Options
Problems removing Home Search Assistant
Hello Dexter -
My home page has been taken over by the Home Search Assistant and Pop-ups are constantly appearing.
What I've done:
- Run the latest updates of Ad Aware, and Spybot
- Completed your 'removal guide' (three times), including the About Buster.
After I fix the bad entries in the HJT Log (in safe mode), they reappear under a different name in the normal mode...very frustrating.
Here is the latest HJT Log:
Logfile of HijackThis v1.97.7
Scan saved at 8:34:24 PM, on 8/22/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\iPod\Bin\iPodSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\iPod\Bin\iPodWatcher.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPMemCheck.exe
C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPControl.exe
C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Panicware\Pop-Up Scanner\Popupscn.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
C:\WINDOWS\System32\mrtMngr.EXE
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\apioq.exe
C:\WINDOWS\system32\ntxx32.exe
C:\Documents and Settings\Dennis\My Documents\Dennis ******\Programs\Virus Programs\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\byfbq.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\byfbq.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\byfbq.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\byfbq.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\byfbq.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\byfbq.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\byfbq.dll/sp.html#29126
O2 - BHO: (no name) - {9628735E-23FD-B2AE-7639-B629310C3C05} - C:\WINDOWS\netfc.dll
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
O4 - HKLM\..\Run: [iPodWatcher] C:\Program Files\iPod\Bin\iPodWatcher.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [PPMemCheck] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ntxx32.exe] C:\WINDOWS\system32\ntxx32.exe
O4 - HKCU\..\Run: [Pop-Up_Scanner] "C:\Program Files\Panicware\Pop-Up Scanner\Popupscn.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra 'Tools' menuitem: PopThis! Options... (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
Your assistance in greatly appreciated!
My home page has been taken over by the Home Search Assistant and Pop-ups are constantly appearing.
What I've done:
- Run the latest updates of Ad Aware, and Spybot
- Completed your 'removal guide' (three times), including the About Buster.
After I fix the bad entries in the HJT Log (in safe mode), they reappear under a different name in the normal mode...very frustrating.
Here is the latest HJT Log:
Logfile of HijackThis v1.97.7
Scan saved at 8:34:24 PM, on 8/22/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\iPod\Bin\iPodSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\iPod\Bin\iPodWatcher.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPMemCheck.exe
C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPControl.exe
C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Panicware\Pop-Up Scanner\Popupscn.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
C:\WINDOWS\System32\mrtMngr.EXE
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\apioq.exe
C:\WINDOWS\system32\ntxx32.exe
C:\Documents and Settings\Dennis\My Documents\Dennis ******\Programs\Virus Programs\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\byfbq.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\byfbq.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\byfbq.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\byfbq.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\byfbq.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\byfbq.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\byfbq.dll/sp.html#29126
O2 - BHO: (no name) - {9628735E-23FD-B2AE-7639-B629310C3C05} - C:\WINDOWS\netfc.dll
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
O4 - HKLM\..\Run: [iPodWatcher] C:\Program Files\iPod\Bin\iPodWatcher.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [PPMemCheck] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ntxx32.exe] C:\WINDOWS\system32\ntxx32.exe
O4 - HKCU\..\Run: [Pop-Up_Scanner] "C:\Program Files\Panicware\Pop-Up Scanner\Popupscn.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra 'Tools' menuitem: PopThis! Options... (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
Your assistance in greatly appreciated!
0
Comments
Not sure where to go next.
My home page has been taken over by the Home Search Assistant and Pop-ups are constantly appearing.
What I've done:
- Run the latest updates of Ad Aware, and Spybot
- Completed your 'removal guide' (three times), including the About Buster
- Run the latest version of CWShredder 1.59.0.1 and it comes up clean
After I fix the bad entries in the HJT Log (in safe mode), they reappear in the normal mode.
Here is the latest Log:
Logfile of HijackThis v1.97.7
Scan saved at 8:34:24 PM, on 8/22/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\iPod\Bin\iPodSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\iPod\Bin\iPodWatcher.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PEST PA~1\PPMemCheck.exe
C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PEST PA~1\PPControl.exe
C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PEST PA~1\CookiePatrol.exe
C:\Program Files\Panicware\Pop-Up Scanner\Popupscn.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
C:\WINDOWS\System32\mrtMngr.EXE
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\apioq.exe
C:\WINDOWS\system32\ntxx32.exe
C:\Documents and Settings\Dennis\My Documents\Dennis Prechtel\Programs\Virus Programs\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\byfbq.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\byfbq.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\byfbq.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\byfbq.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\byfbq.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about_:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\byfbq.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\byfbq.dll/sp.html#29126
O2 - BHO: (no name) - {9628735E-23FD-B2AE-7639-B629310C3C05} - C:\WINDOWS\netfc.dll
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
O4 - HKLM\..\Run: [iPodWatcher] C:\Program Files\iPod\Bin\iPodWatcher.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [PPMemCheck] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PEST PA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PEST PA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PEST PA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ntxx32.exe] C:\WINDOWS\system32\ntxx32.exe
O4 - HKCU\..\Run: [Pop-Up_Scanner] "C:\Program Files\Panicware\Pop-Up Scanner\Popupscn.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra 'Tools' menuitem: PopThis! Options... (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
In the middle of a big project and need my PC…Your assistance in greatly appreciated!
Thank you
Dexter...
These are the Current Active Services:
Network Security Service (NSS): O??’ŽrtñåȲ$Ó
C:\WINDOWS\system32\apioq.exe /s
Windows Audio: AudioSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs
Computer Browser: Browser
C:\WINDOWS\System32\svchost.exe -k netsvcs
Cryptographic Services: CryptSvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
DHCP Client: Dhcp
C:\WINDOWS\System32\svchost.exe -k netsvcs
Error Reporting Service: ERSvc
C:\WINDOWS\System32\svchost.exe -k netsvcs
COM+ Event System: EventSystem
C:\WINDOWS\System32\svchost.exe -k netsvcs
Fast User Switching Compatibility: FastUserSwitchingCompatibility
C:\WINDOWS\System32\svchost.exe -k netsvcs
Help and Support: helpsvc
C:\WINDOWS\System32\svchost.exe -k netsvcs
Server: lanmanserver
C:\WINDOWS\System32\svchost.exe -k netsvcs
Workstation: lanmanworkstation
C:\WINDOWS\System32\svchost.exe -k netsvcs
Network Connections: Netman
C:\WINDOWS\System32\svchost.exe -k netsvcs
Network Location Awareness (NLA): Nla
C:\WINDOWS\System32\svchost.exe -k netsvcs
Remote Access Auto Connection Manager: RasAuto
C:\WINDOWS\System32\svchost.exe -k netsvcs
Remote Access Connection Manager: RasMan
C:\WINDOWS\System32\svchost.exe -k netsvcs
Task Scheduler: Schedule
C:\WINDOWS\System32\svchost.exe -k netsvcs
Secondary Logon: seclogon
C:\WINDOWS\System32\svchost.exe -k netsvcs
System Event Notification: SENS
C:\WINDOWS\system32\svchost.exe -k netsvcs
Shell Hardware Detection: ShellHWDetection
C:\WINDOWS\System32\svchost.exe -k netsvcs
System Restore Service: srservice
C:\WINDOWS\System32\svchost.exe -k netsvcs
Telephony: TapiSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs
Terminal Services: TermService
C:\WINDOWS\System32\svchost.exe -k netsvcs
Themes: Themes
C:\WINDOWS\System32\svchost.exe -k netsvcs
Distributed Link Tracking Client: TrkWks
C:\WINDOWS\system32\svchost.exe -k netsvcs
Upload Manager: uploadmgr
C:\WINDOWS\System32\svchost.exe -k netsvcs
Windows Time: W32Time
C:\WINDOWS\System32\svchost.exe -k netsvcs
Windows Management Instrumentation: winmgmt
C:\WINDOWS\system32\svchost.exe -k netsvcs
Portable Media Serial Number: WmdmPmSp
C:\WINDOWS\System32\svchost.exe -k netsvcs
Automatic Updates: wuauserv
C:\WINDOWS\system32\svchost.exe -k netsvcs
Wireless Zero Configuration: WZCSVC
C:\WINDOWS\System32\svchost.exe -k netsvcs
AVG6 Service: AvgServ
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
DNS Client: Dnscache
C:\WINDOWS\System32\svchost.exe -k NetworkService
Event Log: Eventlog
C:\WINDOWS\system32\services.exe
Plug and Play: PlugPlay
C:\WINDOWS\system32\services.exe
iPodSrv: iPodSrv
C:\Program Files\iPod\Bin\iPodSrv.exe
TCP/IP NetBIOS Helper: LmHosts
C:\WINDOWS\System32\svchost.exe -k LocalService
SSDP Discovery Service: SSDPSRV
C:\WINDOWS\System32\svchost.exe -k LocalService
WebClient: WebClient
C:\WINDOWS\System32\svchost.exe -k LocalService
IPSEC Services: PolicyAgent
C:\WINDOWS\System32\lsass.exe
Protected Storage: ProtectedStorage
C:\WINDOWS\system32\lsass.exe
Security Accounts Manager: SamSs
C:\WINDOWS\system32\lsass.exe
Remote Procedure Call (RPC): RpcSs
C:\WINDOWS\system32\svchost -k rpcss
Print Spooler: Spooler
C:\WINDOWS\system32\spoolsv.exe
Windows Image Acquisition (WIA): stisvc
C:\WINDOWS\System32\svchost.exe -k imgsvc
VAIO Media Music Server (Application): VAIOMediaPlatform-MusicServer-AppServer
"C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application)"
VAIO Media Music Server (HTTP): VAIOMediaPlatform-MusicServer-HTTP
"C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP"
VAIO Media Music Server (UPnP): VAIOMediaPlatform-MusicServer-UPnP
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
VAIO Media Photo Server (Application): VAIOMediaPlatform-PhotoServer-AppServer
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
VAIO Media Photo Server (HTTP): VAIOMediaPlatform-PhotoServer-HTTP
"C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP"
VAIO Media Photo Server (UPnP): VAIOMediaPlatform-PhotoServer-UPnP
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
WAN Miniport (ATW) Service: WANMiniportService
"C:\WINDOWS\wanmpsvc.exe"
Network Security Service (NSS): O??’ŽrtñåȲ$Ó
C:\WINDOWS\system32\apioq.exe /s
Do Step 6 of the removal guide in NORMAL MODE to stop that service and disable it. Then hard boot to safe mode, and continue on from Step 7 to clean up the files.
Let me know if that helps.
Dexter...
I have responded to your email request - turn out OK?
I completed the steps above and then the ‘Removal Guide’ instructions from step 7 on, however when I returned to normal mode the problem still exists (almost as if I did nothing?!). Here is the latest HJT log:
Logfile of HijackThis v1.97.7
Scan saved at 8:24:54 PM, on 8/23/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\iPod\Bin\iPodSrv.exe
C:\WINDOWS\system32\apioq.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\iPod\Bin\iPodWatcher.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPMemCheck.exe
C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPControl.exe
C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Panicware\Pop-Up Scanner\Popupscn.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\mfcen.exe
C:\WINDOWS\System32\wuauclt.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Dennis\My Documents\Dennis Prechtel\Programs\Virus Programs\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\byfbq.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\byfbq.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\byfbq.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\byfbq.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\byfbq.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\byfbq.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\byfbq.dll/sp.html#29126
O2 - BHO: (no name) - {9628735E-23FD-B2AE-7639-B629310C3C05} - C:\WINDOWS\netfc.dll
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
O4 - HKLM\..\Run: [iPodWatcher] C:\Program Files\iPod\Bin\iPodWatcher.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [PPMemCheck] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ntxx32.exe] C:\WINDOWS\system32\ntxx32.exe
O4 - HKLM\..\Run: [mfcen.exe] C:\WINDOWS\mfcen.exe
O4 - HKCU\..\Run: [Pop-Up_Scanner] "C:\Program Files\Panicware\Pop-Up Scanner\Popupscn.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra 'Tools' menuitem: PopThis! Options... (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
These are the Current Active Services:
Network Security Service (NSS): O??’ŽrtñåȲ$Ó
C:\WINDOWS\system32\apioq.exe /s
Windows Audio: AudioSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs
Computer Browser: Browser
C:\WINDOWS\System32\svchost.exe -k netsvcs
Cryptographic Services: CryptSvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
DHCP Client: Dhcp
C:\WINDOWS\System32\svchost.exe -k netsvcs
Error Reporting Service: ERSvc
C:\WINDOWS\System32\svchost.exe -k netsvcs
COM+ Event System: EventSystem
C:\WINDOWS\System32\svchost.exe -k netsvcs
Fast User Switching Compatibility: FastUserSwitchingCompatibility
C:\WINDOWS\System32\svchost.exe -k netsvcs
Help and Support: helpsvc
C:\WINDOWS\System32\svchost.exe -k netsvcs
Server: lanmanserver
C:\WINDOWS\System32\svchost.exe -k netsvcs
Workstation: lanmanworkstation
C:\WINDOWS\System32\svchost.exe -k netsvcs
Network Connections: Netman
C:\WINDOWS\System32\svchost.exe -k netsvcs
Network Location Awareness (NLA): Nla
C:\WINDOWS\System32\svchost.exe -k netsvcs
Remote Access Auto Connection Manager: RasAuto
C:\WINDOWS\System32\svchost.exe -k netsvcs
Remote Access Connection Manager: RasMan
C:\WINDOWS\System32\svchost.exe -k netsvcs
Task Scheduler: Schedule
C:\WINDOWS\System32\svchost.exe -k netsvcs
Secondary Logon: seclogon
C:\WINDOWS\System32\svchost.exe -k netsvcs
System Event Notification: SENS
C:\WINDOWS\system32\svchost.exe -k netsvcs
Shell Hardware Detection: ShellHWDetection
C:\WINDOWS\System32\svchost.exe -k netsvcs
Telephony: TapiSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs
Terminal Services: TermService
C:\WINDOWS\System32\svchost.exe -k netsvcs
Themes: Themes
C:\WINDOWS\System32\svchost.exe -k netsvcs
Distributed Link Tracking Client: TrkWks
C:\WINDOWS\system32\svchost.exe -k netsvcs
Upload Manager: uploadmgr
C:\WINDOWS\System32\svchost.exe -k netsvcs
Windows Time: W32Time
C:\WINDOWS\System32\svchost.exe -k netsvcs
Windows Management Instrumentation: winmgmt
C:\WINDOWS\system32\svchost.exe -k netsvcs
Portable Media Serial Number: WmdmPmSp
C:\WINDOWS\System32\svchost.exe -k netsvcs
Automatic Updates: wuauserv
C:\WINDOWS\system32\svchost.exe -k netsvcs
Wireless Zero Configuration: WZCSVC
C:\WINDOWS\System32\svchost.exe -k netsvcs
AVG6 Service: AvgServ
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
DNS Client: Dnscache
C:\WINDOWS\System32\svchost.exe -k NetworkService
Event Log: Eventlog
C:\WINDOWS\system32\services.exe
Plug and Play: PlugPlay
C:\WINDOWS\system32\services.exe
iPodSrv: iPodSrv
C:\Program Files\iPod\Bin\iPodSrv.exe
TCP/IP NetBIOS Helper: LmHosts
C:\WINDOWS\System32\svchost.exe -k LocalService
SSDP Discovery Service: SSDPSRV
C:\WINDOWS\System32\svchost.exe -k LocalService
WebClient: WebClient
C:\WINDOWS\System32\svchost.exe -k LocalService
IPSEC Services: PolicyAgent
C:\WINDOWS\System32\lsass.exe
Protected Storage: ProtectedStorage
C:\WINDOWS\system32\lsass.exe
Security Accounts Manager: SamSs
C:\WINDOWS\system32\lsass.exe
Remote Procedure Call (RPC): RpcSs
C:\WINDOWS\system32\svchost -k rpcss
Print Spooler: Spooler
C:\WINDOWS\system32\spoolsv.exe
Windows Image Acquisition (WIA): stisvc
C:\WINDOWS\System32\svchost.exe -k imgsvc
VAIO Media Music Server (Application): VAIOMediaPlatform-MusicServer-AppServer
"C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application)"
VAIO Media Music Server (HTTP): VAIOMediaPlatform-MusicServer-HTTP
"C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP"
VAIO Media Music Server (UPnP): VAIOMediaPlatform-MusicServer-UPnP
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
VAIO Media Photo Server (Application): VAIOMediaPlatform-PhotoServer-AppServer
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
VAIO Media Photo Server (HTTP): VAIOMediaPlatform-PhotoServer-HTTP
"C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP"
VAIO Media Photo Server (UPnP): VAIOMediaPlatform-PhotoServer-UPnP
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
WAN Miniport (ATW) Service: WANMiniportService
"C:\WINDOWS\wanmpsvc.exe"
I see that service still running in your reply here, so you must not have done that step. You need to stop and disable that service, otherwise you will not get anywhere.
Dexter...
I'm not Dexter (not even close), but here are your problem entries, in case you missed one or more:
C:\WINDOWS\system32\apioq.exe
C:\WINDOWS\system32\ntxx32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\byfbq.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\byfbq.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\byfbq.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\byfbq.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\byfbq.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about_:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\byfbq.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\byfbq.dll/sp.html#29126
O2 - BHO: (no name) - {9628735E-23FD-B2AE-7639-B629310C3C05} - C:\WINDOWS\netfc.dll
O4 - HKLM\..\Run: [ntxx32.exe] C:\WINDOWS\system32\ntxx32.exe
If your attempts to destroy all the above using Dexter's system fails, post a new HJT log and we'll take another look.
Thanks -
Here is the latest HJT log:
Logfile of HijackThis v1.97.7
Scan saved at 7:19:02 PM, on 8/24/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\iPod\Bin\iPodSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\iPod\Bin\iPodWatcher.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPMemCheck.exe
C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPControl.exe
C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\mfcen.exe
C:\Program Files\Panicware\Pop-Up Scanner\Popupscn.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\Q309056.log:hhrkh
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
C:\WINDOWS\System32\mrtMngr.EXE
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\Documents and Settings\Dennis\My Documents\Dennis Prechtel\Programs\Virus Programs\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\byfbq.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\byfbq.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\byfbq.dll/sp.html#29126
O2 - BHO: (no name) - {37FF69E5-CDC6-0B84-C167-6FB0367621ED} - C:\WINDOWS\system32\ntgl.dll
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
O4 - HKLM\..\Run: [iPodWatcher] C:\Program Files\iPod\Bin\iPodWatcher.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [PPMemCheck] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ntxx32.exe] C:\WINDOWS\system32\ntxx32.exe
O4 - HKLM\..\Run: [mfcen.exe] C:\WINDOWS\mfcen.exe
O4 - HKCU\..\Run: [Pop-Up_Scanner] "C:\Program Files\Panicware\Pop-Up Scanner\Popupscn.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [hhrkh] C:\WINDOWS\Q309056.log:hhrkh
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra 'Tools' menuitem: PopThis! Options... (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
hese are the Current Active Services:
Windows Audio: AudioSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs
Computer Browser: Browser
C:\WINDOWS\System32\svchost.exe -k netsvcs
Cryptographic Services: CryptSvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
DHCP Client: Dhcp
C:\WINDOWS\System32\svchost.exe -k netsvcs
Error Reporting Service: ERSvc
C:\WINDOWS\System32\svchost.exe -k netsvcs
COM+ Event System: EventSystem
C:\WINDOWS\System32\svchost.exe -k netsvcs
Fast User Switching Compatibility: FastUserSwitchingCompatibility
C:\WINDOWS\System32\svchost.exe -k netsvcs
Help and Support: helpsvc
C:\WINDOWS\System32\svchost.exe -k netsvcs
Server: lanmanserver
C:\WINDOWS\System32\svchost.exe -k netsvcs
Workstation: lanmanworkstation
C:\WINDOWS\System32\svchost.exe -k netsvcs
Network Connections: Netman
C:\WINDOWS\System32\svchost.exe -k netsvcs
Network Location Awareness (NLA): Nla
C:\WINDOWS\System32\svchost.exe -k netsvcs
Remote Access Auto Connection Manager: RasAuto
C:\WINDOWS\System32\svchost.exe -k netsvcs
Remote Access Connection Manager: RasMan
C:\WINDOWS\System32\svchost.exe -k netsvcs
Task Scheduler: Schedule
C:\WINDOWS\System32\svchost.exe -k netsvcs
Secondary Logon: seclogon
C:\WINDOWS\System32\svchost.exe -k netsvcs
System Event Notification: SENS
C:\WINDOWS\system32\svchost.exe -k netsvcs
Shell Hardware Detection: ShellHWDetection
C:\WINDOWS\System32\svchost.exe -k netsvcs
System Restore Service: srservice
C:\WINDOWS\System32\svchost.exe -k netsvcs
Telephony: TapiSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs
Terminal Services: TermService
C:\WINDOWS\System32\svchost.exe -k netsvcs
Themes: Themes
C:\WINDOWS\System32\svchost.exe -k netsvcs
Distributed Link Tracking Client: TrkWks
C:\WINDOWS\system32\svchost.exe -k netsvcs
Upload Manager: uploadmgr
C:\WINDOWS\System32\svchost.exe -k netsvcs
Windows Time: W32Time
C:\WINDOWS\System32\svchost.exe -k netsvcs
Windows Management Instrumentation: winmgmt
C:\WINDOWS\system32\svchost.exe -k netsvcs
Portable Media Serial Number: WmdmPmSp
C:\WINDOWS\System32\svchost.exe -k netsvcs
Automatic Updates: wuauserv
C:\WINDOWS\system32\svchost.exe -k netsvcs
Wireless Zero Configuration: WZCSVC
C:\WINDOWS\System32\svchost.exe -k netsvcs
AVG6 Service: AvgServ
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
DNS Client: Dnscache
C:\WINDOWS\System32\svchost.exe -k NetworkService
Event Log: Eventlog
C:\WINDOWS\system32\services.exe
Plug and Play: PlugPlay
C:\WINDOWS\system32\services.exe
iPodSrv: iPodSrv
C:\Program Files\iPod\Bin\iPodSrv.exe
TCP/IP NetBIOS Helper: LmHosts
C:\WINDOWS\System32\svchost.exe -k LocalService
SSDP Discovery Service: SSDPSRV
C:\WINDOWS\System32\svchost.exe -k LocalService
WebClient: WebClient
C:\WINDOWS\System32\svchost.exe -k LocalService
IPSEC Services: PolicyAgent
C:\WINDOWS\System32\lsass.exe
Protected Storage: ProtectedStorage
C:\WINDOWS\system32\lsass.exe
Security Accounts Manager: SamSs
C:\WINDOWS\system32\lsass.exe
Remote Procedure Call (RPC): RpcSs
C:\WINDOWS\system32\svchost -k rpcss
Print Spooler: Spooler
C:\WINDOWS\system32\spoolsv.exe
Windows Image Acquisition (WIA): stisvc
C:\WINDOWS\System32\svchost.exe -k imgsvc
VAIO Media Music Server (Application): VAIOMediaPlatform-MusicServer-AppServer
"C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application)"
VAIO Media Music Server (HTTP): VAIOMediaPlatform-MusicServer-HTTP
"C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP"
VAIO Media Music Server (UPnP): VAIOMediaPlatform-MusicServer-UPnP
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
VAIO Media Photo Server (Application): VAIOMediaPlatform-PhotoServer-AppServer
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
VAIO Media Photo Server (HTTP): VAIOMediaPlatform-PhotoServer-HTTP
"C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP"
VAIO Media Photo Server (UPnP): VAIOMediaPlatform-PhotoServer-UPnP
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
WAN Miniport (ATW) Service: WANMiniportService
"C:\WINDOWS\wanmpsvc.exe"
Here is the latest HJT log:
Logfile of HijackThis v1.97.7
Scan saved at 7:19:02 PM, on 8/24/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\iPod\Bin\iPodSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\iPod\Bin\iPodWatcher.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPMemCheck.exe
C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPControl.exe
C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\mfcen.exe
C:\Program Files\Panicware\Pop-Up Scanner\Popupscn.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\Q309056.log:hhrkh
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
C:\WINDOWS\System32\mrtMngr.EXE
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\Documents and Settings\Dennis\My Documents\Dennis Prechtel\Programs\Virus Programs\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\byfbq.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\byfbq.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\byfbq.dll/sp.html#29126
O2 - BHO: (no name) - {37FF69E5-CDC6-0B84-C167-6FB0367621ED} - C:\WINDOWS\system32\ntgl.dll
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
O4 - HKLM\..\Run: [iPodWatcher] C:\Program Files\iPod\Bin\iPodWatcher.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [PPMemCheck] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ntxx32.exe] C:\WINDOWS\system32\ntxx32.exe
O4 - HKLM\..\Run: [mfcen.exe] C:\WINDOWS\mfcen.exe
O4 - HKCU\..\Run: [Pop-Up_Scanner] "C:\Program Files\Panicware\Pop-Up Scanner\Popupscn.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [hhrkh] C:\WINDOWS\Q309056.log:hhrkh
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra 'Tools' menuitem: PopThis! Options... (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
hese are the Current Active Services:
Windows Audio: AudioSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs
Computer Browser: Browser
C:\WINDOWS\System32\svchost.exe -k netsvcs
Cryptographic Services: CryptSvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
DHCP Client: Dhcp
C:\WINDOWS\System32\svchost.exe -k netsvcs
Error Reporting Service: ERSvc
C:\WINDOWS\System32\svchost.exe -k netsvcs
COM+ Event System: EventSystem
C:\WINDOWS\System32\svchost.exe -k netsvcs
Fast User Switching Compatibility: FastUserSwitchingCompatibility
C:\WINDOWS\System32\svchost.exe -k netsvcs
Help and Support: helpsvc
C:\WINDOWS\System32\svchost.exe -k netsvcs
Server: lanmanserver
C:\WINDOWS\System32\svchost.exe -k netsvcs
Workstation: lanmanworkstation
C:\WINDOWS\System32\svchost.exe -k netsvcs
Network Connections: Netman
C:\WINDOWS\System32\svchost.exe -k netsvcs
Network Location Awareness (NLA): Nla
C:\WINDOWS\System32\svchost.exe -k netsvcs
Remote Access Auto Connection Manager: RasAuto
C:\WINDOWS\System32\svchost.exe -k netsvcs
Remote Access Connection Manager: RasMan
C:\WINDOWS\System32\svchost.exe -k netsvcs
Task Scheduler: Schedule
C:\WINDOWS\System32\svchost.exe -k netsvcs
Secondary Logon: seclogon
C:\WINDOWS\System32\svchost.exe -k netsvcs
System Event Notification: SENS
C:\WINDOWS\system32\svchost.exe -k netsvcs
Shell Hardware Detection: ShellHWDetection
C:\WINDOWS\System32\svchost.exe -k netsvcs
System Restore Service: srservice
C:\WINDOWS\System32\svchost.exe -k netsvcs
Telephony: TapiSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs
Terminal Services: TermService
C:\WINDOWS\System32\svchost.exe -k netsvcs
Themes: Themes
C:\WINDOWS\System32\svchost.exe -k netsvcs
Distributed Link Tracking Client: TrkWks
C:\WINDOWS\system32\svchost.exe -k netsvcs
Upload Manager: uploadmgr
C:\WINDOWS\System32\svchost.exe -k netsvcs
Windows Time: W32Time
C:\WINDOWS\System32\svchost.exe -k netsvcs
Windows Management Instrumentation: winmgmt
C:\WINDOWS\system32\svchost.exe -k netsvcs
Portable Media Serial Number: WmdmPmSp
C:\WINDOWS\System32\svchost.exe -k netsvcs
Automatic Updates: wuauserv
C:\WINDOWS\system32\svchost.exe -k netsvcs
Wireless Zero Configuration: WZCSVC
C:\WINDOWS\System32\svchost.exe -k netsvcs
AVG6 Service: AvgServ
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
DNS Client: Dnscache
C:\WINDOWS\System32\svchost.exe -k NetworkService
Event Log: Eventlog
C:\WINDOWS\system32\services.exe
Plug and Play: PlugPlay
C:\WINDOWS\system32\services.exe
iPodSrv: iPodSrv
C:\Program Files\iPod\Bin\iPodSrv.exe
TCP/IP NetBIOS Helper: LmHosts
C:\WINDOWS\System32\svchost.exe -k LocalService
SSDP Discovery Service: SSDPSRV
C:\WINDOWS\System32\svchost.exe -k LocalService
WebClient: WebClient
C:\WINDOWS\System32\svchost.exe -k LocalService
IPSEC Services: PolicyAgent
C:\WINDOWS\System32\lsass.exe
Protected Storage: ProtectedStorage
C:\WINDOWS\system32\lsass.exe
Security Accounts Manager: SamSs
C:\WINDOWS\system32\lsass.exe
Remote Procedure Call (RPC): RpcSs
C:\WINDOWS\system32\svchost -k rpcss
Print Spooler: Spooler
C:\WINDOWS\system32\spoolsv.exe
Windows Image Acquisition (WIA): stisvc
C:\WINDOWS\System32\svchost.exe -k imgsvc
VAIO Media Music Server (Application): VAIOMediaPlatform-MusicServer-AppServer
"C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application)"
VAIO Media Music Server (HTTP): VAIOMediaPlatform-MusicServer-HTTP
"C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP"
VAIO Media Music Server (UPnP): VAIOMediaPlatform-MusicServer-UPnP
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
VAIO Media Photo Server (Application): VAIOMediaPlatform-PhotoServer-AppServer
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
VAIO Media Photo Server (HTTP): VAIOMediaPlatform-PhotoServer-HTTP
"C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP"
VAIO Media Photo Server (UPnP): VAIOMediaPlatform-PhotoServer-UPnP
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
WAN Miniport (ATW) Service: WANMiniportService
"C:\WINDOWS\wanmpsvc.exe"
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\byfbq.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\byfbq.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\byfbq.dll/sp.html#29126
O2 - BHO: (no name) - {37FF69E5-CDC6-0B84-C167-6FB0367621ED} - C:\WINDOWS\system32\ntgl.dll
O4 - HKLM\..\Run: [ntxx32.exe] C:\WINDOWS\system32\ntxx32.exe
O4 - HKLM\..\Run: [mfcen.exe] C:\WINDOWS\mfcen.exe
Quarantine those dll and exe files. Hard boot normally, check it out, and come back to post a fresh log for review.
Dexter...
I've done as instructed and the HSA seems to have disappeared! Thanks!
However...the pop-ups persist, and everytime I run the Spybot it cleans up these three files:
Avenue A. inc
Double Click
DSO Exploit
There must be something still running that is attracting these Ads. Here is my latest log:
Logfile of HijackThis v1.97.7
Scan saved at 6:12:35 PM, on 8/26/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\iPod\Bin\iPodSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\iPod\Bin\iPodWatcher.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPMemCheck.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPControl.exe
C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Panicware\Pop-Up Scanner\Popupscn.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Dennis\Application Data\iptl.exe
C:\WINDOWS\System32\ymkoo.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
C:\WINDOWS\System32\mrtMngr.EXE
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dennis\My Documents\Dennis Prechtel\Programs\Virus Programs\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
O2 - BHO: (no name) - {3DFB6702-BC47-4EC3-D30E-15557EAA7367} - C:\WINDOWS\System32\adymlxwz.dll
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
O4 - HKLM\..\Run: [iPodWatcher] C:\Program Files\iPod\Bin\iPodWatcher.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [PPMemCheck] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\CookiePatrol.exe
O4 - HKCU\..\Run: [Pop-Up_Scanner] "C:\Program Files\Panicware\Pop-Up Scanner\Popupscn.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Iinl] C:\Documents and Settings\Dennis\Application Data\iptl.exe
O4 - HKCU\..\Run: [Rttqymtn] C:\WINDOWS\System32\ymkoo.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O9 - Extra 'Tools' menuitem: PopThis! Options... (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
These are the Current Active Services:
Windows Audio: AudioSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs
Computer Browser: Browser
C:\WINDOWS\System32\svchost.exe -k netsvcs
Cryptographic Services: CryptSvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
DHCP Client: Dhcp
C:\WINDOWS\System32\svchost.exe -k netsvcs
Error Reporting Service: ERSvc
C:\WINDOWS\System32\svchost.exe -k netsvcs
COM+ Event System: EventSystem
C:\WINDOWS\System32\svchost.exe -k netsvcs
Fast User Switching Compatibility: FastUserSwitchingCompatibility
C:\WINDOWS\System32\svchost.exe -k netsvcs
Help and Support: helpsvc
C:\WINDOWS\System32\svchost.exe -k netsvcs
Server: lanmanserver
C:\WINDOWS\System32\svchost.exe -k netsvcs
Workstation: lanmanworkstation
C:\WINDOWS\System32\svchost.exe -k netsvcs
Network Connections: Netman
C:\WINDOWS\System32\svchost.exe -k netsvcs
Network Location Awareness (NLA): Nla
C:\WINDOWS\System32\svchost.exe -k netsvcs
Remote Access Auto Connection Manager: RasAuto
C:\WINDOWS\System32\svchost.exe -k netsvcs
Remote Access Connection Manager: RasMan
C:\WINDOWS\System32\svchost.exe -k netsvcs
Task Scheduler: Schedule
C:\WINDOWS\System32\svchost.exe -k netsvcs
Secondary Logon: seclogon
C:\WINDOWS\System32\svchost.exe -k netsvcs
System Event Notification: SENS
C:\WINDOWS\system32\svchost.exe -k netsvcs
Shell Hardware Detection: ShellHWDetection
C:\WINDOWS\System32\svchost.exe -k netsvcs
System Restore Service: srservice
C:\WINDOWS\System32\svchost.exe -k netsvcs
Telephony: TapiSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs
Terminal Services: TermService
C:\WINDOWS\System32\svchost.exe -k netsvcs
Themes: Themes
C:\WINDOWS\System32\svchost.exe -k netsvcs
Distributed Link Tracking Client: TrkWks
C:\WINDOWS\system32\svchost.exe -k netsvcs
Upload Manager: uploadmgr
C:\WINDOWS\System32\svchost.exe -k netsvcs
Windows Time: W32Time
C:\WINDOWS\System32\svchost.exe -k netsvcs
Windows Management Instrumentation: winmgmt
C:\WINDOWS\system32\svchost.exe -k netsvcs
Portable Media Serial Number: WmdmPmSp
C:\WINDOWS\System32\svchost.exe -k netsvcs
Automatic Updates: wuauserv
C:\WINDOWS\system32\svchost.exe -k netsvcs
Wireless Zero Configuration: WZCSVC
C:\WINDOWS\System32\svchost.exe -k netsvcs
AVG6 Service: AvgServ
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
DNS Client: Dnscache
C:\WINDOWS\System32\svchost.exe -k NetworkService
Event Log: Eventlog
C:\WINDOWS\system32\services.exe
Plug and Play: PlugPlay
C:\WINDOWS\system32\services.exe
iPodSrv: iPodSrv
C:\Program Files\iPod\Bin\iPodSrv.exe
TCP/IP NetBIOS Helper: LmHosts
C:\WINDOWS\System32\svchost.exe -k LocalService
SSDP Discovery Service: SSDPSRV
C:\WINDOWS\System32\svchost.exe -k LocalService
WebClient: WebClient
C:\WINDOWS\System32\svchost.exe -k LocalService
IPSEC Services: PolicyAgent
C:\WINDOWS\System32\lsass.exe
Protected Storage: ProtectedStorage
C:\WINDOWS\system32\lsass.exe
Security Accounts Manager: SamSs
C:\WINDOWS\system32\lsass.exe
Remote Procedure Call (RPC): RpcSs
C:\WINDOWS\system32\svchost -k rpcss
Print Spooler: Spooler
C:\WINDOWS\system32\spoolsv.exe
Windows Image Acquisition (WIA): stisvc
C:\WINDOWS\System32\svchost.exe -k imgsvc
VAIO Media Music Server (Application): VAIOMediaPlatform-MusicServer-AppServer
"C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application)"
VAIO Media Music Server (HTTP): VAIOMediaPlatform-MusicServer-HTTP
"C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP"
VAIO Media Music Server (UPnP): VAIOMediaPlatform-MusicServer-UPnP
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
VAIO Media Photo Server (Application): VAIOMediaPlatform-PhotoServer-AppServer
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
VAIO Media Photo Server (HTTP): VAIOMediaPlatform-PhotoServer-HTTP
"C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP"
VAIO Media Photo Server (UPnP): VAIOMediaPlatform-PhotoServer-UPnP
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
WAN Miniport (ATW) Service: WANMiniportService
"C:\WINDOWS\wanmpsvc.exe"
O2 - BHO: (no name) - {3DFB6702-BC47-4EC3-D30E-15557EAA7367} - C:\WINDOWS\System32\adymlxwz.dll
O4 - HKCU\..\Run: [Iinl] C:\Documents and Settings\Dennis\Application Data\iptl.exe
O4 - HKCU\..\Run: [Rttqymtn] C:\WINDOWS\System32\ymkoo.exe
Reboot normally, check things out and let me know. Post another log for review.
Also, make sure to use the immunize feature of Spybot, and also download Spyware Blaster from our downloads are, and use it to further immunize your system.
Dexter...
I still get notices however that 'Double Click' and 'Avenue A' are still trying to download entries on to my PC. What files could be drawing them in?
Thanks for your advice...
Latest HJT Log:
Logfile of HijackThis v1.97.7
Scan saved at 12:58:14 PM, on 8/27/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\iPod\Bin\iPodSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\iPod\Bin\iPodWatcher.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPMemCheck.exe
C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPControl.exe
C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Panicware\Pop-Up Scanner\Popupscn.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Dennis\My Documents\Dennis Prechtel\Programs\Virus Programs\Hijackthis\HijackThis.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
O4 - HKLM\..\Run: [iPodWatcher] C:\Program Files\iPod\Bin\iPodWatcher.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [PPMemCheck] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\DOCUME~1\Dennis\STARTM~1\Programs\SCANSO~1\PESTPA~1\CookiePatrol.exe
O4 - HKCU\..\Run: [Pop-Up_Scanner] "C:\Program Files\Panicware\Pop-Up Scanner\Popupscn.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O9 - Extra 'Tools' menuitem: PopThis! Options... (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
These are the Current Active Services:
Windows Audio: AudioSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs
Computer Browser: Browser
C:\WINDOWS\System32\svchost.exe -k netsvcs
Cryptographic Services: CryptSvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
DHCP Client: Dhcp
C:\WINDOWS\System32\svchost.exe -k netsvcs
Error Reporting Service: ERSvc
C:\WINDOWS\System32\svchost.exe -k netsvcs
COM+ Event System: EventSystem
C:\WINDOWS\System32\svchost.exe -k netsvcs
Fast User Switching Compatibility: FastUserSwitchingCompatibility
C:\WINDOWS\System32\svchost.exe -k netsvcs
Help and Support: helpsvc
C:\WINDOWS\System32\svchost.exe -k netsvcs
Server: lanmanserver
C:\WINDOWS\System32\svchost.exe -k netsvcs
Workstation: lanmanworkstation
C:\WINDOWS\System32\svchost.exe -k netsvcs
Network Connections: Netman
C:\WINDOWS\System32\svchost.exe -k netsvcs
Network Location Awareness (NLA): Nla
C:\WINDOWS\System32\svchost.exe -k netsvcs
Remote Access Auto Connection Manager: RasAuto
C:\WINDOWS\System32\svchost.exe -k netsvcs
Remote Access Connection Manager: RasMan
C:\WINDOWS\System32\svchost.exe -k netsvcs
Task Scheduler: Schedule
C:\WINDOWS\System32\svchost.exe -k netsvcs
Secondary Logon: seclogon
C:\WINDOWS\System32\svchost.exe -k netsvcs
System Event Notification: SENS
C:\WINDOWS\system32\svchost.exe -k netsvcs
Shell Hardware Detection: ShellHWDetection
C:\WINDOWS\System32\svchost.exe -k netsvcs
Telephony: TapiSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs
Terminal Services: TermService
C:\WINDOWS\System32\svchost.exe -k netsvcs
Themes: Themes
C:\WINDOWS\System32\svchost.exe -k netsvcs
Distributed Link Tracking Client: TrkWks
C:\WINDOWS\system32\svchost.exe -k netsvcs
Upload Manager: uploadmgr
C:\WINDOWS\System32\svchost.exe -k netsvcs
Windows Time: W32Time
C:\WINDOWS\System32\svchost.exe -k netsvcs
Windows Management Instrumentation: winmgmt
C:\WINDOWS\system32\svchost.exe -k netsvcs
Portable Media Serial Number: WmdmPmSp
C:\WINDOWS\System32\svchost.exe -k netsvcs
Automatic Updates: wuauserv
C:\WINDOWS\system32\svchost.exe -k netsvcs
Wireless Zero Configuration: WZCSVC
C:\WINDOWS\System32\svchost.exe -k netsvcs
AVG6 Service: AvgServ
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
DNS Client: Dnscache
C:\WINDOWS\System32\svchost.exe -k NetworkService
Event Log: Eventlog
C:\WINDOWS\system32\services.exe
Plug and Play: PlugPlay
C:\WINDOWS\system32\services.exe
iPodSrv: iPodSrv
C:\Program Files\iPod\Bin\iPodSrv.exe
TCP/IP NetBIOS Helper: LmHosts
C:\WINDOWS\System32\svchost.exe -k LocalService
SSDP Discovery Service: SSDPSRV
C:\WINDOWS\System32\svchost.exe -k LocalService
WebClient: WebClient
C:\WINDOWS\System32\svchost.exe -k LocalService
IPSEC Services: PolicyAgent
C:\WINDOWS\System32\lsass.exe
Protected Storage: ProtectedStorage
C:\WINDOWS\system32\lsass.exe
Security Accounts Manager: SamSs
C:\WINDOWS\system32\lsass.exe
Remote Procedure Call (RPC): RpcSs
C:\WINDOWS\system32\svchost -k rpcss
Print Spooler: Spooler
C:\WINDOWS\system32\spoolsv.exe
Windows Image Acquisition (WIA): stisvc
C:\WINDOWS\System32\svchost.exe -k imgsvc
VAIO Media Music Server (Application): VAIOMediaPlatform-MusicServer-AppServer
"C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application)"
VAIO Media Music Server (HTTP): VAIOMediaPlatform-MusicServer-HTTP
"C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP"
VAIO Media Music Server (UPnP): VAIOMediaPlatform-MusicServer-UPnP
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
VAIO Media Photo Server (Application): VAIOMediaPlatform-PhotoServer-AppServer
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
VAIO Media Photo Server (HTTP): VAIOMediaPlatform-PhotoServer-HTTP
"C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP"
VAIO Media Photo Server (UPnP): VAIOMediaPlatform-PhotoServer-UPnP
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
WAN Miniport (ATW) Service: WANMiniportService
"C:\WINDOWS\wanmpsvc.exe"