Help with spyware!

alexCali · August 2006

Here's the HJT log I need some assistance through the deleting process plz fellaz.

Logfile of HijackThis v1.99.1
Scan saved at 5:14:34 AM, on 8/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\REEMAA~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\soyys.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,dkfddkd.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0D0EFE39-4775-2196-E26D-0D9DF167C95F} - C:\DOCUME~1\REEMAA~1\APPLIC~1\CLOSED~1\Option Mags.exe
O2 - BHO: (no name) - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - (no file)
O2 - BHO: Oddbot - {2B896072-F6E3-4FF7-ADE6-43D5BEC6557C} - C:\WINDOWS\system32\nodeipproc.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\system32\adrotate.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "-embedding http://iesettingsupdate"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Trogan · August 2006

Hi Alex, can you do the followiing please:

Go to Start > Control Panel > Add/Remove Programs and uninstall 'Window Search', 'Window Searching', 'Window Active' 'Lop.com', 'LOP SEARCH', 'Browser Enhancer', or 'Ultimate Browser Enhancer' if listed. You may be given a code to insert, do so and reboot when done.

If none of the above are listed, run the Lop Remover from:
http://66.220.17.157/help.html

=====

Download Qoofix by RubbeR DuckY from one of the following locations:

http://www.malwarebytes.org/Qoofix.zip or
http://www.besttechie.net/tools/Qoofix.zip

Unzip all files to a convenient location such as C:\Qoofix.
Go to the folder you unzipped all files and run Qoofix.exe.
Click Begin Removal and wait for the scan to finish.
If an infection has been found, select yes to restart your computer.

Finally post a new HijackThis log and the contents of the Qoofix logfile.

Also, I would like to see another log from HijackThis.

Run Hijackthis.
Click on Open the Misc Tools section.
Next click on Open uninstall manager.
Press the Save list button. It will open a Notepad file.
Copy & Paste the entire contents of that file in your in your next post.

alexCali · August 2006

Hi again,
I couldn't find any of those programs u told me about but I found something similar called: Enhanced Browser Overlay should I remove it?

Logfile of HijackThis v1.99.1
Scan saved at 6:28:39 AM, on 8/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\REEMAA~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0D0EFE39-4775-2196-E26D-0D9DF167C95F} - C:\DOCUME~1\REEMAA~1\APPLIC~1\CLOSED~1\Option Mags.exe
O2 - BHO: (no name) - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - (no file)
O2 - BHO: Oddbot - {2B896072-F6E3-4FF7-ADE6-43D5BEC6557C} - C:\WINDOWS\system32\nodeipproc.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\system32\adrotate.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "-embedding http://iesettingsupdate"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMA WEB] C:\DOCUME~1\REEMAA~1\APPLIC~1\SOFTDA~1\about locks.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Qoofix v1.03 by http://www.malwarebytes.org
Scan started on [8/2/2006] at [6:21:11 AM]

Terminated module: imhujno.dll found in Qoofix.exe (1608)
Terminated module: imhujno.dll found in cfhusf.exe (576)
Terminated module: imhujno.dll found in soyys.exe (744)
Terminated module: imhujno.dll found in soyys.exe (1072)
Terminated module: imhujno.dll found in soyys.exe (1080)
Terminated module: imhujno.dll found in igfxtray.exe (2260)
Terminated module: imhujno.dll found in hkcmd.exe (2268)
Terminated module: imhujno.dll found in msnmsgr.exe (2396)
Terminated module: imhujno.dll found in IEXPLORE.EXE (1424)
Terminated module: imhujno.dll found in IEXPLORE.EXE (2308)
Terminated module: imhujno.dll found in IEXPLORE.EXE (3648)
Terminated module: imhujno.dll found in YPager.exe (3884)

C:\WINDOWS\system32\cfhusf.exe will be deleted on reboot!
C:\WINDOWS\system32\dkfddkd.exe will be deleted on reboot!
C:\WINDOWS\system32\hdwxe.dat will be deleted on reboot!
C:\WINDOWS\system32\imhujno.dll will be deleted on reboot!
C:\WINDOWS\system32\soyys.exe will be deleted on reboot!
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\tntvy.exe will be deleted on reboot!
C:\WINDOWS\unwn.exe will be deleted on reboot!
C:\WINDOWS\system32\dmonwv.dll will be deleted on reboot!

User prompted YES to reboot, system now rebooting...

Scan COMPLETED SUCCESSFULLY on [8/2/2006] at [6:22:41 AM]

Note: Some registry keys may have been removed.

Ad-Aware SE Professional
Adobe Reader 6.0.1
BearShare
CC_ccProxyExt
ccCommon
ccPxyCore
CCScore
Conexant AC-Link Audio
Easy Internet Sign-up
eMusic - 50 Free MP3 offer
Enhanced Browser Overlay
ESSBrwr
ESSCDBK
ESScore
ESSCT
ESSEMAIL
ESSgui
ESShelp
ESSini
ESSPCD
ESSSONIC
ESSTOOLS
essvatgt
essvcpt
ESSvpaht
ESSvpot
Google Toolbar for Internet Explorer
HijackThis 1.99.1
HLPIndex
HLPSFO
HP Help and Support
HP Image Zone 3.5
HP Integrated Module with Bluetooth wireless technology
HP PSC & OfficeJet 3.5
HP Software Update
HP User Guides 0001
HP Wireless Assistant
Icons
Intel(R) Graphics Media Accelerator Driver for Mobile
InterVideo WinDVD
iTunes
J2SE Runtime Environment 5.0
Kodak EasyShare software
KSU
LiveReg (Symantec Corporation)
LiveUpdate 2.5 (Symantec Corporation)
Macromedia Flash Player 8
MediaTickets by OIN
Messenger Plus! 3 & Sponsor
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Money 2005
Microsoft Office Professional Edition 2003
Microsoft Office Standard Edition 2003
Microsoft Office XP Professional with FrontPage
Microsoft Works
mIRC
MSN Messenger 7.5
MSRedist
muvee autoProducer 4.0 - SE
Norton AntiSpam
Norton AntiVirus 2005
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security 2005 (Symantec Corporation)
Norton Security Center
Norton WMI Update
Norton WMI Update
Notifier
OfotoXMI
OTtBP
OTtBPSDK
Quick Launch Buttons 5.10 B2
QuickTime
Rhapsody Player Engine
SAM 2003
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
SFR
SHASTA
SKIN0001
SKINXSDK
Skype 2.0
Soft Data Fax Modem with SmartCP
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
SPBBC
Symantec Script Blocking Installer
SymNet
Synaptics Pointing Device Driver
System Process
Texas Instruments PCIxx21/x515 drivers.
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
VPRINTOL
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Live Sign-in Assistant
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB884575
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885464
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WIRELESS
Yahoo! extras
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar

Trogan · August 2006

Yeah, we'll remove that now.

Click Start > Run > type in appwiz.cpl and hit enter. From the list uninstall the following, if present:

BearShare << OPTIONAL
eMusic - 50 Free MP3 offer
Enhanced Browser Overlay
Icons
J2SE Runtime Environment 5.0
MediaTickets by OIN

Then...

Go here
Scroll down to Java Runtime Environment (JRE) 5.0 Update 7 and click on the Download button
Seelct the "Accept" option for the license agreement
Click on Windows Online Installation (typical download size is ~7.1MB), Multi-language and download it to your Desktop. You may need to click on the link once more after accepting the license agreement
Open the Java file on your Desktop and follow the instructions until Java has fully been installed.

Once Java has been installed, continue below:

Post a new HijackThis log, along with a new Uninstall list.

alexCali · August 2006

it sais the page cannot be displayed when I click on the "here" link. but when I tried it on a different computer just now it worked. what should I do?

Trogan · August 2006

It works for me too. What browser are you using?

alexCali · August 2006

baah Im really sorry how do I figure that out? I feel really dumb I know I have Internet Explorer but I cant figure out which version is it.

alexCali · August 2006

what I'll prolly try doing is copy that update from one computer to another. and install it in there. the problem is where did this update egt installed
i cant find it.

alexCali · August 2006

I've done it I copied the installer to my computer when I clicked on it it said: "The installer cannot proceed with the current Internet Connection proxy settings. Please check the Installation Notes for more information." What do u think?

Trogan · August 2006

Sorry for the delay...

Thats strange! Try this:

Open Internet Explorer
Go to Tools > Click on Reset Web Settins if listed
Otherwise, click on Internet Options
Go to the Security tab
For Internet and Local Intranet click Default Level
Click Apply and OK

Try installing it again. If that doesn't work, download Firefox and try.

Let me know how it goes.

alexCali · August 2006

no chance with the java thingy. I installed firefox. here are the logs of the HJT and the uninstall list:

Logfile of HijackThis v1.99.1
Scan saved at 7:39:59 AM, on 8/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\REEMAA~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Reema Ammati\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0D0EFE39-4775-2196-E26D-0D9DF167C95F} - C:\DOCUME~1\REEMAA~1\APPLIC~1\CLOSED~1\Option Mags.exe
O2 - BHO: (no name) - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMA WEB] C:\DOCUME~1\REEMAA~1\APPLIC~1\SOFTDA~1\about locks.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

Ad-Aware SE Professional
Adobe Reader 6.0.1
BearShare
CC_ccProxyExt
ccCommon
ccPxyCore
CCScore
Conexant AC-Link Audio
Easy Internet Sign-up
ESSBrwr
ESSCDBK
ESScore
ESSCT
ESSEMAIL
ESSgui
ESShelp
ESSini
ESSPCD
ESSSONIC
ESSTOOLS
essvatgt
essvcpt
ESSvpaht
ESSvpot
Google Toolbar for Internet Explorer
HijackThis 1.99.1
HLPIndex
HLPSFO
HP Help and Support
HP Image Zone 3.5
HP Integrated Module with Bluetooth wireless technology
HP PSC & OfficeJet 3.5
HP Software Update
HP User Guides 0001
HP Wireless Assistant
Intel(R) Graphics Media Accelerator Driver for Mobile
InterVideo WinDVD
iTunes
Kodak EasyShare software
KSU
LiveReg (Symantec Corporation)
LiveUpdate 2.5 (Symantec Corporation)
Macromedia Flash Player 8
Messenger Plus! 3 & Sponsor
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Money 2005
Microsoft Office Professional Edition 2003
Microsoft Office Standard Edition 2003
Microsoft Office XP Professional with FrontPage
Microsoft Works
mIRC
Mozilla Firefox (1.5)
MSN Messenger 7.5
MSRedist
muvee autoProducer 4.0 - SE
Norton AntiSpam
Norton AntiVirus 2005
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security 2005 (Symantec Corporation)
Norton Security Center
Norton WMI Update
Norton WMI Update
Notifier
OfotoXMI
OTtBP
OTtBPSDK
Quick Launch Buttons 5.10 B2
QuickTime
Rhapsody Player Engine
SAM 2003
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
SFR
SHASTA
SKIN0001
SKINXSDK
Skype 2.0
Soft Data Fax Modem with SmartCP
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
SPBBC
Symantec Script Blocking Installer
SymNet
Synaptics Pointing Device Driver
System Process
Texas Instruments PCIxx21/x515 drivers.
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
VPRINTOL
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Live Sign-in Assistant
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB884575
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885464
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WIRELESS
Yahoo! extras
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar

alexCali · August 2006

it sais Unable to connect Firefox cant establich a connection to the server

Trogan · August 2006

We'll try Java in a bit.

Please Download NoLop to your desktop from one of the links below...
Link 1
Link 2
Link 3

First close any other programs you have running as this will require a reboot
Double click NoLop.exe to run it
- Carefully type or copy and paste this series of characters into the lower text area labelled Insert CLSID Here. Include the {}:
  
  {0D0EFE39-4775-2196-E26D-0D9DF167C95F}
Now click the button labelled "Search and Destroy"
<<your computer will now be scanned for infected files>>
When scanning is finished you will be prompted to reboot only if infected, Click OK
Now click the "REBOOT" Button.
A Message should popup from NoLop. If not, double click the program again and it will finish. Please Post the contents of C:\NoLop.log along with a fresh HijackThis log

--If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program.--

alexCali · August 2006

done! here are the logs:

NoLop! Log by Skate_Punk_21

Fix running from: C:\Documents and Settings\Reema Ammati\Desktop
[8/2/2006]
[8:02:01 AM]

---Infection Files Found/Removed---
C:\Documents and Settings\Reema Ammati\Application Data\softdatadefy\Mode send sect.exe
C:\Documents and Settings\Reema Ammati\Application Data\closedash\Option Mags.exe
C:\Documents and Settings\Reema Ammati\Application Data\softdatadefy\Memo Second Less Itch.exe
C:\Documents and Settings\All Users\Application Data\SPAM DOES WAIT BIRD\BoldSetup.exe
C:\Documents and Settings\Reema Ammati\Application Data\softdatadefy\xaxtkhdm.exe
C:\WINDOWS\tasks\AEBDA99A91BA24A6.job

Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**

---Listing AppData sub directories---

C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Apple Computer
C:\Documents and Settings\All Users\Application Data\Hpqwmi
C:\Documents and Settings\All Users\Application Data\Installshield
C:\Documents and Settings\All Users\Application Data\Kodak
C:\Documents and Settings\All Users\Application Data\Messenger Plus!
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Muvee Technologies
C:\Documents and Settings\All Users\Application Data\Quicktime
C:\Documents and Settings\All Users\Application Data\Sbsi
C:\Documents and Settings\All Users\Application Data\Skype -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Symantec
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\All Users\Application Data\Yahoo!
C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
C:\Documents and Settings\Default User\Application Data\Apple Computer
C:\Documents and Settings\Default User\Application Data\Identities
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Default User\Application Data\Symantec -- EMPTY Directory
C:\Documents and Settings\Guest\Application Data\Apple Computer
C:\Documents and Settings\Guest\Application Data\Identities
C:\Documents and Settings\Guest\Application Data\Microsoft
C:\Documents and Settings\Guest\Application Data\Symantec -- EMPTY Directory
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Microsoft
C:\Documents and Settings\Rania\Application Data\Apple Computer
C:\Documents and Settings\Rania\Application Data\Identities
C:\Documents and Settings\Rania\Application Data\Intervideo
C:\Documents and Settings\Rania\Application Data\Macromedia
C:\Documents and Settings\Rania\Application Data\Microsoft
C:\Documents and Settings\Rania\Application Data\Symantec -- EMPTY Directory
C:\Documents and Settings\Reema Ammati\Application Data\Adobe
C:\Documents and Settings\Reema Ammati\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Reema Ammati\Application Data\Apple Computer
C:\Documents and Settings\Reema Ammati\Application Data\Block Checker
C:\Documents and Settings\Reema Ammati\Application Data\Google
C:\Documents and Settings\Reema Ammati\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Reema Ammati\Application Data\Identities
C:\Documents and Settings\Reema Ammati\Application Data\Intervideo
C:\Documents and Settings\Reema Ammati\Application Data\Lavasoft
C:\Documents and Settings\Reema Ammati\Application Data\Leadertech
C:\Documents and Settings\Reema Ammati\Application Data\Macromedia
C:\Documents and Settings\Reema Ammati\Application Data\Microsoft
C:\Documents and Settings\Reema Ammati\Application Data\Mozilla
C:\Documents and Settings\Reema Ammati\Application Data\Skype
C:\Documents and Settings\Reema Ammati\Application Data\Sonic
C:\Documents and Settings\Reema Ammati\Application Data\Sun
C:\Documents and Settings\Reema Ammati\Application Data\Symantec
C:\Documents and Settings\Reema Ammati\Application Data\Talkback
C:\Documents and Settings\Reema Ammati\Application Data\Template

Logfile of HijackThis v1.99.1
Scan saved at 8:07:07 AM, on 8/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Documents and Settings\Reema Ammati\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: NoLop[1].exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Trogan · August 2006

Good job!

There are no more infections showing in your log, but lets do some more cleanup. I won't be available after today for a week, so if you can do this now then we can finish.

Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - (no file)

O4 - Global Startup: NoLop[1].exe

- Close ALL open windows (especially Internet Explorer!)
Click Fix Checked

=====

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu

=====

Please download Ewido to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/

Install Ewido by double clicking the installer.
Follow the prompts. Make sure that Launch Ewido is checked.
On the main screen under Your Computer's security.
- Click on Change state next to Resident shield. It should now change to inactive.
- Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
- Wait until you see the Update succesfull message.
  Note: If the Update now option is grayed out, follow the steps below.
  - Click on Update on the toolbar.
  - Under Manual update, click on the Start Update button.
  - Wait until you see the Update succesfull message.
Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.

If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that Ewido is closed before installing the update.

Reboot your computer in Safe Mode.

If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.

Once in Safe Mode:

Close ALL open Windows / Programs / Folders. Please start Ewido and run a full scan.

Click on Scanner on the toolbar.
Click on the Settings tab.
- Under How to act?
  - Click on Recommended Action and choose Quarantine from the popup menu.
- Under How to scan?
  - All checkboxes should be ticked.
- Under Possibly unwanted software:
  - All checkboxes should be ticked.
- Under Reports:
  - Select Automatically generate report after every scan and uncheck Only if threats were found.
- Under What to scan?
  - Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
- Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
- At the bottom of the window click on the Apply all Actions button. (3)
When done, click the Save Scan Report button.
- Click the Save Report as button.
- Save the report to your Desktop.
Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.

Reboot back into Normal Mode and run this online scan:

Panda ActiveScan

- Once you are on the Panda site, click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Please post the following:

Ewido Log
Panda Report
New HijackThis log

alexCali · August 2006

sorry for the delay I slept on the computer .. im not kidding. sorry again here are the logs:

Incident Status Location

Spyware:Cookie/888 Not disinfected C:\Documents and Settings\RaNia\Cookies\rania@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\RaNia\Cookies\rania@888[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\RaNia\Cookies\rania@adultfriendfinder[2].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\RaNia\Cookies\rania@cassava[1].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\RaNia\Cookies\rania@offeroptimizer[2].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@888[1].txt[/email]
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@888[2].txt[/email]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@adopt.hbmediapro[2].txt[/email]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@adrevolver[3].txt[/email]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@ath.belnk[2].txt[/email]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@atwola[1].txt[/email]
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@azjmp[1].txt[/email]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@belnk[2].txt[/email]
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@cassava[1].txt[/email]
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@did-it[1].txt[/email]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@dist.belnk[1].txt[/email]
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@entrepreneur[2].txt[/email]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@go[2].txt[/email]
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@i.screensavers[2].txt[/email]
Spyware:Cookie/Media-motor Not disinfected C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@mmm.media-motor[1].txt[/email]
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@offeroptimizer[1].txt[/email]
Spyware:Cookie/Outster Not disinfected C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@outster[1].txt[/email]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@realmedia[2].txt[/email]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@searchportal.information[1].txt[/email]
Spyware:Cookie/SpywareStormer Not disinfected C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@spywarestormer[2].txt[/email]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@xiti[1].txt[/email]
Adware:Adware/Lop Not disinfected C:\NoLopBackups\About Locks.exe.infected
Adware:Adware/Lop Not disinfected C:\NoLopBackups\Boldsetup.exe.infected
Adware:Adware/Lop Not disinfected C:\NoLopBackups\Memo Second Less Itch.exe.infected
Adware:Adware/Lop Not disinfected C:\NoLopBackups\Mode Send Sect.exe.infected
Adware:Adware/Lop Not disinfected C:\NoLopBackups\Option Mags.exe.infected
Adware:Adware/Lop Not disinfected C:\NoLopBackups\Xaxtkhdm.exe.infected
Spyware:Spyware/Media-motor Not disinfected C:\WINDOWS\system32\icon_mediamotor.exe
Spyware:Spyware/Media-motor Not disinfected C:\WINDOWS\system32\ts_mediamotor.exe
Adware:Adware/Yazzle Not disinfected C:\WINDOWS\YazzleBundle-1119.exe

ewido anti-spyware - Scan Report

+ Created at: 12:47:07 PM 8/2/2006

+ Scan result:

C:\WINDOWS\system32\nsz38.dll -> Adware.EZula : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\amm06.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\WINDOWS\unstall.exe -> Adware.MediaMotor : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WhenUSave -> Adware.SaveNow : Cleaned with backup (quarantined).
HKLM\SOFTWARE\WhenUSave -> Adware.SaveNow : Cleaned with backup (quarantined).
HKLM\SOFTWARE\WhenUSave\Partners -> Adware.SaveNow : Cleaned with backup (quarantined).
HKLM\SOFTWARE\WhenUSave\Partners\EEPE -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\WINDOWS\media_motor_bundle.exe -> Downloader.Agent.aru : Cleaned with backup (quarantined).
C:\WINDOWS\optimize.exe -> Downloader.Dyfuca.ey : Cleaned with backup (quarantined).
C:\WINDOWS\pss\tntvy.exeCommon Startup -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\pi1_36.exe -> Downloader.Small.cqy : Cleaned with backup (quarantined).
C:\Documents and Settings\RaNia\Cookies\rania@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\RaNia\Cookies\rania@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@2o7[1].txt[/email] -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@entrepreneur.122.2o7[1].txt[/email] -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@ford.112.2o7[1].txt[/email] -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@metacafe.122.2o7[1].txt[/email] -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@microsoftwlmessengermkt.112.2o7[1].txt[/email] -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@msninvite.112.2o7[1].txt[/email] -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@msnportal.112.2o7[1].txt[/email] -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@partygaming.122.2o7[1].txt[/email] -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@pch.122.2o7[1].txt[/email] -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Local Settings\Temp\Cookies\reema [email]ammati@msnportal.112.2o7[1].txt[/email] -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@aavalue[2].txt[/email] -> TrackingCookie.Aavalue : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@eztracks.aavalue[2].txt[/email] -> TrackingCookie.Aavalue : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@stats.adbrite[2].txt[/email] -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@ads.addynamix[2].txt[/email] -> TrackingCookie.Addynamix : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@rotator.adjuggler[1].txt[/email] -> TrackingCookie.Adjuggler : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@thunderbolt.adjuggler[2].txt[/email] -> TrackingCookie.Adjuggler : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@idg.adocean[2].txt[/email] -> TrackingCookie.Adocean : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@adrevolver[2].txt[/email] -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@advertising[1].txt[/email] -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@atdmt[2].txt[/email] -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\RaNia\Cookies\rania@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@www.burstbeacon[1].txt[/email] -> TrackingCookie.Burstbeacon : Cleaned with backup (quarantined).
C:\Documents and Settings\RaNia\Cookies\rania@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Documents and Settings\RaNia\Cookies\rania@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@burstnet[2].txt[/email] -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@casalemedia[1].txt[/email] -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@ad1.clickhype[1].txt[/email] -> TrackingCookie.Clickhype : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@cz7.clickzs[2].txt[/email] -> TrackingCookie.Clickzs : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@com[1].txt[/email] -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@doubleclick[1].txt[/email] -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@e-2dj6wfk4goazako.stats.esomniture[2].txt[/email] -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\RaNia\Cookies\rania@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@adopt.euroclick[2].txt[/email] -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@as-us.falkag[2].txt[/email] -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@fastclick[1].txt[/email] -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@findwhat[1].txt[/email] -> TrackingCookie.Findwhat : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@hypertracker[1].txt[/email] -> TrackingCookie.Hypertracker : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@sec1.liveperson[2].txt[/email] -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@mediaplex[1].txt[/email] -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@data2.perf.overture[1].txt[/email] -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@data4.perf.overture[1].txt[/email] -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@overture[1].txt[/email] -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@ads.realcastmedia[1].txt[/email] -> TrackingCookie.Realcastmedia : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@edge.ru4[2].txt[/email] -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@serving-sys[2].txt[/email] -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@adopt.specificclick[1].txt[/email] -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@h.starware[1].txt[/email] -> TrackingCookie.Starware : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@try.starware[1].txt[/email] -> TrackingCookie.Starware : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@www.starware[1].txt[/email] -> TrackingCookie.Starware : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@anad.tacoda[1].txt[/email] -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@anat.tacoda[1].txt[/email] -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@tacoda[1].txt[/email] -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@trafficmp[1].txt[/email] -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@tribalfusion[1].txt[/email] -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@ac2.valuead[1].txt[/email] -> TrackingCookie.Valuead : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@reduxads.valuead[2].txt[/email] -> TrackingCookie.Valuead : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@web-stat[1].txt[/email] -> TrackingCookie.Web-stat : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@webstat[1].txt[/email] -> TrackingCookie.Web-stat : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@programs.wegcash[2].txt[/email] -> TrackingCookie.Wegcash : Cleaned with backup (quarantined).
C:\Documents and Settings\RaNia\Cookies\rania@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\RaNia\Cookies\rania@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@ad.yieldmanager[1].txt[/email] -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@yieldmanager[1].txt[/email] -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\Reema Ammati\Cookies\reema [email]ammati@zedo[1].txt[/email] -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
C:\Program Files\Okjx\Etfx.exe -> Trojan.Small.cy : Cleaned with backup (quarantined).

::Report end

Trogan · August 2006

I deleted your other post, and just to correct you, i'm not quitting.

If you can post within the next hour then we can finish this up.

Please do the following:

Download Killbox and save it to your desktop.

Next, copy everything in the Quote box below by pressing Ctrl+C

C:\WINDOWS\system32\icon_mediamotor.exe
C:\WINDOWS\system32\ts_mediamotor.exe
C:\WINDOWS\YazzleBundle-1119.exe

Next, open Killbox
Go to File tab and select Paste from Clipboard
Select the Delete on Reboot option
Select All Files
Now click on the Red Circle with the White X
Press Yes to reboot your computer.

How is the computer now? Your logs seem clean. If everything is back to normal, can we mark this resolved?

alexCali · August 2006

Everything is bqck to normal Thank you very very much man. i really apreciate it. but I have one more problem I dunno if u can help me with it or not. its not concerning spywares tho. itsmy msn messenger and hotmail account. they dont wanna log on on this computer anymore im not sure why. it sais the page cannot be displayed. all other websites work just fine. andone more thing the firefox doesnt wanna connect either. its weird. is it like a firewall screwing up everything or what? I dun even know if I have a firewall. cus the windows xp one is disabled and when I click on the norton security center to check on its firewall it doesnt wanna open at all. what do ya think?

Trogan · August 2006

Hey, I'm back.

Lets try this:

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:

Scan Archives
Scan Mail Bases

[*]Click OK
[*]Now under select a target to scan:

SelectMy Computer

[*]This will program will start and scan your system.
[*]The scan will take a while so be patient and let it run.
[*]Once the scan is complete it will display if your system has been infected.

Now click on the Save as Text button:

[*]Save the file to your desktop.

======

I would like to see another log from HijackThis.

Run Hijackthis.
Click on Open the Misc Tools section.
Check the two white boxes next to Generate StartupList log
Now, click on Generate StartupList log
Press YES at the confirmation box
Copy and paste the entire contents of Notepad here, along with a new HijackThis log and Kaspersky log

Help with spyware!

Comments