
Need help please!!!!

Hello all,

I am new to the forum but found this forum searching for a solution to my problem.

I made the mistake of letting my roommate use my PC and now what used to be a perfectly running PC has turned into a hijacked pain in my ass.

When I open IE, the home page has been hijacked to an "E Search" page which provides a link to uninstall. When I click on the link, of course it is BS and it sends you to a page to purchase software.

I am also getting some pop ups that are very strange.

I read through some threads that say to use Hijack This and post their log so here it is.

Could someone please help me out here? I am not sure what I need to do to fix this problem.

Thank you in advance.

Logfile of HijackThis v1.99.1
Scan saved at 10:48:41 PM, on 1/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\syslb.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\iejz.exe
C:\Program Files\palmOne\Hotsync.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
C:\DOCUME~1\Jon\LOCALS~1\Temp\Rar$EX00.594\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\oxcft.dll/sp.html#53142%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\oxcft.dll/sp.html#53142%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\oxcft.dll/sp.html#53142%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\oxcft.dll/sp.html#53142%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\oxcft.dll/sp.html#53142%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\oxcft.dll/sp.html#53142%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\oxcft.dll/sp.html#53142%resultposition.net
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {9E1C2098-D595-F524-F176-D0102B012320} - C:\WINDOWS\system32\mfcvm32.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Ulead Quick-Drop] C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator\Ulead Quick-Drop 1.0\Quick-Drop.exe WINDOWCALL
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iejz.exe] C:\WINDOWS\iejz.exe
O4 - HKLM\..\Run: [28.tmp] C:\DOCUME~1\Jon\LOCALS~1\Temp\28.tmp.exe
O4 - HKLM\..\Run: [29.tmp] C:\DOCUME~1\Jon\LOCALS~1\Temp\29.tmp.exe
O4 - HKLM\..\Run: [28.tmp.exe] C:\DOCUME~1\Jon\LOCALS~1\Temp\28.tmp.exe
O4 - HKLM\..\Run: [29.tmp.exe] C:\DOCUME~1\Jon\LOCALS~1\Temp\29.tmp.exe
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101168064328
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\syslb.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)

Comments

  • TroganTrogan London, UK
    edited January 2006
    Hi, Welcome to Short-Media :)
    ---

    You currently are running HijackThis from here:

    C:\DOCUME~1\Jon\LOCALS~1\Temp\Rar$EX00.594\


    Please make a folder here:
    c:\HJT
    and place HijackThis in that folder.

    DO NOT follow the steps below until you have moved HijackThis
    --


    I need you to download some programs for use later.

    Download this file and unzip it to your desktop

    Download About:Buster from here. Once it is downloaded extract it to c:\aboutbuster and check for updates. Do NOT use it yet

    Download CWShredder from here, install it, check for updates but again, don't use it yet.

    Download and install Ewido Security Suite Trial from here. Run and update the program but do not scan with it yet.

    Ensure hidden files and folders are set to show;
    • Click Start.
    • Open My Computer.
    • Select the Tools menu and click Folder Options.
    • Select the View Tab.
    • Under the Hidden files and folders heading select Show hidden files and folders.
    • Uncheck the Hide protected operating system files (recommended) option.
    • Click Yes to confirm.
    • Click OK.
    Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok

    Scroll down and find the service called Remote Procedure Call (RPC) Helper. When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

    Please disconnect from the Internet and unplug your modem for the duration of this fix. You may want to print the rest of these instructions.

    Reboot your computer into Safe Mode by tapping F8 while booting up and continue for the rest of the fix in SAFE MODE

    While in safe mode, double click on the HSfix.reg file you downloaded at the beginning. Grant it permission to add the registry items.

    Then Open cwshredder that you downloaded in the first step. Close all browser windows and click on the fix/next button.

    Bring up task manager Ctrl-Alt-Del and end these processes if they are present

    C:\WINDOWS\system32\syslb.exe
    C:\WINDOWS\iejz.exe


    Now find and delete these files, if you can't find one then don't worry.. just move on to the next one.

    C:\WINDOWS\oxcft.dll
    C:\WINDOWS\iejz.exe
    C:\WINDOWS\system32\mfcvm32.dll
    C:\WINDOWS\system32\syslb.exe
    C:\DOCUME~1\Jon\LOCALS~1\Temp\28.tmp.exe
    C:\DOCUME~1\Jon\LOCALS~1\Temp\29.tmp.exe


    Now run hijackthis and click the scan button, when it has finished scanning put a check against the following and click 'fix checked'

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\oxcft.dll/sp.html#53142%resultposition.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\oxcft.dll/sp.html#53142%resultposition.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\oxcft.dll/sp.html#53142%resultposition.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\oxcft.dll/sp.html#53142%resultposition.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\oxcft.dll/sp.html#53142%resultposition.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\oxcft.dll/sp.html#53142%resultposition.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\oxcft.dll/sp.html#53142%resultposition.net

    R3 - Default URLSearchHook is missing

    O2 - BHO: Class - {9E1C2098-D595-F524-F176-D0102B012320} - C:\WINDOWS\system32\mfcvm32.dll

    O4 - HKLM\..\Run: [iejz.exe] C:\WINDOWS\iejz.exe
    O4 - HKLM\..\Run: [28.tmp] C:\DOCUME~1\Jon\LOCALS~1\Temp\28.tmp.exe
    O4 - HKLM\..\Run: [29.tmp] C:\DOCUME~1\Jon\LOCALS~1\Temp\29.tmp.exe
    O4 - HKLM\..\Run: [28.tmp.exe] C:\DOCUME~1\Jon\LOCALS~1\Temp\28.tmp.exe
    O4 - HKLM\..\Run: [29.tmp.exe] C:\DOCUME~1\Jon\LOCALS~1\Temp\29.tmp.exe

    O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\syslb.exe


    The following step is important as you may have several malware files in your temp directories.

    Browse to the C:\documents and settings\Your User Name (repeat for all other user names in documents and settings)\local settings\temp folder and delete all files and folders in it.

    Then browse to the C:\Windows\Temp folder and delete all files and folders in it.

    Then in Internet Explorer click Tools > Internet Options > General. Click on Delete Files and make sure you get all offline content as well.

    Now navigate to the c:\aboutbuster directory and double-click on AboutBuster.exe. Click Begin Removal to allow AboutBuster to scan. When it has finished, AboutBuster will open a 'Scan Completed' window. Click OK. Another information window will open. Click on Exit. AboutBuster will inform you that a log has been created. Click OK. I will need you to post that log later.

    Run Ewido and do a full System Scan with it. Let it clean anything it finds. Save the report it creates.

    Now reboot, and run hijackthis again and post a fresh log along with the about buster log and the Ewido log. :)
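The entries Trogan picked out of the first log above can be reproduced mechanically. The script below is an added example, not code from the thread, from HijackThis or from any of the tools named in it: it parses HJT-style log lines and flags the patterns the helper reacted to (IE search values served from a local DLL through `res://`, a default page forced to `about:blank`, a removed URLSearchHook, BHOs with no descriptive name or a missing DLL, Run entries launched from a Temp folder or from the root of C:\WINDOWS, services whose display name is binary garbage, and running processes that are the binaries of flagged entries). The allowlist `WINDOWS_ROOT_OK`, the reason strings and the trimmed sample log are assumptions made for the example; a hit means "look this up", not "delete it" (a legitimate file such as UpdReg.EXE in C:\WINDOWS would be flagged too).

```python
r"""Triage a HijackThis (v1.99) log with the heuristics used in the thread:
res:// search values, about:blank default page, missing URLSearchHook,
unnamed or orphaned BHOs, Run entries from Temp or the root of C:\WINDOWS,
services with garbage display names, processes that are flagged binaries."""
import re
from typing import Dict, List

# Constructed excerpt of the log posted at the top of the thread (a few lines
# per section, not the complete log).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\syslb.exe
C:\WINDOWS\iejz.exe
C:\Program Files\NavNT\vptray.exe
C:\DOCUME~1\Jon\LOCALS~1\Temp\Rar$EX00.594\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\oxcft.dll/sp.html#53142%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wdiv.com/
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {9E1C2098-D595-F524-F176-D0102B012320} - C:\WINDOWS\system32\mfcvm32.dll
O2 - BHO: Class - {916BD8F7-1F22-5714-6511-AE95C43FF9F1} - C:\WINDOWS\system32\crkn.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [iejz.exe] C:\WINDOWS\iejz.exe
O4 - HKLM\..\Run: [28.tmp] C:\DOCUME~1\Jon\LOCALS~1\Temp\28.tmp.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\syslb.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>R[0-3]|O\d+) - (?P<body>.*)$")
# Extension-terminated so that paths containing spaces survive intact.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx|kpp)\b", re.IGNORECASE)
# Assumed allowlist of executables that legitimately live in C:\WINDOWS itself.
WINDOWS_ROOT_OK = {"explorer.exe"}

def first_path(text: str) -> str:
    """Return the first Windows path in text, or '' when there is none."""
    m = PATH_RE.search(text)
    return m.group(0) if m else ""

def in_windows_root(path: str) -> bool:
    parts = path.split("\\")
    return (len(parts) == 3 and parts[1].upper() == "WINDOWS"
            and parts[2].lower() not in WINDOWS_ROOT_OK)

def in_temp(path: str) -> bool:
    return "\\temp\\" in path.lower()

def check_entry(kind: str, body: str) -> List[str]:
    """Reasons an R*/O* entry deserves a second look (empty list = none)."""
    reasons: List[str] = []
    path = first_path(body)
    if kind.startswith("R"):
        if "res://" in body:
            reasons.append("IE search/start value served from a local DLL (res://)")
        elif body.endswith("= about:blank"):
            reasons.append("IE default page forced to about:blank")
        elif body.endswith("is missing"):
            reasons.append("default URLSearchHook removed")
    elif kind == "O2":
        if body.startswith("BHO: Class -"):
            reasons.append("BHO with no descriptive name")
        if body.endswith("(file missing)"):
            reasons.append("BHO registration whose DLL no longer exists")
    elif kind == "O4":
        if in_temp(path):
            reasons.append("Run entry launches from a Temp folder")
        if in_windows_root(path):
            reasons.append("Run entry launches from the root of C:\\WINDOWS")
    elif kind == "O23":
        display = body[len("Service: "):].split(" - ")[0]
        if any(ord(c) < 32 or ord(c) > 126 for c in display):
            reasons.append("service display name contains non-printable characters")
        if body.endswith("(file missing)"):
            reasons.append("service whose binary no longer exists")
    return reasons

def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each suspicious log line to the reasons it was flagged."""
    processes, entries = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):      # blank line or section header
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((line, m.group("kind"), m.group("body")))
        elif PATH_RE.match(line):               # "Running processes" section
            processes.append(line)
    flagged: Dict[str, List[str]] = {}
    bad_binaries = set()                        # binaries named by flagged entries
    for line, kind, body in entries:
        reasons = check_entry(kind, body)
        if reasons:
            flagged[line] = reasons
            if first_path(body):
                bad_binaries.add(first_path(body).lower())
    for line in processes:
        reasons = []
        if in_windows_root(line):
            reasons.append("process runs from the root of C:\\WINDOWS")
        if in_temp(line):
            reasons.append("process runs from a Temp folder")
        if line.lower() in bad_binaries:
            reasons.append("binary of a flagged entry")
        if reasons:
            flagged[line] = reasons
    return flagged

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Run against the sample it flags the same lines Trogan listed (the res:// values, the about:blank page, the missing URLSearchHook, both "Class" BHOs, the iejz.exe and Temp Run entries, the RPC Helper service) plus syslb.exe and iejz.exe as running processes, and it also flags HijackThis.exe itself for running from Temp, which is exactly why the first instruction was to move it to C:\HJT. The Google toolbar, vptray, DefWatch and the wdiv.com start page pass untouched.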
  • edited January 2006
    Thanks for your reply. To be sure I did the first step right by moving HJT.

    I just went to my C: drive, created a new folder and named it HJT and then moved the program into that folder. Is that correct?
  • TroganTrogan London, UK
    edited January 2006
    That's correct. :)

    It's important to move HJT so backups can be created.
  • edited January 2006
    Alright... I finally got a chance to do this. I will post each log separately so it is easy for you to read. Thank you very much for the help.

    I will start with the HijackThis log.

    Logfile of HijackThis v1.99.1
    Scan saved at 8:19:48 PM, on 1/3/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\palmOne\Hotsync.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\HJT\HijackThis.exe

    O2 - BHO: Class - {0B7BB476-D99E-5DD3-E092-CBD7B7A94A44} - C:\WINDOWS\d3ob32.dll (file missing)
    O2 - BHO: Class - {916BD8F7-1F22-5714-6511-AE95C43FF9F1} - C:\WINDOWS\system32\crkn.dll (file missing)
    O2 - BHO: Class - {99DB325C-EB88-33C3-7785-032CC2FC713B} - C:\WINDOWS\system32\atlpq.dll (file missing)
    O2 - BHO: Class - {D5058A20-A9B3-4BE0-AA2D-1FE9375BA5E6} - C:\WINDOWS\ipwk.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Ulead Quick-Drop] C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator\Ulead Quick-Drop 1.0\Quick-Drop.exe WINDOWCALL
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
    O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
    O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101168064328
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)
  • edited January 2006

    ewido anti-malware - Scan report

    + Created on: 8:17:07 PM, 1/3/2006
    + Report-Checksum: 1D0F6A7E

    + Scan result:

    HKLM\SOFTWARE\Classes\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5} -> Spyware.CoolWebSearch : Cleaned with backup
    HKU\S-1-5-21-796845957-1897051121-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{79849612-A98F-45B8-95E9-4D13C7B6B35C} -> Spyware.Crazywinnings : Cleaned with backup
    HKU\S-1-5-21-796845957-1897051121-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
    :mozilla.6:C:\Documents and Settings\Jon\Application Data\Mozilla\Profiles\default\xqyskewg.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
    :mozilla.7:C:\Documents and Settings\Jon\Application Data\Mozilla\Profiles\default\xqyskewg.slt\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
    :mozilla.10:C:\Documents and Settings\Jon\Application Data\Mozilla\Profiles\default\xqyskewg.slt\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
    :mozilla.11:C:\Documents and Settings\Jon\Application Data\Mozilla\Profiles\default\xqyskewg.slt\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
    :mozilla.12:C:\Documents and Settings\Jon\Application Data\Mozilla\Profiles\default\xqyskewg.slt\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
    :mozilla.17:C:\Documents and Settings\Jon\Application Data\Mozilla\Profiles\default\xqyskewg.slt\cookies.txt -> Spyware.Cookie.Euniverseads : Cleaned with backup
    :mozilla.32:C:\Documents and Settings\Jon\Application Data\Mozilla\Profiles\default\xqyskewg.slt\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
    :mozilla.50:C:\Documents and Settings\Jon\Application Data\Mozilla\Profiles\default\xqyskewg.slt\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
    :mozilla.51:C:\Documents and Settings\Jon\Application Data\Mozilla\Profiles\default\xqyskewg.slt\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
    :mozilla.52:C:\Documents and Settings\Jon\Application Data\Mozilla\Profiles\default\xqyskewg.slt\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
    :mozilla.53:C:\Documents and Settings\Jon\Application Data\Mozilla\Profiles\default\xqyskewg.slt\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
    C:\Documents and Settings\Jon\Cookies\jon@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
    C:\Documents and Settings\Jon\Cookies\jon@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
    C:\RECYCLER\S-1-5-21-796845957-1897051121-725345543-1003\Dc30.exe -> Downloader.Agent.td : Cleaned with backup
    C:\RECYCLER\S-1-5-21-796845957-1897051121-725345543-1003\Dc31.dll -> Downloader.Agent.bc : Cleaned with backup


    ::Report End
  • edited January 2006
    AboutBuster 6.0
    Scan started on [1/3/2006] at [6:39:49 PM]
    Internet Explorer Instances Terminated!
    HomeSearch Service stopped if present
    Removed Stream! C:\WINDOWS\002502_.tmp:zjmiqs
    Removed Stream! C:\WINDOWS\KB890047Uninst.log:ybkizp
    Removed Stream! C:\WINDOWS\KB890923.log:rudvcs
    Removed Stream! C:\WINDOWS\KB891781Uninst.log:buvawc
    Removed Stream! C:\WINDOWS\KB894391.log:dwuyd
    Removed Stream! C:\WINDOWS\KB896424.log:nxnexm
    Removed Stream! C:\WINDOWS\KB896428.log:ysqttb
    Removed Stream! C:\WINDOWS\KB896727.log:gpfjzw
    Removed Stream! C:\WINDOWS\KB896727.log:xxceok
    Removed Stream! C:\WINDOWS\KB899591.log:jucmpv
    Removed Stream! C:\WINDOWS\msfsetup.ini:rxjofn
    Removed Stream! C:\WINDOWS\netfxocm.log:kqtbhy
    Removed Stream! C:\WINDOWS\ntdtcsetup.log:cqmhba
    Removed Stream! C:\WINDOWS\ntdtcsetup.log:vevxt
    Removed Stream! C:\WINDOWS\ODBCINST.INI:vrfmvk
    Removed Stream! C:\WINDOWS\Q327979.log:ggghp
    Removed Stream! C:\WINDOWS\Rhododendron.bmp:lqotv
    Removed Stream! C:\WINDOWS\_default.pif:gjtdwq
    Removed Stream! C:\WINDOWS\_default.pif:oibpug
    Removed Stream! C:\WINDOWS\_default.pif:vhqkav
    Removed File! : C:\WINDOWS\addph.exe
    Removed File! : C:\WINDOWS\d3ob32.dll
    Removed File! : C:\WINDOWS\htgvk.dat
    Removed File! : C:\WINDOWS\iefr.dll
    Removed File! : C:\WINDOWS\ipwk.dll
    Removed File! : C:\WINDOWS\jucmp.txt
    Removed File! : C:\WINDOWS\mrkmh.log
    Removed File! : C:\WINDOWS\tvedb.dll
    Removed File! : C:\WINDOWS\zuyaf.dat
    Removed File! : C:\WINDOWS\system32\buurj.log
    Removed File! : C:\WINDOWS\system32\cndlb.dll
    Removed File! : C:\WINDOWS\system32\crkn.dll
    Removed File! : C:\WINDOWS\system32\cwqzx.dll
    Removed File! : C:\WINDOWS\system32\dwuyd.dat
    Removed File! : C:\WINDOWS\system32\gwldu.dat
    Removed File! : C:\WINDOWS\system32\netxi32.exe
    Removed File! : C:\WINDOWS\system32\vuasy.dat
    Removed File! : C:\WINDOWS\system32\xnexm.dll
    Removed File! : C:\WINDOWS\system32\ysqtt.dat
    Removed Temp Files
    Internet Explorer Settings Reset!
    Scan was COMPLETED SUCCESSFULLY at 6:42:32 PM
  • TroganTrogan London, UK
    edited January 2006
    Good Job. Follow these steps


    Step 1
    Go to Add/Remove programs in Control Panel and look for the following

    SpywareCleaner

    If found, please uninstall.


    Step 2
    You may want to print these instructions or save them as you'll have no internet connection once in Safe Mode

    View hidden files and folders - explained here

    Go into Safe Mode - explained here


    Step 3
    Check the following in HJT and click 'Fix Checked' - Close ALL open Browsers first

    O2 - BHO: Class - {0B7BB476-D99E-5DD3-E092-CBD7B7A94A44} - C:\WINDOWS\d3ob32.dll (file missing)
    O2 - BHO: Class - {916BD8F7-1F22-5714-6511-AE95C43FF9F1} - C:\WINDOWS\system32\crkn.dll (file missing)
    O2 - BHO: Class - {99DB325C-EB88-33C3-7785-032CC2FC713B} - C:\WINDOWS\system32\atlpq.dll (file missing)
    O2 - BHO: Class - {D5058A20-A9B3-4BE0-AA2D-1FE9375BA5E6} - C:\WINDOWS\ipwk.dll (file missing)

    O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)

    O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)



    Step 4
    Find and Delete the following:

    C:\Program Files\Spyware Cleaner << this folder


    Step 5
    Reboot and post a new HJT log :)
  • edited January 2006
    Thanks again....I will have to do this tomorrow.

    Talk to you then.
  • edited January 2006
    Here is the new log.....

    Logfile of HijackThis v1.99.1
    Scan saved at 6:15:39 PM, on 1/4/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\palmOne\Hotsync.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wdiv.com/
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Ulead Quick-Drop] C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator\Ulead Quick-Drop 1.0\Quick-Drop.exe WINDOWCALL
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101168064328
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
  • TroganTrogan London, UK
    edited January 2006
    Congratulations! Your log looks clean - good work!

    Now that your PC is clean you need to follow these easy steps to keeping it this way:

    Secure your Internet Explorer by going here and following the instructions there.

    Better yet, use an alternative browser! Download Firefox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which in my opinion, is better still.

    Use a firewall to help prevent your PC's control being usurped by undesirables.

    Install and keep updated Ad-Aware SE and Spybot S&D.
    Run them both on a regular basis, following the manufacturer's recommendations.

    Install and keep updated SpywareBlaster 3.4.

    Install an anti-virus. There are some good, free AVs available today. Make sure that it is updated regularly and have it scan your system often.

    Check for Windows Updates. Microsoft regularly posts updates for your system's safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.


    Clear your Temp folders.
    Clear out your Temporary internet files and other temp files.
    Go to Start > Settings > Control Panel >Internet Options.

    Under the General tab click the Delete temporary internet files,
    delete all Offline content as well. Clear out Cookies.

    Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

    Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

    C:\Documents and Settings\username\Local Settings\Temp\

    In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

    Empty the Recycle Bin.

    For XP users.
    After something like this it is a good idea to Flush the Restore Points and start fresh.
    To flush the XP system Restore Points.

    Go to Start>Run and type msconfig. Press enter.

    When msconfig opens, click the Launch System Restore Button.
    On the next page, click the System Restore Settings link on the left.

    Check the box labelled 'Turn off System restore'.

    Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.

    Note that all previous restore points will be lost.

    ===============

    If you have any more problems, post back.


    Please consider joining the Folding@Home Project :)
    Join our Folding@Home team! Alzheimer's, Parkinson's, cancer... we're trying to cure them with our computers! You've at least read a little about it in the greeting I sent you when you signed up for the site. We're always really pleased to greet new members to the team, and it's a quick way to become an appreciated member of the community.
    MORE INFO: READ THIS