[inactive] tick tick boom

Every time my dad tries to start his computer on any administrative identity, it restarts and will not let him completely log on. The only way to get anything done is to go in through safe mode, and then you cannot access the internet; to do so you have to be on a non-administrative identity. We ran Ad-Aware, ewido, and some cleanup programs.

Here's my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:51:59 AM, on 11/23/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [xwvkn] C:\WINDOWS\xwvkn.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
O4 - HKLM\..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe
O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
O4 - HKLM\..\Run: [WebRebates0] C:\Program Files\Web_Rebates\WebRebates0.exe
O4 - HKLM\..\Run: [vsgih] C:\WINDOWS\irwuftj.exe
O4 - HKLM\..\Run: [vs2T3tR] immxl32.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [uZPaAyKch] C:\documents and settings\owner\local settings\temp\uZPaAyKch.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [sOBbG] C:\docume~1\lauren\locals~1\temp\sOBbG.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [rathzi] C:\WINDOWS\System32\tpjhcc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QBRSR] C:\WINDOWS\QuickBrowser.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NJ7yru] C:\docume~1\lauren\locals~1\temp\NJ7yru.exe
O4 - HKLM\..\Run: [mswspl] C:\WINDOWS\fkd.exe
O4 - HKLM\..\Run: [msbb] c:\windows\msbb.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [jch] C:\WINDOWS\jch.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [fkd] C:\WINDOWS\fkd.exe
O4 - HKLM\..\Run: [fafg] C:\WINDOWS\Eizetfv.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [arwhuf] C:\WINDOWS\arwhuf.exe
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [9DEVci] C:\docume~1\lauren\locals~1\temp\9DEVci.exe
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\Dqk5Z.exe
O4 - HKLM\..\Run: [?pPatch?] C:\WINDOWS\System32\?pPatch?.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [fkd] C:\WINDOWS\fkd.exe
O4 - HKCU\..\Run: [zyrcr] C:\WINDOWS\zyrcr.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [freexstyle] lockbr.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000166.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled2/popcaploader_v6.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thank you very much! Happy Thanksgiving!

Comments

  • SpywareShooter 127.0.0.1
    edited November 2006
    [STEP 1] Fix HijackThis Entries:
    Fix the following entries with HijackThis by placing checkmarks in the boxes next to them and clicking "Fix Checked".

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
    O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
    O4 - HKLM\..\Run: [xwvkn] C:\WINDOWS\xwvkn.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
    O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
    O4 - HKLM\..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe
    O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
    O4 - HKLM\..\Run: [WebRebates0] C:\Program Files\Web_Rebates\WebRebates0.exe
    O4 - HKLM\..\Run: [vsgih] C:\WINDOWS\irwuftj.exe
    O4 - HKLM\..\Run: [vs2T3tR] immxl32.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [uZPaAyKch] C:\documents and settings\owner\local settings\temp\uZPaAyKch.exe
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [sOBbG] C:\docume~1\lauren\locals~1\temp\sOBbG.exe
    O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
    O4 - HKLM\..\Run: [rathzi] C:\WINDOWS\System32\tpjhcc.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [NJ7yru] C:\docume~1\lauren\locals~1\temp\NJ7yru.exe
    O4 - HKLM\..\Run: [mswspl] C:\WINDOWS\fkd.exe
    O4 - HKLM\..\Run: [msbb] c:\windows\msbb.exe
    O4 - HKLM\..\Run: [jch] C:\WINDOWS\jch.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [fkd] C:\WINDOWS\fkd.exe
    O4 - HKLM\..\Run: [fafg] C:\WINDOWS\Eizetfv.exe
    O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
    O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [arwhuf] C:\WINDOWS\arwhuf.exe
    O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
    O4 - HKLM\..\Run: [9DEVci] C:\docume~1\lauren\locals~1\temp\9DEVci.exe
    O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\Dqk5Z.exe
    O4 - HKLM\..\Run: [?pPatch?] C:\WINDOWS\System32\?pPatch?.exe
    O4 - HKCU\..\Run: [fkd] C:\WINDOWS\fkd.exe
    O4 - HKCU\..\Run: [zyrcr] C:\WINDOWS\zyrcr.exe
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O4 - HKCU\..\Run: [freexstyle] lockbr.exe
    O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000166.exe
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.popuppers.com

    [STEP 2] Remove Malicious Files:
    Locate the following files using Windows Explorer (the My Computer icon or shortcut) and delete them from your computer.

    C:\WINDOWS\xwvkn.exe
    C:\WINDOWS\irwuftj.exe
    immxl32.exe
    C:\documents and settings\owner\local settings\temp\uZPaAyKch.exe
    C:\docume~1\lauren\locals~1\temp\sOBbG.exe
    c:\temp\salm.exe
    C:\WINDOWS\System32\tpjhcc.exe
    C:\WINDOWS\fkd.exe
    c:\windows\msbb.exe
    C:\WINDOWS\jch.exe
    C:\WINDOWS\Eizetfv.exe
    C:\WINDOWS\arwhuf.exe
    C:\WINDOWS\alchem.exe
    C:\docume~1\lauren\locals~1\temp\9DEVci.exe
    C:\WINDOWS\System32\Dqk5Z.exe
    C:\WINDOWS\System32\?pPatch?.exe
    C:\WINDOWS\zyrcr.exe
    lockbr.exe
    C:\Program Files\Common Files\Windows\mc-110-12-0000166.exe

    [STEP 3] Remove Malicious Folders:
    Locate the following folders using Windows Explorer (the My Computer icon or shortcut) and delete them from your computer.

    C:\Program Files\Common files\WinTools\
    C:\Program Files\WindUpdates\
    C:\Program Files\Windows ServeAd\
    C:\Program Files\Windows AdTools\
    C:\Program Files\Windows AdControl\
    C:\Program Files\Web_Rebates\
    C:\Program Files\Viewpoint\
    C:\Program Files\TV Media\
    C:\Program Files\ISTsvc\
    C:\Program Files\Internet Optimizer\
    C:\Program Files\Ebates_MoeMoneyMaker\
    C:\Program Files\BullsEye Network\
    c:\program files\altnet\
    C:\Program Files\SurfSideKick 3\

    [STEP 4] Report Back to us:
    Once you have followed all of the steps above please reboot your computer and post a new HijackThis log.
  • edited November 2006
    So I don't know whether it is good or bad news, but none of the malicious files or folders existed on the hard drive. I know I have had to delete them before because of other run-ins with these creatures.

    Here is a new HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 1:58:57 PM, on 11/23/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    C:\Program Files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
    O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [fkd] C:\WINDOWS\fkd.exe
    O4 - HKCU\..\Run: [zyrcr] C:\WINDOWS\zyrcr.exe
    O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000166.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled2/popcaploader_v6.cab
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • SpywareShooter 127.0.0.1
    edited November 2006
    [STEP 1] Show Hidden and System Files:
    Malicious files shown in your log may be set as hidden or system files to trick users into thinking they have been deleted. Turn on the display of hidden and system files by going to "My Computer" and, under the "Tools" menu, selecting "Folder Options". Once in "Folder Options", go to the "View" tab, uncheck "Hide Protected Operating System Files" and click the radio button marked "Show Hidden Files and Folders".


    [STEP 2] Fix HijackThis Entries:
    Fix the following entries with HijackThis by placing checkmarks in the boxes next to them and clicking "Fix Checked".

    O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
    O4 - HKCU\..\Run: [fkd] C:\WINDOWS\fkd.exe
    O4 - HKCU\..\Run: [zyrcr] C:\WINDOWS\zyrcr.exe
    O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000166.exe

    [STEP 3] Remove Malicious Files:
    Locate the following files using Windows Explorer (the My Computer icon or shortcut) and delete them from your computer.

    C:\WINDOWS\fkd.exe
    C:\WINDOWS\zyrcr.exe
    C:\Program Files\Common Files\Windows\mc-110-12-0000166.exe

    [STEP 4] Report Back to us:
    Once you have followed all of the steps above please reboot your computer and post a new HijackThis log.
  • edited November 2006
    Still, when I search and when I look manually, none of these files are showing up. I was already viewing hidden and system files, so I don't know what the deal is there.
    New log:

    Logfile of HijackThis v1.99.1
    Scan saved at 8:47:37 AM, on 11/24/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    C:\Program Files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
    O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled2/popcaploader_v6.cab
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    Thank you!
  • SpywareShooter 127.0.0.1
    edited November 2006
    Well, it looks like you're stopping those files from running with HijackThis, so an antivirus and/or antispyware scan should remove them.

    [STEP 1] Fix HijackThis Entries:
    Fix the following entries with HijackThis by placing checkmarks in the boxes next to them and clicking "Fix Checked".

    O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe

    [STEP 2] Remove Malicious Folders:
    Locate the following folders using Windows Explorer (the My Computer icon or shortcut) and delete them from your computer.

    C:\Program Files\Power Scan\

    [STEP 3] Report Back to us:
    Once you have followed all of the steps above please reboot your computer and post a new HijackThis log.
  • edited November 2006
    I already had the hidden and system files showing, and none of the malicious files exist on my hard drive, either through the search function or through a manual search. The folder c:\program files\common files\windows does not even exist on my computer. I "fixed checked" mc-110-12-000016.exe already once, and a few months ago we had that virus before. But none of the files that you have told me to remove have existed while viewing hidden and system files. Please somehow take this into account.

    New HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:24:35 AM, on 11/25/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
    O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled2/popcaploader_v6.cab
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • SpywareShooter
    edited November 2006
    [STEP 1] Run Additional Tools:
    In order to make sure that all remaining pieces of this malware have been removed, it is recommended that you download and scan with Ewido Anti-Malware. Please do an Ewido scan and post the log here:

    Download Ewido

    [STEP 2] Report Back to us:
    Once you have followed all of the steps above please reboot your computer and post a new HijackThis log.
  • edited November 2006
    ewido anti-malware - Scan report

    + Created on: 9:49:52 PM, 11/26/2006
    + Report-Checksum: 38ED033D

    + Scan result:

    HKLM\SOFTWARE\Classes\CLSID\{00F1D395-4744-40f0-A611-980F61AE2C59} -> Adware.DrSearch : Error during cleaning
    HKLM\SOFTWARE\Classes\CLSID\{3D782BB3-F2A5-11D3-BF4C-000000000000} -> Adware.ActivShopper : Error during cleaning
    HKLM\SOFTWARE\Classes\CLSID\{7FD44536-9DF0-4034-939F-5BD4D98E3187} -> Adware.Generic : Error during cleaning
    HKLM\SOFTWARE\Classes\CLSID\{F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} -> Adware.Generic : Error during cleaning
    HKLM\SOFTWARE\ErrorSafe -> Adware.ErrorSafe : Error during cleaning
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\bsto-1 -> Adware.BetterInternet : Error during cleaning
    HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Error during cleaning
    HKLM\SOFTWARE\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Error during cleaning
    HKU\.DEFAULT\Software\New.net -> Adware.NewDotNet : Error during cleaning
    HKU\.DEFAULT\Software\SurfSideKick3 -> Adware.SurfSide : Error during cleaning
    HKU\.DEFAULT\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Error during cleaning
    HKU\S-1-5-21-2750687177-2962501154-3473412508-1008\Software\aurora -> Adware.BetterInternet : Cleaned with backup
    HKU\S-1-5-21-2750687177-2962501154-3473412508-1008\Software\New.net -> Adware.NewDotNet : Cleaned with backup
    HKU\S-1-5-21-2750687177-2962501154-3473412508-1008\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
    HKU\S-1-5-21-2750687177-2962501154-3473412508-1008\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
    HKU\S-1-5-18\Software\New.net -> Adware.NewDotNet : Error during cleaning
    HKU\S-1-5-18\Software\SurfSideKick3 -> Adware.SurfSide : Error during cleaning
    HKU\S-1-5-18\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Error during cleaning
    C:\Documents and Settings\Mallory\Cookies\mallory@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@com[1].txt -> TrackingCookie.Com : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@e-2dj6wjkyejazobp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@e-2dj6wjnyopcjecp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@ehg-aha.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@ehg-bestbuy.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@ehg-dig.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@targetnet[1].txt -> TrackingCookie.Targetnet : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
    C:\Documents and Settings\Mallory\Local Settings\Temporary Internet Files\Content.IE5\OTIV49M7\2_z[1].htm -> Not-A-Virus.Exploit.JS.CVE20061359.b : Cleaned with backup
    C:\Documents and Settings\Owner\Local Settings\Temp\!update.exe -> Downloader.PurityScan.df : Error during cleaning
    C:\Program Files\backups\backup-20061122-200944-117.dll -> Adware.PurityScan : Error during cleaning
    C:\Program Files\Common Files\rurq\rurqd\vocabulary -> Downloader.TSUpdate.j : Error during cleaning
    C:\Program Files\Common Files\Uninstall Information\RemoveWebDP.exe -> Adware.DelphinMediaViewer : Error during cleaning
    C:\Program Files\Common Files\WinSoftware\CrXML.dll -> Adware.Winfixer : Error during cleaning
    C:\Program Files\Common Files\{3C44B700-0A1E-1033-1016-030224200001}\MyToolBar.dll -> Adware.Softomate : Error during cleaning
    C:\Program Files\Common Files\{3C44B700-0A1E-1033-1016-030224200001}\Uninstall.exe -> Adware.Softomate : Error during cleaning
    C:\Program Files\Common Files\{6C44B700-0A1E-1033-1016-030224200001}\system.dll -> Adware.Softomate : Error during cleaning
    C:\Program Files\Common Files\{6C44B700-0A1E-1033-1016-030224200001}\Update.exe -> Adware.Softomate : Error during cleaning
    C:\Program Files\ErrorSafe -> Adware.ErrorSafe : Cleaned with backup
    C:\Program Files\ErrorSafe\ESSPCheck.dll -> Adware.ErrorSafe : Error during cleaning
    C:\Program Files\ErrorSafe\lock.dat -> Adware.ErrorSafe : Error during cleaning
    C:\WINDOWS\hgnjji.exe -> Adware.BetterInternet : Error during cleaning
    C:\WINDOWS\metasploit.exe -> Downloader.Agent.baf : Error during cleaning
    C:\WINDOWS\system32\0ky0jw98.dll -> Adware.Sud : Error during cleaning
    C:\WINDOWS\system32\drivers\ersd.sys -> Rootkit.Agent.af : Error during cleaning
    C:\WINDOWS\system32\inetp60.dll -> Adware.Bymoh : Error during cleaning
    C:\WINDOWS\system32\msbpvcno.exe -> Downloader.Apropo.j : Error during cleaning
    C:\WINDOWS\system32\P2P Networking v124.cpl -> Adware.P2PNet : Error during cleaning
    C:\WINDOWS\system32\sset.exe -> Adware.Sidesearch : Error during cleaning
    C:\WINDOWS\system32\Міcrosoft.NET\csrss.exe -> Adware.ClickSpring : Error during cleaning
    C:\WINDOWS\system32\Міcrosoft.NET\Міcrosoft.NET\!update-3605.0000 -> Downloader.PurityScan.ce : Error during cleaning
    C:\WINDOWS\system32\Міcrosoft.NET\Міcrosoft.NET\!update-3635.0000 -> Downloader.PurityScan.w : Error during cleaning
    C:\WINDOWS\system32\Міcrosoft.NET\Міcrosoft.NET\!update-3655.0000 -> Downloader.PurityScan.cc : Error during cleaning
    C:\WINDOWS\system32\Міcrosoft.NET\Міcrosoft.NET\!update-4200.0000 -> Downloader.PurityScan.df : Error during cleaning
    C:\WINDOWS\system32\Міcrosoft.NET\Міcrosoft.NET\!update-4220.0000 -> Downloader.PurityScan.da : Error during cleaning
    C:\WINDOWS\winsysupd.exe -> Hijacker.StartPage.ahg : Error during cleaning


    ::Report End
  • SpywareShooter
    edited November 2006
    It seems lots of the malware couldn't be removed in that scan. Can you try scanning again and post a new log?
  • edited November 2006
    Looks like lots of the malware couldn't be removed on this scan either? Is that what "Error during cleaning" means?
    Thanks

    ewido anti-malware - Scan report

    + Created on: 9:20:38 PM, 11/27/2006
    + Report-Checksum: E9E57AC5

    + Scan result:

    HKLM\SOFTWARE\Classes\CLSID\{00F1D395-4744-40f0-A611-980F61AE2C59} -> Adware.DrSearch : Error during cleaning
    HKLM\SOFTWARE\Classes\CLSID\{3D782BB3-F2A5-11D3-BF4C-000000000000} -> Adware.ActivShopper : Error during cleaning
    HKLM\SOFTWARE\Classes\CLSID\{7FD44536-9DF0-4034-939F-5BD4D98E3187} -> Adware.Generic : Error during cleaning
    HKLM\SOFTWARE\Classes\CLSID\{F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} -> Adware.Generic : Error during cleaning
    HKLM\SOFTWARE\ErrorSafe -> Adware.ErrorSafe : Error during cleaning
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\bsto-1 -> Adware.BetterInternet : Error during cleaning
    HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Error during cleaning
    HKLM\SOFTWARE\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Error during cleaning
    HKU\.DEFAULT\Software\New.net -> Adware.NewDotNet : Error during cleaning
    HKU\.DEFAULT\Software\SurfSideKick3 -> Adware.SurfSide : Error during cleaning
    HKU\.DEFAULT\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Error during cleaning
    HKU\S-1-5-18\Software\New.net -> Adware.NewDotNet : Error during cleaning
    HKU\S-1-5-18\Software\SurfSideKick3 -> Adware.SurfSide : Error during cleaning
    HKU\S-1-5-18\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Error during cleaning
    C:\Documents and Settings\Mallory\Cookies\mallory@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup
    C:\Documents and Settings\Mallory\Cookies\mallory@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
    C:\Documents and Settings\Owner\Local Settings\Temp\!update.exe -> Downloader.PurityScan.df : Error during cleaning
    C:\Program Files\backups\backup-20061122-200944-117.dll -> Adware.PurityScan : Error during cleaning
    C:\Program Files\Common Files\rurq\rurqd\vocabulary -> Downloader.TSUpdate.j : Error during cleaning
    C:\Program Files\Common Files\Uninstall Information\RemoveWebDP.exe -> Adware.DelphinMediaViewer : Error during cleaning
    C:\Program Files\Common Files\WinSoftware\CrXML.dll -> Adware.Winfixer : Error during cleaning
    C:\Program Files\Common Files\{3C44B700-0A1E-1033-1016-030224200001}\MyToolBar.dll -> Adware.Softomate : Error during cleaning
    C:\Program Files\Common Files\{3C44B700-0A1E-1033-1016-030224200001}\Uninstall.exe -> Adware.Softomate : Error during cleaning
    C:\Program Files\Common Files\{6C44B700-0A1E-1033-1016-030224200001}\system.dll -> Adware.Softomate : Error during cleaning
    C:\Program Files\Common Files\{6C44B700-0A1E-1033-1016-030224200001}\Update.exe -> Adware.Softomate : Error during cleaning
    C:\Program Files\ErrorSafe -> Adware.ErrorSafe : Cleaned with backup
    C:\Program Files\ErrorSafe\ESSPCheck.dll -> Adware.ErrorSafe : Error during cleaning
    C:\Program Files\ErrorSafe\lock.dat -> Adware.ErrorSafe : Error during cleaning
    C:\WINDOWS\hgnjji.exe -> Adware.BetterInternet : Error during cleaning
    C:\WINDOWS\metasploit.exe -> Downloader.Agent.baf : Error during cleaning
    C:\WINDOWS\system32\0ky0jw98.dll -> Adware.Sud : Error during cleaning
    C:\WINDOWS\system32\drivers\ersd.sys -> Rootkit.Agent.af : Error during cleaning
    C:\WINDOWS\system32\inetp60.dll -> Adware.Bymoh : Error during cleaning
    C:\WINDOWS\system32\msbpvcno.exe -> Downloader.Apropo.j : Error during cleaning
    C:\WINDOWS\system32\P2P Networking v124.cpl -> Adware.P2PNet : Error during cleaning
    C:\WINDOWS\system32\sset.exe -> Adware.Sidesearch : Error during cleaning
    C:\WINDOWS\system32\Міcrosoft.NET\csrss.exe -> Adware.ClickSpring : Error during cleaning
    C:\WINDOWS\system32\Міcrosoft.NET\Міcrosoft.NET\!update-3605.0000 -> Downloader.PurityScan.ce : Error during cleaning
    C:\WINDOWS\system32\Міcrosoft.NET\Міcrosoft.NET\!update-3635.0000 -> Downloader.PurityScan.w : Error during cleaning
    C:\WINDOWS\system32\Міcrosoft.NET\Міcrosoft.NET\!update-3655.0000 -> Downloader.PurityScan.cc : Error during cleaning
    C:\WINDOWS\system32\Міcrosoft.NET\Міcrosoft.NET\!update-4200.0000 -> Downloader.PurityScan.df : Error during cleaning
    C:\WINDOWS\system32\Міcrosoft.NET\Міcrosoft.NET\!update-4220.0000 -> Downloader.PurityScan.da : Error during cleaning
    C:\WINDOWS\winsysupd.exe -> Hijacker.StartPage.ahg : Error during cleaning


    ::Report End
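A small triage script for reports like the two posted above, added here as an example (it is not ewido's tooling): it parses the "object -> detection : status" lines, counts which entries were actually cleaned, groups the ones that failed by malware family, and flags paths worth a closer look, such as a folder spelled with non-ASCII look-alike letters in place of "Microsoft", or a core system binary name sitting outside system32. The sample report is a constructed excerpt modelled on the posted log, with Cyrillic letters standing in for the M and i.

```python
"""Triage an ewido anti-malware scan report (added example, not ewido's code)."""
import re
import unicodedata
from collections import Counter, defaultdict

# One result line has the shape "<object> -> <detection name> : <status>"
LINE_RE = re.compile(r"^(?P<obj>.+?) -> (?P<name>[^:]+?) : (?P<status>.+)$")

# System processes that legitimately live directly under system32 on XP.
SYSTEM_BINARIES = {"csrss.exe", "lsass.exe", "svchost.exe", "winlogon.exe"}
SYSTEM32 = "c:\\windows\\system32"


def parse_report(text):
    """Return (object, detection, status) tuples; headers and blanks are skipped."""
    hits = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            hits.append((m["obj"], m["name"].strip(), m["status"].strip()))
    return hits


def non_ascii_components(path):
    """Path components containing non-ASCII characters, each character named,
    so a folder spelled with look-alike letters stands out from 'Microsoft'."""
    flagged = []
    for comp in path.split("\\"):
        odd = [(c, unicodedata.name(c, "UNKNOWN")) for c in comp if ord(c) > 127]
        if odd:
            flagged.append((comp, odd))
    return flagged


def masquerading(path):
    """True when a core system binary name sits outside its normal directory."""
    parent, _, base = path.rpartition("\\")
    return base.lower() in SYSTEM_BINARIES and parent.lower() != SYSTEM32


def triage(text):
    """Summarise a report: status counts, failed removals by family, odd paths."""
    hits = parse_report(text)
    failed_by_family = defaultdict(list)
    lookalikes, masq = [], []
    for obj, name, status in hits:
        if status == "Error during cleaning":
            # group by "<category>.<family>", e.g. "Downloader.PurityScan"
            failed_by_family[".".join(name.split(".")[:2])].append(obj)
        if non_ascii_components(obj):
            lookalikes.append(obj)
        if masquerading(obj):
            masq.append(obj)
    return {
        "status_counts": dict(Counter(status for _, _, status in hits)),
        "failed_by_family": dict(failed_by_family),
        "lookalike_paths": lookalikes,
        "masquerading": masq,
    }


# Constructed excerpt modelled on the posted report; the folder name is spelled
# with Cyrillic \u041c and \u0456 in place of Latin M and i.
SAMPLE_REPORT = """\
+ Scan result:

HKLM\\SOFTWARE\\SurfSideKick3 -> Adware.SurfSide : Error during cleaning
HKU\\S-1-5-18\\Software\\SurfSideKick3 -> Adware.SurfSide : Error during cleaning
C:\\Documents and Settings\\Mallory\\Cookies\\mallory@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\\Program Files\\ErrorSafe -> Adware.ErrorSafe : Cleaned with backup
C:\\WINDOWS\\system32\\drivers\\ersd.sys -> Rootkit.Agent.af : Error during cleaning
C:\\WINDOWS\\system32\\\u041c\u0456crosoft.NET\\csrss.exe -> Adware.ClickSpring : Error during cleaning
C:\\WINDOWS\\system32\\\u041c\u0456crosoft.NET\\\u041c\u0456crosoft.NET\\!update-3605.0000 -> Downloader.PurityScan.ce : Error during cleaning

::Report End
"""
```

Running `triage(SAMPLE_REPORT)` shows that only the two cookie/folder entries were cleaned, that the same families fail on every pass, and that the two "Microsoft.NET" paths and the misplaced csrss.exe deserve manual attention.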
  • SpywareShooter
    edited November 2006
    Yes, that's what it means. Let's try to do an online virus scan with Trend Micro. Do a virus scan at http://housecall.trendmicro.com/ and post back with the results.
  • edited November 2006
    I'm still trying, but several attempts for me to run the Trend Micro scan have been unsuccessful. Initially, I received an error message trying in Java script, and when I've tried Browser Plug-in, it has stayed on Opening House Call for as long as an hour, though the bar keeps moving.
  • SpywareShooter
    edited November 2006
    If Trendmicro still isn't working, I would recommend Panda Activescan. Please run the Panda Activescan and post the log.
  • edited November 2006
    Unfortunately, Panda won't work either. I've tried several times. Anything else I can even try?
  • SpywareShooter
    edited November 2006
    Maybe a hosts file entry is blocking the scanners from running. Navigate to C:\WINDOWS\system32\drivers\etc and open the file HOSTS (with no file extension) in Notepad, and post the contents here.
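The check suggested in the last reply, as an added example that is not part of the original thread: it parses a Windows HOSTS file, separates the stock `127.0.0.1 localhost` mapping from everything else, and flags any entry that points a known scanner domain (the watchlist here holds only the two vendors named in this thread and is an assumption to extend) at loopback or anywhere else. The sample file contents are constructed.

```python
"""Audit a Windows HOSTS file for entries that could stop online scanners
from loading (added example, not from the original thread)."""
import ipaddress

# Scanner domains named in this thread; extend the list for your own environment.
WATCHLIST = ("trendmicro.com", "ewido.net")
# A stock Windows XP HOSTS file maps only the loopback name.
EXPECTED = {("127.0.0.1", "localhost")}


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every mapping; a malformed line is
    returned as (None, raw_text, line_no). Comments and blanks are skipped."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            entries.append((None, line, no))   # not an address: still worth a look
            continue
        for host in parts[1:]:                 # one line may name several hosts
            entries.append((ip, host.lower(), no))
    return entries


def matches_watchlist(host):
    """True for a watchlisted domain or any subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def audit_hosts(text):
    """Classify every mapping that is not part of the stock file."""
    report = {"unexpected": [], "scanner_blocks": [], "malformed": []}
    for ip, host, no in parse_hosts(text):
        if ip is None:
            report["malformed"].append((no, host))
            continue
        if (ip, host) in EXPECTED:
            continue
        report["unexpected"].append((no, ip, host))
        if matches_watchlist(host):
            report["scanner_blocks"].append((no, ip, host))
    return report


# Constructed sample, modelled on a Windows XP machine with two scanner
# domains redirected; the real file is at C:\WINDOWS\system32\drivers\etc\HOSTS.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1       localhost
127.0.0.1\thousecall.trendmicro.com   # scanner redirected to loopback
0.0.0.0         download.ewido.net www.ewido.net
192.0.2.10      www.example.com
not-an-ip       something
"""
```

Any line listed under `scanner_blocks` explains a scanner that never finishes "opening"; the `unexpected` list is everything else the stock file would not contain.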
This discussion has been closed.