGStream\digstream.exe
C:\windows\adtech2006.exe
C:\WINDOWS\system32\igps.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\pgws.exe
C:\Program Files\aim\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\MA111v2 USB Adapter\MA111v2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Frank\Desktop\Download\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bostondirtdogs.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\Program Files\QL\qlink32.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\Run: [adtech2006] C:\windows\adtech2006.exe
O4 - HKLM\..\Run: [lspins] "C:\WINDOWS\system32\igps.exe"
O4 - HKLM\..\Run: [002k0cho.dll] RUNDLL32.EXE 002k0cho.dll,b 262766750
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111v2 USB Adapter\MA111v2.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\Program Files\QL\qlink32.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Secure HTTP (Service Secured) - Unknown owner - C:\WINDOWS\csrvs.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Thanks for everything guys!
Logfile of HijackThis v1.99.1
Scan saved at 3:52:21 PM, on 12/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\csrvs.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\DIGStream\digstream.exe
C:\windows\adtech2006.exe
C:\WINDOWS\system32\igps.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\pgws.exe
C:\Program Files\aim\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\MA111v2 USB Adapter\MA111v2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Frank\Desktop\Download\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bostondirtdogs.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\Program Files\QL\qlink32.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\Run: [adtech2006] C:\windows\adtech2006.exe
O4 - HKLM\..\Run: [lspins] "C:\WINDOWS\system32\igps.exe"
O4 - HKLM\..\Run: [002k0cho.dll] RUNDLL32.EXE 002k0cho.dll,b 262766750
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111v2 USB Adapter\MA111v2.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\Program Files\QL\qlink32.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Secure HTTP (Service Secured) - Unknown owner - C:\WINDOWS\csrvs.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Thanks for everything guys!
0
Comments
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\Run: [adtech2006] C:\windows\adtech2006.exe
O4 - HKLM\..\Run: [lspins] "C:\WINDOWS\system32\igps.exe"
O4 - HKLM\..\Run: [002k0cho.dll] RUNDLL32.EXE 002k0cho.dll,b 262766750
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\Program Files\QL\qlink32.dll
Fix those entries then find and delete the following files:
C:\Program Files\QL\qlink32.dll
C:\windows\timessquare.exe
C:\windows\adtech2006.exe
C:\WINDOWS\system32\igps.exe
002k0cho.dll
Then reboot your computer and post a new log.
Scan saved at 10:55:29 PM, on 12/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\aim\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\NETGEAR\MA111v2 USB Adapter\MA111v2.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Frank\Desktop\Download\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bostondirtdogs.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [lspins] "C:\WINDOWS\system32\igps.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111v2 USB Adapter\MA111v2.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Secure HTTP (Service Secured) - Unknown owner - C:\WINDOWS\csrvs.exe (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Thanks a million
O4 - HKLM\..\Run: [lspins] "C:\WINDOWS\system32\igps.exe"
Fix those entries then delete this file:
C:\WINDOWS\system32\igps.exe
Then reboot and post a new log.
Logfile of HijackThis v1.99.1
Scan saved at 1:51:15 AM, on 12/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\aim\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\MA111v2 USB Adapter\MA111v2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Frank\Desktop\Download\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bostondirtdogs.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111v2 USB Adapter\MA111v2.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Secure HTTP (Service Secured) - Unknown owner - C:\WINDOWS\csrvs.exe (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
http://www.pandasoftware.com/products/activescan.htm
Run the free virus scan at that URL and post the log here.
Incident Status Location
Spyware:spyware/apropos Not disinfected C:\contextplus.exe
Adware:Adware/WinAD Not disinfected C:\Documents and Settings\Frank\Desktop\Download\hijackthis\backups\backup-20051118-002824-854.dll
Adware:adware/sahagent Not disinfected C:\Documents and Settings\Frank\Local Settings\Temp\cdt1004.sah
Adware:adware/dyfuca Not disinfected C:\Documents and Settings\Frank\Local Settings\Temp\cfout.txt
Adware:Adware/nCase Not disinfected C:\Documents and Settings\Frank\Local Settings\Temp\Del1B.tmp
Adware:Adware/nCase Not disinfected C:\Documents and Settings\Frank\Local Settings\Temp\res1C.tmp
Adware:adware/ist.istbar Not disinfected C:\Documents and Settings\Frank\Local Settings\Temp\shortcuts.txt
Adware:Adware/Dyfuca Not disinfected C:\Documents and Settings\Frank\Local Settings\Temp\temp.fr89C2\actalert.exe
Adware:Adware/Sqwire Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\C5BBC4VD\stub_113_4_0_4_0[1].exe
Virus:Trj/Downloader.GPB Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\DG63XPQ5\ltndmain[1].dll
Adware:Adware/ISearch Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\DG63XPQ5\mte3ndi6odoxng[1].exe
Adware:Adware/CommAd Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\DG63XPQ5\timessquare[1].exe
Adware:Adware/Ucmore Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\H0OVLAYW\drsmartload[1].exe
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\H0OVLAYW\installer[1].exe
Adware:Adware/Ucmore Not disinfected C:\drsmartload1.exe
Adware:Adware/Look2Me Not disinfected C:\installer.exe
Adware:Adware/ISearch Not disinfected C:\mte3ndi6odoxng.exe
Adware:Adware/Sqwire Not disinfected C:\Program Files\Common Files\zzrf\zzrfa.exe
Adware:Adware/Sqwire Not disinfected C:\Program Files\Common Files\zzrf\zzrfd\zzrfc.dll
Adware:Adware/Sqwire Not disinfected C:\Program Files\Common Files\zzrf\zzrfl.exe
Adware:Adware/Sqwire Not disinfected C:\Program Files\Common Files\zzrf\zzrfm.exe
Adware:Adware/Sqwire Not disinfected C:\Program Files\Common Files\zzrf\zzrfp.exe
Adware:Adware/Sqwire Not disinfected C:\stub_113_4_0_4_0.exe
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\Downloaded Program Files\setup4002b.ini
Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\drsmartload.dat
Virus:Trj/Downloader.GPB Not disinfected C:\WINDOWS\system32\002k3slc.dll
Adware:Adware/Sqwire Not disinfected C:\WINDOWS\system32\tsuninst.exe
Adware:Adware/Sqwire Not disinfected C:\WINDOWS\temp\tsinstall_4_0_4_0_b4.exe
C:\contextplus.exe
C:\drsmartload1.exe
C:\installer.exe
C:\mte3ndi6odoxng.exe
C:\stub_113_4_0_4_0.exe
C:\WINDOWS\Downloaded Program Files\setup4002b.ini
C:\WINDOWS\drsmartload.dat
C:\WINDOWS\system32\002k3slc.dll
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\temp\tsinstall_4_0_4_0_b4.exe
And the bold folder:
C:\Program Files\Common Files\zzrf\
Then boot back into Normal Mode and post a new Panda Activescan log.
Incident Status Location
Adware:Adware/WinAD Not disinfected C:\Documents and Settings\Frank\Desktop\Download\hijackthis\backups\backup-20051118-002824-854.dll
Adware:adware/sahagent Not disinfected C:\Documents and Settings\Frank\Local Settings\Temp\cdt1004.sah
Adware:adware/dyfuca Not disinfected C:\Documents and Settings\Frank\Local Settings\Temp\cfout.txt
Adware:Adware/nCase Not disinfected C:\Documents and Settings\Frank\Local Settings\Temp\Del1B.tmp
Adware:Adware/nCase Not disinfected C:\Documents and Settings\Frank\Local Settings\Temp\res1C.tmp
Adware:adware/ist.istbar Not disinfected C:\Documents and Settings\Frank\Local Settings\Temp\shortcuts.txt
Adware:Adware/Dyfuca Not disinfected C:\Documents and Settings\Frank\Local Settings\Temp\temp.fr89C2\actalert.exe
Adware:Adware/Sqwire Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\C5BBC4VD\stub_113_4_0_4_0[1].exe
Virus:Trj/Downloader.GPB Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\DG63XPQ5\ltndmain[1].dll
Adware:Adware/ISearch Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\DG63XPQ5\mte3ndi6odoxng[1].exe
Adware:Adware/CommAd Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\DG63XPQ5\timessquare[1].exe
Adware:Adware/Ucmore Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\H0OVLAYW\drsmartload[1].exe
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\H0OVLAYW\installer[1].exe
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\Downloaded Program Files\setup4002b.ini
C:\Documents and Settings\Frank\Local Settings\Temp\
Delete any .exe, .tmp, or .txt files in there.
Next, open up Internet Explorer, and go to Tools»Internet Options. Look for the "Temporary Internet Options" section on the first tab, and click "Clear Temporary Internet Files.
Now browse to where you installed HijackThis and delete all backups there. Finally, if you can find it, delete this file: C:\WINDOWS\Downloaded Program Files\setup4002b.ini. It may have been hidden. Report back with a new log.
Incident Status Location
Adware:adware/sahagent Not disinfected C:\Documents and Settings\Frank\Local Settings\Temp\cdt1004.sah
Adware:Adware/Dyfuca Not disinfected C:\Documents and Settings\Frank\Local Settings\Temp\temp.fr89C2\actalert.exe
Adware:Adware/Sqwire Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\C5BBC4VD\stub_113_4_0_4_0[1].exe
Virus:Trj/Downloader.GPB Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\DG63XPQ5\ltndmain[1].dll
Adware:Adware/ISearch Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\DG63XPQ5\mte3ndi6odoxng[1].exe
Adware:Adware/CommAd Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\DG63XPQ5\timessquare[1].exe
Adware:Adware/Ucmore Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\H0OVLAYW\drsmartload[1].exe
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\H0OVLAYW\installer[1].exe
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\Downloaded Program Files\setup4002b.ini