HijackThis log file

Question

Logfile of HijackThis v1.99.1 Scan saved at 12:47:21 AM, on 11/9/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE C:\WINDOWS\system32\CTHELPER.EXE C:\Program Files\Scansoft\PaperPort\pptd40nt.exe C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\INCRED~1\bin\IncMail.exe C:\Program Files\Internet Optimizer\optimize.exe C:\windows\sp2update00.exe C:\PROGRA~1\COMMON~1\ukmz\ukmzm.exe C:\WINDOWS\system32\autoupdatev2.exe C:\Program Files\Common Files\Symantec Shared\ccProxy.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\WINDOWS\QmV0aCA\command.exe C:\PROGRA~1\COMMON~1\ukmz\ukmza.exe C:\WINDOWS\system32\CTsvcCDA.EXE C:\Program Files\Norton Internet Security\Norton AntiVirus
avapsvc.exe C:\PROGRA~1\Webshots\webshots.scr C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe C:\WINDOWS\system32\wdfmgr.exe C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\WINDOWS\System32\alg.exe C:\Program Files\Kazaa Lite K++\KazaaLite.kpp C:\HJT\HijackThis.exe C:\Program Files\Messenger\msmsgs.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file) R3 - URLSearchHook: (no name) - _{4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file) O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS
em220.dll (file missing) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file) O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla	fswshx.dll O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\WINDOWS\system32\qlink32.dll (file missing) O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll O2 - BHO: ZToolbar Activator Class - {da7ff3f8-08be-4cac-bc00-94d91c6ae7f4} - C:\WINDOWS\system32\azesearch4.ocx (file missing) O2 - BHO: AddressBar Class - {f65b197f-8260-4d52-909a-f70118e646eb} - C:\WINDOWS\system32\iasada.dll (file missing) O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: AZE Search - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - C:\WINDOWS\system32\azesearch4.ocx (file missing) O4 - HKLM\..\Run: [CTDVDDET] 'C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE' O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe O4 - HKLM\..\Run: [RoxioEngineUtility] 'C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe' O4 - HKLM\..\Run: [RoxioDragToDisc] 'C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe' O4 - HKLM\..\Run: [RoxioAudioCentral] 'C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe' O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe O4 - HKLM\..\Run: [tgcmd] 'C:\Program Files\support.com\bin	gcmd.exe' /server O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [ccApp] 'C:\Program Files\Common Files\Symantec Shared\ccApp.exe' O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe O4 - HKLM\..\Run: [QuickTime Task] 'C:\Program Files\QuickTime\qttask.exe' -atboottime O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c O4 - HKLM\..\Run: [Internet Optimizer] 'C:\Program Files\Internet Optimizer\optimize.exe' O4 - HKLM\..\Run: [msresearch] C:\windows\msresearch.exe O4 - HKLM\..\Run: [sp2update] C:\windows\sp2update00.exe O4 - HKLM\..\Run: [WinStart001.EXE] C:\WINDOWS\System\WinStart001.EXE -b O4 - HKCU\..\Run: [ukmz] C:\PROGRA~1\COMMON~1\ukmz\ukmzm.exe O4 - HKCU\..\Run: [autoupdatev2] C:\WINDOWS\system32\autoupdatev2.exe O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\binesources\WebMenuImg.htm O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin
pjpi150_05.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin
pjpi150_05.dll O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing) O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing) O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing) O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: http://ny.contentmatch.net (HKLM) O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/CursorManiaFWBInitialSetup1.0.0.8-2.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.tbcode.com/ist/softwares/v4.0/0006_regular.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\WINDOWS\system32\qlink32.dll O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\AYAAMON.DLL O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QmV0aCA\command.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus
avapsvc.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing) O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

RKinner · Answer

Download the Hoster from: http://www.funkytoad.com/ Unpack to your desktop and run it.  If you have green print at the top then just press Restore Original Hosts then OK.  IF you have red print then press make Hosts Writeable first.   Get the stinger from: http://vil.nai.com/vil/stinger/ and save it to your desktop.  Do not turn off system restore as sugested on the website. Get DelDomain.inf from:   http://www.mvps.org/winhelp2002/DelDomains.inf  and then right click on it and Install.  Nothing obvious will happen. Download and install ccleaner.exe from http://www.ccleaner.com. Don't let it clean anything yet.  Download the killbox: http://www.bleepingcomputer.com/files/killbox.php Unzip it to your desktop but don't run it. Shutdown and Restart and Boot into Safe Mode by tapping the F8 key when you see the PC maker's logo. Keep tapping until it tells you it is going to Safe Mode or you see the Safe Mode menu. Select the top option.  Login with your usual login if you can.   Run HijackThis and just do a Scan only. Check then Fix Checked the following: R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file) R3 - URLSearchHook: (no name) - _{4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file) O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS
em220.dll (file missing) O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file) O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\WINDOWS\system32\qlink32.dll (file missing) O2 - BHO: ZToolbar Activator Class - {da7ff3f8-08be-4cac-bc00-94d91c6ae7f4} - C:\WINDOWS\system32\azesearch4.ocx (file missing) O2 - BHO: AddressBar Class - {f65b197f-8260-4d52-909a-f70118e646eb} - C:\WINDOWS\system32\iasada.dll (file missing) O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: AZE Search - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - C:\WINDOWS\system32\azesearch4.ocx (file missing) O4 - HKLM\..\Run: [Internet Optimizer] 'C:\Program Files\Internet Optimizer\optimize.exe' O4 - HKLM\..\Run: [msresearch] C:\windows\msresearch.exe O4 - HKLM\..\Run: [sp2update] C:\windows\sp2update00.exe O4 - HKLM\..\Run: [WinStart001.EXE] C:\WINDOWS\System\WinStart001.EXE -b O4 - HKCU\..\Run: [ukmz] C:\PROGRA~1\COMMON~1\ukmz\ukmzm.exe O4 - HKCU\..\Run: [autoupdatev2] C:\WINDOWS\system32\autoupdatev2.exe O15 - Trusted Zone: http://ny.contentmatch.net (HKLM) O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/CursorManiaFWBInitialSetup1.0.0.8-2.cab O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.tbcode.com/ist/softwares/v4.0/0006_regular.cab O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\WINDOWS\system32\qlink32.dll O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\AYAAMON.DLL O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QmV0aCA\command.exe O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing) Run ccleaner.exe, uncheck everything on the first page except the two entries with Temporary and then Run Cleaner. Run the stinger. Run killbox.  Where it says Full Path of File to Delete you need to type or copy (Hightlight and Ctrl + c) and Paste (move to the killbox and place the cursor in the box and Ctrl + V): C:\Program Files\Internet Optimizer Then check the Delete on Reboot box and deltree box  then the red button.  Agree you want to remove the file but do not let it reboot. Repeat  for: C:\PROGRA~1\COMMON~1\ukmz C:\WINDOWS\QmV0aCA Repeat (Delete on Reboot and Unregister .dll) for: C:\WINDOWS\system32\AYAAMON.DLL C:\WINDOWS\system32\qlink32.dll If it doesn't find one then just go on to the next. Let it reboot after the last one.   Run another HijackThis log and post it as a reply. Let's see how we did.   Ron Message Edited by RKinner on 11-09-2005 09:28 PM

Virus & Spyware

Was this post helpful?