
need mega help from mega nice dudes

got a free computer and am having lots of problems with it. many programs won't open, stuff getting added to favorites, changing start page. this stuff is kinda worrying me. ran adaware and spybot and cwshredder. also hijackthis but i can't open the notebook file. i can type it all out if i need to. i appreciate any help.

Comments

  • edited March 2005
    i opened it in word instead

    Logfile of HijackThis v1.99.1
    Scan saved at 4:12:09 AM, on 3/14/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\inetdata\services.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Hello\Hello.exe
    C:\Program Files\AIM95\aim.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Ron\Local Settings\Temp\Temporary Directory 3 for hijackthis_199.zip\HijackThis.exe
    C:\Program Files\Microsoft Money\System\urlmap.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-paga.com/10039/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.yahoo.com
    R3 - Default URLSearchHook is missing
    F3 - REG:win.ini: run=C:\WINDOWS\inetdata\services.exe
    O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - (no file)
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [TrayX] C:\WINDOWS\winppr32.exe /sinc
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
    O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Dkq0h.exe
    O4 - HKLM\..\Run: [v37j39h] dmbertrm.exe
    O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
    O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
    O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\pd7.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
    O4 - HKLM\..\Run: [cbyeqh] c:\windows\system32\cbyeqh.exe
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [e0otRVN5g] immdll.exe
    O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
    O4 - Global Startup: Digimax Viewer 1.0.lnk = ?
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {10D982BA-4A0F-1657-C766-2E3E77408E2B} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {434CB6D5-98F2-7151-7CC5-39103FCAD4D7} - http://69.50.182.94/1/rdgUS994.exe
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • Buckeye_Sam Columbus, Ohio
    edited March 2005
    You have a few separate infections. Let's take them one at a time.

    Download Newuninst.exe
    http://www.thatcomputerguy.us/downloads/newuninst.exe

    Double click on 'Newuninst.exe' and press *Uninstall*. Let it run and when the progress bar says *complete* you can then press *close*. You must be online to have this work and do not block any attempts for the program to connect to the internet if your firewall requests access. It will just run and then close.

    Reboot and post a new hijackthis log.
  • edited March 2005
    thank you so much for your help. i think it's great that you guys help us computer illiterate chumps. i am indebted to you very much. here's the new hijackthis log after downloading newuninst.exe and running it. once again your trouble is greatly appreciated.

    Logfile of HijackThis v1.99.1
    Scan saved at 1:07:40 PM, on 3/16/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\inetdata\services.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Hello\Hello.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\windows\system32\cbyeqh.exe
    C:\Program Files\ISTsvc\istsvc.exe
    C:\windows\system32\packager.exe
    C:\WINDOWS\wwkcetse.exe
    C:\WINDOWS\cfszifez.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\AutoUpdate\AutoUpdate.exe
    C:\Program Files\Web_Rebates\WebRebates0.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
    C:\Program Files\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Web_Rebates\WebRebates1.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Microsoft Money\System\urlmap.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Ron\Local Settings\Temp\Temporary Directory 6 for hijackthis_199.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-paga.com/10039/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R3 - Default URLSearchHook is missing
    F3 - REG:win.ini: run=C:\WINDOWS\inetdata\services.exe
    O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - (no file)
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
    O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - (no file)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O3 - Toolbar: (no name) - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - (no file)
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [TrayX] C:\WINDOWS\winppr32.exe /sinc
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
    O4 - HKLM\..\Run: [v37j39h] dmbertrm.exe
    O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [cbyeqh] c:\windows\system32\cbyeqh.exe
    O4 - HKLM\..\Run: [printer] C:\WINDOWS\dstart2.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [sFiltaUIN] C:\WINDOWS\wwkcetse.exe
    O4 - HKLM\..\Run: [cfszifez] C:\WINDOWS\cfszifez.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
    O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
    O4 - Global Startup: Digimax Viewer 1.0.lnk = ?
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
    O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {0CA02BC8-4C0C-13F1-9F68-39694ABC41C7} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {0DED039E-EF3D-3570-4BC8-7A1531DB8624} - http://69.50.182.94/1/rdgUS994.exe
    O16 - DPF: {10D982BA-4A0F-1657-C766-2E3E77408E2B} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c7.cab
    O16 - DPF: {3DB17DB4-1111-6F84-B5A7-72400C4A647D} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
    O16 - DPF: {434CB6D5-98F2-7151-7CC5-39103FCAD4D7} - http://69.50.182.94/1/rdgUS994.exe
    O16 - DPF: {4B7D0B74-9691-5C79-D75F-0BA357FB73FF} - http://69.50.182.94/1/rdgUS994.exe
    O16 - DPF: {5B2EC131-6708-5826-4DAF-278C72E42471} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {60241146-92B8-1E18-723D-77C924F31D4B} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {68DF3A59-FF46-5EED-3B0F-0BA834E407DD} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {690FC9FE-7BC2-2252-E17F-7D2217CE1122} - http://69.50.182.94/1/rdgUS994.exe
    O16 - DPF: {766D7E7F-8B39-31BD-F0FB-444053875433} - http://69.50.182.94/1/rdgUS994.exe
    O16 - DPF: {77165A9C-9351-362E-3E18-67B6223F7926} - http://69.50.182.94/1/rdgUS994.exe
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
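
Comparing the two logs posted so far by hand is error-prone, so here is an added example (not part of the original thread and not HijackThis's own code) that parses HijackThis entries by section code and reports what appeared, what disappeared, and which entries HijackThis itself marks as pointing at a missing file. The sample input is a short excerpt of lines from the 3/14 and 3/16 logs above; the function names are this example's own, and the output is a diff only, not a verdict on any entry.

```python
import re
from collections import defaultdict

# A log entry is a section code (R0, F3, O4, O16, ...) followed by " - " and the
# entry body. Header lines and the "Running processes" paths do not match.
ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2})\s+-\s+(.*\S)\s*$")
# Markers HijackThis appends when the file an entry references is absent.
ORPHAN_RE = re.compile(r"\((?:no file|file missing)\)\s*$", re.IGNORECASE)

# Excerpt of the log saved 3/14/2005 in this thread.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 4:12:09 AM, on 3/14/2005
Running processes:
C:\WINDOWS\inetdata\services.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Dkq0h.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\pd7.exe
O4 - HKLM\..\Run: [cbyeqh] c:\windows\system32\cbyeqh.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
"""

# Excerpt of the log saved 3/16/2005 at 1:07 PM in this thread.
LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 1:07:40 PM, on 3/16/2005
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
O4 - HKLM\..\Run: [cbyeqh] c:\windows\system32\cbyeqh.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
"""


def parse_log(text):
    """Return {section_code: {casefolded_entry: original_entry}} for one log."""
    sections = defaultdict(dict)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            code, body = m.groups()
            # Windows paths are case-insensitive, so compare on a folded key.
            sections[code][body.casefold()] = body
    return sections


def section_key(code):
    """Sort R0 < R1 < ... < O2 < O4 < O16 numerically within each letter."""
    return (code[0], int(code[1:]))


def diff_logs(before, after):
    """Return (added, removed) as lists of (section_code, entry)."""
    added, removed = [], []
    for code in sorted(set(before) | set(after), key=section_key):
        old, new = before.get(code, {}), after.get(code, {})
        added += [(code, new[k]) for k in sorted(new.keys() - old.keys())]
        removed += [(code, old[k]) for k in sorted(old.keys() - new.keys())]
    return added, removed


def orphaned(sections):
    """Entries whose target file HijackThis reported as absent."""
    return [
        (code, entry)
        for code in sorted(sections, key=section_key)
        for entry in sorted(sections[code].values())
        if ORPHAN_RE.search(entry)
    ]


if __name__ == "__main__":
    before, after = parse_log(LOG_BEFORE), parse_log(LOG_AFTER)
    added, removed = diff_logs(before, after)
    for label, rows in (("ADDED", added), ("REMOVED", removed),
                        ("MISSING FILE", orphaned(after))):
        for code, entry in rows:
            print(f"{label:13} {code:4} {entry}")
```
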
  • Buckeye_Sam Columbus, Ohio
    edited March 2005
    Download and run Microsoft's Antispyware application.

    http://www.microsoft.com/athome/security/spyware/software/default.mspx

    Remove everything that it finds.


    Reboot and post a new hijackthis log.
  • edited March 2005
    downloaded and installed the microsoft antispyware application, but when tried to run it an error came up "warning: microsoft windows antispyware has encountered a critical error (error 101)..."
  • Buckeye_Sam Columbus, Ohio
    edited March 2005
    Reboot your computer into Safe Mode

    Try running it in Safe Mode. If you get the same error, try reinstalling the program.
  • edited March 2005
    tried both. no luck. got the same error.
  • Buckeye_Sam Columbus, Ohio
    edited March 2005
    Ok, let's try Ad-Aware.

    Please follow these instructions to run Ad-Aware.
    • Download, install, update, configure, and run Ad-Aware SE Personal 1.05.
      1. Download Ad-Aware SE Personal 1.05:
      2. Install Ad-Aware SE Personal 1.05:
        • Double-click on aawsepersonal.exe to install the program.
        • Follow the default settings for installation.
        • After the program has finished installing uncheck the "Perform a full system scan now", "Update definition file now", and "Open the help file now" boxes.
      3. Update Ad-Aware SE Personal 1.05:
        • Double-click the Ad-Aware SE Personal icon on your desktop.
        • Click "Check for updates now" then click "Connect".
        • It will check for any updates. If any are found click "OK" to download and install the updates. Once it has finished click "Finish".
      4. Configure Ad-Aware SE Personal 1.05:
        • Click on the Gear button at the top of the window.
        • Click "General" on the left hand side to display the General Settings box.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Automatically save logfile"
            • "Automatically quarantine objects prior to removal"
            • "Safe Mode (always request confirmation)"
            • "Prompt to update outdated definitions" - change to 7 days from the default 14.
        • Click "Scanning" on the left hand side to display the Scan Settings box.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Scan within archives"
            • "Select drives & folders to scan" - select your hard drive(s).
            • "Scan active processes"
            • "Scan registry"
            • "Deep-scan registry"
            • "Scan my IE favorites for banned URLs"
            • "Scan my Hosts file"
        • Click "Advanced" on the left hand side to display the Advanced Settings box.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Move deleted files to Recycle Bin"
            • "Include additional object information"
            • "Include negligible objects information"
            • "Include environment information"
        • Click "Defaults" on the left hand side to display the Default Settings box.
          • Make sure these items have your preferred settings in them:
            • "Default homepage"
            • "Default searchpage"
        • Click "Tweak" on the left hand side to display the Tweak Settings box.
          • Click the + (plus) sign next to the Log Files section. This will expand the section.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Include basic Ad-Aware settings in log file"
            • "Include additional Ad-Aware settings in log file"
            • "Include reference summary in log file"
            • "Include alternate data stream details in log file"
          • Click the + (plus) sign next to the Scanning Engine section. This will expand the section.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Unload recognized processes & modules during scan"
            • "Scan registry for all users instead of current user only"
            • "Obtain command line of scanned processes"
          • Click the + (plus) sign next to the Cleaning Engine section. This will expand the section.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Always try to unload modules before deletion"
            • "During removal, unload Explorer and IE if necessary"
            • "Let Windows remove files in use at next reboot"
            • "Delete quarantined objects after restoring"
        • Once you are done with these settings, click "Proceed" to save them.
        • This will take you back to the main screen.
      5. Run Ad-Aware SE Personal 1.05:
        • Click the "Start" button.
        • Uncheck the "Search for negligible risk entries" entry.
        • Choose the "Use custom scanning options" scan mode.
        • Click the "Next" button.
        • Ad-Aware will begin to scan for malware residing on your computer.
        • Allow the scan to finish.
        • Right-click on any entry in the list and click "Select All" to select the whole list.
        • Click "Next" and choose "OK" at the prompt to quarantine and remove the objects.

    Reboot and post a new hijackthis log and we'll see what's left.
  • edited March 2005
    alright, rocked the ad aware and it worked way better than when i did it myself. here's the new hijackthis log. she's a beauty.

    Logfile of HijackThis v1.99.1
    Scan saved at 3:39:36 PM, on 3/16/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Hello\Hello.exe
    C:\WINDOWS\wwkcetse.exe
    C:\WINDOWS\inetdata\services.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\AntiSpyware Microsoft\gcasServ.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
    C:\Program Files\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\DOCUME~1\Ron\LOCALS~1\Temp\MbyEdg.exe
    C:\Program Files\ISTsvc\istsvc.exe
    C:\Program Files\Microsoft Money\System\urlmap.exe
    C:\Documents and Settings\Ron\Local Settings\Temp\Temporary Directory 7 for hijackthis_199.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-paga.com/10039/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.yahoo.com
    R3 - Default URLSearchHook is missing
    F3 - REG:win.ini: run=C:\WINDOWS\inetdata\services.exe
    O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - (no file)
    O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inetdata\3.00.00.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [TrayX] C:\WINDOWS\winppr32.exe /sinc
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
    O4 - HKLM\..\Run: [v37j39h] dmbertrm.exe
    O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [cbyeqh] c:\windows\system32\cbyeqh.exe
    O4 - HKLM\..\Run: [printer] C:\WINDOWS\dstart2.exe
    O4 - HKLM\..\Run: [sFiltaUIN] C:\WINDOWS\wwkcetse.exe
    O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\AntiSpyware Microsoft\gcasServ.exe"
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
    O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
    O4 - Global Startup: Digimax Viewer 1.0.lnk = ?
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {0CA02BC8-4C0C-13F1-9F68-39694ABC41C7} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {0DED039E-EF3D-3570-4BC8-7A1531DB8624} - http://69.50.182.94/1/rdgUS994.exe
    O16 - DPF: {10D982BA-4A0F-1657-C766-2E3E77408E2B} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c7.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {1F93E039-595B-7527-48B9-07215C779AFF} - http://69.50.182.94/1/rdgUS994.exe
    O16 - DPF: {3DB17DB4-1111-6F84-B5A7-72400C4A647D} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {434CB6D5-98F2-7151-7CC5-39103FCAD4D7} - http://69.50.182.94/1/rdgUS994.exe
    O16 - DPF: {4B7D0B74-9691-5C79-D75F-0BA357FB73FF} - http://69.50.182.94/1/rdgUS994.exe
    O16 - DPF: {5B2EC131-6708-5826-4DAF-278C72E42471} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {60241146-92B8-1E18-723D-77C924F31D4B} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {62B43833-8EC3-35B7-7B1D-7AF941EA98EC} - http://69.50.182.94/1/rdgUS994.exe
    O16 - DPF: {68DF3A59-FF46-5EED-3B0F-0BA834E407DD} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {690FC9FE-7BC2-2252-E17F-7D2217CE1122} - http://69.50.182.94/1/rdgUS994.exe
    O16 - DPF: {766D7E7F-8B39-31BD-F0FB-444053875433} - http://69.50.182.94/1/rdgUS994.exe
    O16 - DPF: {77165A9C-9351-362E-3E18-67B6223F7926} - http://69.50.182.94/1/rdgUS994.exe
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • Buckeye_Sam Columbus, Ohio
    edited March 2005
    Still lots of stuff to clean up.

    Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

    How to see hidden files in Windows


    Run Hijackthis, then click on the Config button, followed by the Misc Tools button, and finally the Open Process Manager button.

    When the Process Manager opens up, look for any processes that are located in c:\windows\inetdata. Click once on the process that starts with that path, and press the Kill Process button. If there is more than one process running with that path, then while holding down the control key on your keyboard, click on each of these processes until all the ones that we need to end are highlighted. Then proceed with clicking on the Kill Process button.


    Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-paga.com/10039/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R3 - Default URLSearchHook is missing
    F3 - REG:win.ini: run=C:\WINDOWS\inetdata\services.exe
    O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
    O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - (no file)
    O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inetdata\3.00.00.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
    O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
    O4 - HKLM\..\Run: [v37j39h] dmbertrm.exe
    O4 - HKLM\..\Run: [cbyeqh] c:\windows\system32\cbyeqh.exe
    O4 - HKLM\..\Run: [printer] C:\WINDOWS\dstart2.exe
    O4 - HKLM\..\Run: [sFiltaUIN] C:\WINDOWS\wwkcetse.exe
    O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O16 - DPF: {0CA02BC8-4C0C-13F1-9F68-39694ABC41C7} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {0DED039E-EF3D-3570-4BC8-7A1531DB8624} - http://69.50.182.94/1/rdgUS994.exe
    O16 - DPF: {10D982BA-4A0F-1657-C766-2E3E77408E2B} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6...e/bridge-c7.cab
    O16 - DPF: {1F93E039-595B-7527-48B9-07215C779AFF} - http://69.50.182.94/1/rdgUS994.exe
    O16 - DPF: {3DB17DB4-1111-6F84-B5A7-72400C4A647D} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {434CB6D5-98F2-7151-7CC5-39103FCAD4D7} - http://69.50.182.94/1/rdgUS994.exe
    O16 - DPF: {4B7D0B74-9691-5C79-D75F-0BA357FB73FF} - http://69.50.182.94/1/rdgUS994.exe
    O16 - DPF: {5B2EC131-6708-5826-4DAF-278C72E42471} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {60241146-92B8-1E18-723D-77C924F31D4B} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {62B43833-8EC3-35B7-7B1D-7AF941EA98EC} - http://69.50.182.94/1/rdgUS994.exe
    O16 - DPF: {68DF3A59-FF46-5EED-3B0F-0BA834E407DD} - http://69.50.182.94/1/rdgUS896.exe
    O16 - DPF: {690FC9FE-7BC2-2252-E17F-7D2217CE1122} - http://69.50.182.94/1/rdgUS994.exe
    O16 - DPF: {766D7E7F-8B39-31BD-F0FB-444053875433} - http://69.50.182.94/1/rdgUS994.exe
    O16 - DPF: {77165A9C-9351-362E-3E18-67B6223F7926} - http://69.50.182.94/1/rdgUS994.exe


    Delete these files and directories, if present.

    c:\windows\inetdata\services.exe
    c:\windows\inetdata\explorer.exe
    c:\windows\inetdata\winlogon.exe
    c:\windows\inetdata\2.00.00.dll
    c:\windows\inetdata\cron.ini
    c:\windows\inetdata
    c:\windows\tasks\sa.dat
    C:\WINDOWS\dlmax.dll
    c:\installer\id53.exe
    dmbertrm.exe
    c:\windows\system32\cbyeqh.exe
    C:\WINDOWS\dstart2.exe
    C:\WINDOWS\wwkcetse.exe
    C:\WINDOWS\farmmext.exe
    C:\Program Files\ISTsvc


    Please run these two online scans.
    Make sure they are set to clean automatically:

    http://www.bitdefender.com/scan/licence.php

    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    If there are files that cannot be removed by the scans, please include that information in your next post.



    Reboot and post a new hijackthis log.
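
A triage sketch for the kind of log posted above, as an added example that is not part of the thread and not HijackThis's own logic. The heuristics (a core system process name outside System32, a BHO with no file, a Run value with no full path, an ActiveX download of an .exe from a bare IP address) and the names `triage`, `masquerades` and `SYSTEM32_ONLY` are assumptions of this example; the sample lines are copied from the posted log.

```python
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\services.exe
C:\WINDOWS\inetdata\services.exe
O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - (no file)
O4 - HKLM\..\Run: [v37j39h] dmbertrm.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O16 - DPF: {0CA02BC8-4C0C-13F1-9F68-39694ABC41C7} - http://69.50.182.94/1/rdgUS896.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
"""

# Process names that legitimately run only from %SystemRoot%\System32 (assumed list).
SYSTEM32_ONLY = {"services.exe", "winlogon.exe", "lsass.exe", "smss.exe", "svchost.exe"}

def masquerades(path):
    """True if a core system process name sits outside a System32 directory."""
    directory, _, name = path.lower().rpartition("\\")
    return name in SYSTEM32_ONLY and not directory.endswith("\\system32")

def triage(log_text):
    """Return (reason, line) pairs for entries that deserve a closer look."""
    findings = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        entry = re.match(r"(O\d+|[RFN]\d) - (.*)", line)
        if entry is None:  # running-process section: bare image paths
            if masquerades(line):
                findings.append(("system process name outside System32", line))
            continue
        section, rest = entry.groups()
        if section == "O2" and rest.endswith("(no file)"):
            findings.append(("BHO with no file on disk", line))
        elif section == "O4" and "Run: [" in rest:
            command = rest.partition("] ")[2].lstrip('"')
            image = re.match(r"[a-z]:\\.*?\.exe", command, re.I)
            if image is None:
                findings.append(("Run entry without a full path", line))
            elif masquerades(image.group(0)):
                findings.append(("system process name outside System32", line))
        elif section == "O16":
            url = urlparse(rest.rsplit(" - ", 1)[-1])
            host_is_ip = re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", url.hostname or "")
            if host_is_ip and url.path.lower().endswith(".exe"):
                findings.append(("ActiveX download of .exe from bare IP", line))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

A hit only marks an entry for manual review; entries such as `c:\installer\id53.exe` in the posted fix list match none of these rules and still need a human reader.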