Skip to main content
Start a Conversation

Unsolved

This post is more than 5 years old

pamrd

8 Posts

4544

December 19th, 2004 11:00

hijackthis log- please review

Hi-  here is my log from hijack this.  I can't make any sense of it.  Can you help me?  Thanks in advance!  Pam
 
Logfile of HijackThis v1.99.0
Scan saved at 4:09:04 PM, on 12/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\2Wire\Gateway\2PortalMon.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\HP\Personal Printing Solutions Product Research\HP Product Research.exe
C:\WINDOWS\wqshhuqs.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\System32\voqvky.exe
C:\WINDOWS\wtndv.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\America Online 7.0\aoltray.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Dell\Support\Alert\bin\AlertView.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Pam\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HP Metrics] C:\Program Files\HP\Personal Printing Solutions Product Research\HP Product Research.exe a
O4 - HKLM\..\Run: [Xvx1BrTh] C:\WINDOWS\wqshhuqs.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [È00>ÔÇè]?,F@âaîži–ÏC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\wqshhuqs.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [C:\WINDOWS\wtndv.exe] C:\WINDOWS\wtndv.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Pam\Application Data\ttuh.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O8 - Extra context menu item: &Search - http://speedbar.myway.com/menusearch.html?p=MG2
O8 - Extra context menu item: RemindU - file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: RemindU - {2863ACA1-9AA0-4432-8CFE-88C12B3B2E5E} - file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {0AB5CBCF-6984-4122-BCF7-BE33BF5B1CF1} - http://www.topmoxie.com/external/builds/upromise/upro1050.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E142A688-2F47-4264-B021-A1F774CD0917}: NameServer = 204.60.203.179 66.73.20.40
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GoBack Polling Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
 

zbestwun2001

3 Apprentice

 • 

8.8K Posts

December 19th, 2004 15:00

Those 01 entries for openers look bad.
Hang loose and one of the experts will be with you.

Steve

Midnight Star

4.8K Posts

December 19th, 2004 17:00

Pam,

I can see that your running Norton's Go Back. Using that, can your 'restore' your system to a point prior to this 'infection'?

Mike.

pamrd

8 Posts

December 19th, 2004 20:00

Hi Mike-  I'm not really familiar with Go Back- it came with my anti-virus software.  I think I know when the infection started.  If I "go back," will I risk losing important files?  Thanks so much for your help.  I'm really new to this.  Pam

Midnight Star

4.8K Posts

December 20th, 2004 01:00

Pam,
 
Yes you will. Can you back the off your important files, use Go-Back, then reload them? This is a pretty bad 'infection' that can take awhile to remove; if we can successfully do it.
 
If you want to attempt to 'clean' your system, let me know, and we'll give it a try, but the best move is to use Go-Back.
 
Alot of people seem to be getting this thing. Where do you think you picked it up? From clicking a link, visiting a website, downloading and installing something?
 
Mike.
 

pamrd

8 Posts

December 20th, 2004 11:00

Thanks Mike.  My husband "infected" our system by looking for tickets to a UConn game without any regard for the reliability of the site.  Fifteen minutes later we were infected.  Needless to say, he learned his lesson....

I will take your advice and use Go Back.  Thanks again for all of your help.  This thing has been making me crazy!  Pam

pamrd

8 Posts

December 20th, 2004 16:00

OK, I blew it.  I just realized that I didn't install GoBack until after the infection.  Yikes!  Now what???

Midnight Star

4.8K Posts

December 21st, 2004 16:00

Pam,

Things like that happen. Let's see if we can try and fix this; it might get a little complicated, so, if you have questions at any time, just post back.

First, let start off by looking where no-hijack has looked before:

1.  Downolad Dllcompare, and Killbox to your desktop.

2.  click "Run locate.com".

     When the scan is complete, you will see: Completed the scan, Click Compare to Continue

3. click "Compare".

    In a few minutes it be Completed


4. click "Make a Log of what was Found".

5. Post that back as a reply to this post.

Mike.

 

pamrd

8 Posts

December 21st, 2004 22:00

Thanks, Mike.  Here's the log:

*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\dhd8.dll       Sun Dec 19 2004   4:55:14p  ..S.R        225,798   220.50 K
C:\WINDOWS\SYSTEM32\dnjo01~1.dll   Mon Dec  6 2004   1:04:48p  ..S.R        223,543   218.30 K
C:\WINDOWS\SYSTEM32\gp2ql3~1.dll   Mon Dec 20 2004   8:50:46a  ..S.R        225,701   220.41 K
C:\WINDOWS\SYSTEM32\jtl007~1.dll   Thu Dec  9 2004   3:47:34p  ..S.R        224,791   219.52 K
C:\WINDOWS\SYSTEM32\lv8u09~1.dll   Sun Dec 19 2004   5:03:14p  ..S.R        224,784   219.52 K
________________________________________________

1,314 items found:  1,314 files (5 H/S), 0 directories.
Total of file sizes:  272,078,099 bytes    259.47 M

Administrator Account =  True

Should I be afraid, very afraid?????

Midnight Star

4.8K Posts

December 21st, 2004 22:00

Pam,

Now, let's download KillBox, unzip it to your desktop, then:

-----

1.  check(tick) "Replace on reboot"

2.  enter C:\WINDOWS\SYSTEM32\dhd8.dll, in "Full Path of File to Delete".

3.  check(tick) "Use Dummy".

4.  click the red-x, just right of where you entered the file to delete.

5.  Confirm that you want to replace the 'bad' file with the 'dummy'.

6.  When prompted to "Reboot Now", select "No".

7. Now repease steps #1 - #6 for the following files:

C:\WINDOWS\SYSTEM32\dnjo01~1.dll  
C:\WINDOWS\SYSTEM32\gp2ql3~1.dll  
C:\WINDOWS\SYSTEM32\jtl007~1.dll  
C:\WINDOWS\SYSTEM32\lv8u09~1.dll   

C:\Windows\System32\Guard.tmp

After entering the last file, when prompted to "Reboot Now", select "Yes".

-----

You can copy/paste these file name(s) to save on typing.

Now, let's go back and run DLLCompare again, just like we did in the previous post, and post back the results.

Mike.

 

 

Midnight Star

4.8K Posts

December 21st, 2004 22:00

Pam,
 
Don't reboot your computer until I get back with you, otherwise those files might change names.
 
Sit tight...
 
Mike.
 

pamrd

8 Posts

December 22nd, 2004 19:00

OK Mike, here it is...
 
*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM32\j0j6la~1.dll   Wed Dec 22 2004   4:14:34p  ..S.R             56     0.05 K
C:\WINDOWS\SYSTEM32\lvj409~1.dll   Wed Dec 22 2004   2:25:38p  ..S.R        225,701   220.41 K
________________________________________________
1,314 items found:  1,314 files (2 H/S), 0 directories.
Total of file sizes:  271,184,932 bytes    258.62 M
Administrator Account =  True
 
Looks better to me.  What do you think?

pamrd

8 Posts

December 22nd, 2004 19:00

Yikes!  I just did.  I sent the log.  Let me know what I should do next.  Thanks!  Pam

Midnight Star

4.8K Posts

December 22nd, 2004 20:00

Pam,

That's looking so much better! Good job! Now, hopefully, this will be the last time we'll have to use KillBox.

Now, run KillBox then:

-----

1.  check(tick) "Replace on reboot"

2.  enter C:\WINDOWS\SYSTEM32\j0j6la~1.dll, in "Full Path of File to Delete".

3.  check(tick) "Use Dummy".

4.  click the red-x, just right of where you entered the file to delete.

5.  Confirm that you want to replace the 'bad' file with the 'dummy'.

6.  When prompted to "Reboot Now", select "No".

7. Now repease steps #1 - #6 for the following files:

C:\WINDOWS\SYSTEM32\lvj409~1.dll

C:\Windows\System32\Guard.tmp

After entering the last file, when prompted to "Reboot Now", select "Yes".

-----

You can copy/paste these file name(s) to save on typing.

Now, let's go back and run DLLCompare again, just like we did in the previous post, and post back the results - this one can sure get monotonous so hang in there ... :)

Mike.

 

Midnight Star

4.8K Posts

December 22nd, 2004 21:00

Pam,
 
While we're at it, let's see if we can remove as much as we can with this pass...
 
Reboot your computer into " Safe Mode".
 

Let's run  HiJackThis, then:
 
1.  click " Config..."
2.  click " Misc Tools"
3.  click " Delete a file on reboot"
4.  browse to, then double-click on each of the file(s) below, one at a time:
 
     C:\WINDOWS\wqshhuqs.exe
     C:\Program Files\ISTsvc\istsvc.exe
     C:\WINDOWS\System32\voqvky.exe
     C:\WINDOWS\wtndv.exe
     C:\Documents and Settings\Pam\Application Data\ttuh.exe
 
5.  when prompted to " Reboot Now", after selecting each file, select " No"
 

Run HiJackThis and click " Scan", then check(tick) the following, if present:
 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
 
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
(If HiJackThis 'crashes' then try again, but omit fixing these lines.)
 
O4 - HKLM\..\Run: [Xvx1BrTh] C:\WINDOWS\wqshhuqs.exe
O4 - HKLM\..\Run: [È00>ÔÇè]?,F@âaîži–ÏC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\wqshhuqs.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [C:\WINDOWS\wtndv.exe] C:\WINDOWS\wtndv.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Pam\Application Data\ttuh.exe
 

Now, with all windows closed except HiJackThis, click " Fix checked".
 
Reboot your computer normally.
 

Post back a new log.

Mike.

 

pamrd

8 Posts

December 23rd, 2004 19:00

All right... I did everything you suggested & here is the logfile:

Logfile of HijackThis v1.99.0
Scan saved at 4:17:59 PM, on 12/23/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\2Wire\Gateway\2PortalMon.exe
C:\Program Files\HP\Personal Printing Solutions Product Research\HP Product Research.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\America Online 7.0\aoltray.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\kpfkny.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Norton Personal Firewall\ISSVC.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Pam\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Personal Firewall - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HP Metrics] C:\Program Files\HP\Personal Printing Solutions Product Research\HP Product Research.exe a
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [È00>ÔÇè]?,F@âaîži–ÏC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\wqshhuqs.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Pam\Application Data\ttuh.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O8 - Extra context menu item: &Search - http://speedbar.myway.com/menusearch.html?p=MG2
O8 - Extra context menu item: RemindU - file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: RemindU - {2863ACA1-9AA0-4432-8CFE-88C12B3B2E5E} - file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {0AB5CBCF-6984-4122-BCF7-BE33BF5B1CF1} - http://www.topmoxie.com/external/builds/upromise/upro1050.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E142A688-2F47-4264-B021-A1F774CD0917}: NameServer = 204.60.203.179 66.73.20.40
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GoBack Polling Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: ISSvc - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

Thanks again for all of your help.  Let me know how this looks to you.  Pam

Was this post helpful?

View All

0 events found

No Events found!

Top