
Post HSA removal

I just recently removed HSA using your guide, which was extremely helpful btw.
My new problem is now that after the removal my CPU usage is jumping around like crazy, as far as 2% to 95%. I have used Spybot, Ad-Aware, SpySubtract, and a few other malware removal tools. All come up clean. HijackThis comes up with 4 trusted sites that were put there by malware, but no other obvious threats that I see. Also my OS is operating normally other than the CPU usage being out of whack; I have received no errors and have used error checking, defragged, and disk clean-up. So the only thing I can think of is that there is some malware left over using up mem, that or I guess a DoS attack, which is unlikely. I will post HJT logs; please someone assist me. Thanks
Logfile of HijackThis v1.99.0
Scan saved at 12:28:01 AM, on 12/23/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Rage3DTweak\RegTwk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\rage3dtweak\gameutil.exe
C:\WINDOWS\System32\wuauclt.exe
c:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\America's Army\Sounds\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll (file missing)
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RegTweak] C:\Program Files\Rage3DTweak\RegTwk.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: gameutil.exe.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O15 - Trusted Zone: http://home.comcast.net
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_1_0.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15009/CTPID.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

Also the ADS Spy log:
C:\WINDOWS\aolback.exe.lnk : poees (0 bytes)
C:\WINDOWS\Blue Lace 16.bmp : hoxjm (0 bytes)
C:\WINDOWS\clock.avi : qrkvx (29696 bytes)
C:\WINDOWS\CTCCW.DLL : fatzz (99051 bytes)
C:\WINDOWS\DATA.TCD : kzaib (11591 bytes)
C:\WINDOWS\DEA.ini : bnyzm (0 bytes)
C:\WINDOWS\DEA.ini : qflrb (10752 bytes)
C:\WINDOWS\DellMMKb.exe : akbzg (11591 bytes)
C:\WINDOWS\DellMMKb.exe : jidfj (99039 bytes)
C:\WINDOWS\DellMMKb.exe : vzkod (7305 bytes)
C:\WINDOWS\DELLMMKB.EXE.bak : akbzg (11591 bytes)
C:\WINDOWS\DELLMMKB.EXE.bak : everf (11591 bytes)
C:\WINDOWS\DELLMMKB.EXE.bak : jidfj (98816 bytes)
C:\WINDOWS\DELLWP.BMP : agewd (29696 bytes)
C:\WINDOWS\Digital Signature 20020430.htm : cjoll (10752 bytes)
C:\WINDOWS\Digital Signature 20021007.htm : extra (11591 bytes)
C:\WINDOWS\Digital Signature 20030712.htm : cxgrn (11591 bytes)
C:\WINDOWS\Digital Signature 20030712.htm : kmmju (7305 bytes)
C:\WINDOWS\DirectTVIcon.ico : sneqf (10752 bytes)
C:\WINDOWS\DirectTVIcon.ico : xylxu (7305 bytes)
C:\WINDOWS\DtcInstall.log : dmxpw (3347 bytes)
C:\WINDOWS\DtcInstall.log : hxapd (3347 bytes)
C:\WINDOWS\EPSTPLOG.BAK : rmqef (10752 bytes)
C:\WINDOWS\EPSTPLOG.TXT : cphbb (29696 bytes)
C:\WINDOWS\EPSTPLOG.TXT : hdmot (10752 bytes)
C:\WINDOWS\EPSTPLOG.TXT : nyjkj (7305 bytes)
C:\WINDOWS\EPSTPLOG.TXT : xyhvx (10752 bytes)
C:\WINDOWS\eycja.log : fzbpd (3347 bytes)
C:\WINDOWS\eycja.log : ocdfq (0 bytes)
C:\WINDOWS\eycja.log : qyaar (29696 bytes)
C:\WINDOWS\FaxSetup.log : zefuo (10752 bytes)
C:\WINDOWS\FeatherTexture.bmp : cntxb (29696 bytes)
C:\WINDOWS\fkuii.log : lriko (11591 bytes)
C:\WINDOWS\Greenstone.bmp : draqi (7305 bytes)
C:\WINDOWS\Greenstone.bmp : ffgzr (11591 bytes)
C:\WINDOWS\Greenstone.bmp : rxxzq (29696 bytes)
C:\WINDOWS\hflga.txt : wstdk (3347 bytes)
C:\WINDOWS\imsins.BAK : hwkba (0 bytes)
C:\WINDOWS\IsUninst.exe : aellk (7305 bytes)
C:\WINDOWS\IsUninst.exe : qgjso (7305 bytes)
C:\WINDOWS\jyjec.dat : vlqrq (99051 bytes)
C:\WINDOWS\kwv2.dat : fceam (99051 bytes)
C:\WINDOWS\MIDIDEF(2).EXE : ehbwr (29696 bytes)
C:\WINDOWS\MMKeybd.exe : zvcdk (7305 bytes)
C:\WINDOWS\MMKEYBD.INI : cscuy (11591 bytes)
C:\WINDOWS\msgsocm.log : hvloo (10752 bytes)
C:\WINDOWS\msgsocm.log : wlypi (11591 bytes)
C:\WINDOWS\MSIOSD.INI : afwuu (10752 bytes)
C:\WINDOWS\MSIOSD.INI : cpphd (99051 bytes)
C:\WINDOWS\MSIOSD.INI : ntnfu (3347 bytes)
C:\WINDOWS\MSIOSD.INI : wucst (11591 bytes)
C:\WINDOWS\muninst.exe : uqimf (10752 bytes)
C:\WINDOWS\notepad.exe : dzxis (10752 bytes)
C:\WINDOWS\notepad.exe : hmbie (3347 bytes)
C:\WINDOWS\ntbtlog.txt : waqnu (29696 bytes)
C:\WINDOWS\ntdtcsetup.log : darsk (11591 bytes)
C:\WINDOWS\ntdtcsetup.log : zpyqr (3347 bytes)
C:\WINDOWS\ocmsn.log : xifho (11591 bytes)
C:\WINDOWS\ODBC.INI : kygyd (99051 bytes)
C:\WINDOWS\ODBC.INI : vakxm (7305 bytes)
C:\WINDOWS\OEWABLog.txt : ewlno (99051 bytes)
C:\WINDOWS\orun32.ini : obdch (3347 bytes)
C:\WINDOWS\orun32.isu : ptsah (98816 bytes)
C:\WINDOWS\PowerReg.dat : xxdai (0 bytes)
C:\WINDOWS\qsveu.txt : anvse (10752 bytes)
C:\WINDOWS\regopt.log : ruxuk (99051 bytes)
C:\WINDOWS\rtcwgoty.INI : kvqzm (10752 bytes)
C:\WINDOWS\sejdm.dll : vtvox (0 bytes)
C:\WINDOWS\setdebug.exe : jsvyu (29696 bytes)
C:\WINDOWS\setupact.log : lfhbe (29696 bytes)
C:\WINDOWS\setupapi.log : gbmuh (10752 bytes)
C:\WINDOWS\setupapi.log : waqld (10752 bytes)
C:\WINDOWS\slrundll.exe : obarx (29696 bytes)
C:\WINDOWS\slrundll.exe : ybfaj (29696 bytes)
C:\WINDOWS\taskman.exe : yewhb (10752 bytes)
C:\WINDOWS\tsnbw.dll : repnv (29696 bytes)
C:\WINDOWS\uninst.exe : ugafs (11591 bytes)
C:\WINDOWS\VBADDIN.INI : fhdqo (7305 bytes)
C:\WINDOWS\wiadebug.log : xiwvq (3347 bytes)
C:\WINDOWS\WindowsUpdate.log : lnngi (10752 bytes)
C:\WINDOWS\WindowsUpdate.log : yegmg (0 bytes)
C:\WINDOWS\winhlp32.exe : qfzzi (0 bytes)
C:\WINDOWS\wininit.ini : dfylc (29696 bytes)
C:\WINDOWS\WINNT.BMP : ruxhy (10752 bytes)
C:\WINDOWS\wmsetup10.log : motzv (10752 bytes)
C:\WINDOWS\wupdsnff.exe : cnaav (29696 bytes)

Comments

  • SpywareShooter 127.0.0.1
    edited December 2004
    This entry is a resource hog:

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    Fix that entry, then go to Start»Run and type msconfig. Go to the "Startup" tab and disable qttask, reboot and post a new log.
  • edited December 2004
    Done. New log as follows. Still having erratic CPU usage though, but not as bad.
    Logfile of HijackThis v1.99.0
    Scan saved at 9:30:51 PM, on 12/23/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Rage3DTweak\RegTwk.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\rage3dtweak\gameutil.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\America's Army\Sounds\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll (file missing)
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [RegTweak] C:\Program Files\Rage3DTweak\RegTwk.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Global Startup: gameutil.exe.lnk = ?
    O15 - Trusted Zone: http://home.comcast.net
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.static.topconverting.com
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted Zone: *.static.topconverting.com (HKLM)
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_1_0.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15009/CTPID.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
    O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: ATI Smart - Unknown - C:\WINDOWS\SYSTEM32\ati2sgag.exe
    O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
  • Buckeye_Sam Columbus, Ohio
    edited December 2004
    These two lines are unnecessary startup programs and resource hogs. You can remove them with hijackthis:

    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

    and definitely remove these lines:

    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.static.topconverting.com
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted Zone: *.static.topconverting.com (HKLM)

    If the O15 lines still don't go away you can use this method.

    Download(right click and select Save file as or Save link as): DelDomains.inf
    http://mvps.org/winhelp2002/DelDomains.inf

    To use: Close all open browsers
    Right-click DelDomains.inf and select: Install

    Note: this will remove all entries in the Trusted Zone and Restricted Zone.
    Please get an online virus scan.
    http://housecall.trendmicro.com/

    or

    http://www.pandasoftware.com/activescan/com/activescan_principal.htm
    You are really behind on installing Windows critical updates. If you're not infected again already you will be soon unless you install some patches on your system.

    http://windowsupdate.microsoft.com/
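A defender's check for the O15 lines discussed above, added here as an example and not code from the thread or from HijackThis: it parses O15 entries from a HijackThis-format log, maps each to the Internet Explorer ZoneMap registry key it was read from (layout assumed: Domains\<domain>\<subdomain>, value named after the scheme, data 2 = Trusted sites), and flags any Trusted Zone host whose domain is not on an allowlist. The sample log lines are constructed from entries quoted in this thread.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample in HijackThis v1.99 format, built from the shapes seen in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O15 - Trusted Zone: http://home.comcast.net
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
"""

ZONEMAP = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
TRUSTED_ZONE = 2  # zone id stored as the value data; 4 would be Restricted sites

# "*.host" means any protocol (value name "*"); "http://host" means only that scheme.
O15_RE = re.compile(
    r"^O15 - Trusted Zone: (?P<scheme>\*|[a-z]+)(?:\.|://)(?P<host>\S+?)(?P<hklm> \(HKLM\))?$"
)


def parse_o15(line: str) -> Optional[Dict[str, str]]:
    """Split one O15 line into scheme, host, hive and the ZoneMap key; None if not an O15 line."""
    m = O15_RE.match(line.strip())
    if not m:
        return None
    host = m.group("host").lower()
    labels = host.split(".")
    # Assumed ZoneMap layout: Domains\<last two labels>\<remaining labels>, value = scheme.
    domain = ".".join(labels[-2:])
    sub = ".".join(labels[:-2])
    hive = "HKLM" if m.group("hklm") else "HKCU"  # (HKLM) suffix = machine-wide entry
    key = "\\".join([hive, ZONEMAP, domain] + ([sub] if sub else []))
    return {"scheme": m.group("scheme"), "host": host, "domain": domain,
            "hive": hive, "registry_key": key, "value_name": m.group("scheme")}


def audit_trusted_zone(log_text: str, allowlist: Set[str]) -> List[Dict[str, str]]:
    """Return every Trusted Zone entry whose registrable domain is not allow-listed."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o15(line)
        if entry and entry["domain"] not in allowlist:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in audit_trusted_zone(SAMPLE_LOG, {"comcast.net"}):
        print(f"{e['hive']} trusted {e['host']} -> {e['registry_key']} [{e['value_name']}]")
```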