Bod99
561 Posts
0
August 19th, 2006 17:00
I'm Bod and here to help you with your Hijack This log.
Please only use this topic for your replies on this problem. Do not start another thread.
The fixes we will use are specific to your problems and should only be used for this problem on this computer.
These things need to be properly researched and a complete fix for many malware problems can take some time and be spread over a number of posts, so please be patient and try to see it through to the end.
I've had a look through your log and I now have some instructions for you to follow.
Before you start, please read through these instructions and make sure that you understand them.
If you are not sure about anything, post a reply in this thread with your questions.
You will be booting into Safe Mode at some point in these instructions, so you should print out these instructions for reference. You will not have internet access in Safe Mode.
Please follow and carry out all the steps in the instructions in the order I've listed them.
Please do not try any other "fixes" you may have found on the internet while we are sorting this problem out, it's important that we work through the fix in a systematic manner.
Step 1
Download Ewido from www.ewido.net/en/download, and install. At the end of the installation process, leave the tick in the "Run Ewido Anti-Spyware 4.0" checkbox. Click "Finish".
When the opening screen appears, click "change state" for "Resident Shield" to change the state to "inactive". This is done to prevent the resident shield interfering with our attempts to fix the problems present on the PC.
Ewido will automatically update, and a toolbar message balloon will confirm that update is complete. If this doesn't happen, click Update > Start Update.
Do not scan yet. Close Ewido.
Step 2
Download Nailfix from http://www.noidea.us/easyfile/file.php?dow...050515010747824
Unzip it to the desktop, but do NOT run it yet.
Step 3
Re-boot in Safe Mode by pressing F8 during Boot-up and choosing Safe Mode from the boot options list.
Doubleclick on Nailfix.cmd.
Your desktop and icons will disappear and reappear, and a window should open and close very quickly, this is normal.
Stay in safe mode.
Step 4
Run Ewido, click Scanner > Complete System Scan.
At the end of the scan, a list of found objects will be generated. Check through the list for false positives, and change the "Action" entry if necessary.
Click "Apply all actions".
When the actions have been completed, click Save Report > Save report as, and save report as a text file on your desktop. I will need a copy of the report contents as part of your next post.
Stay in safe mode.
Step 5
Run Hijack This, don't have any other programs open, and click "Scan".
In the scan results, click on the check box for all of the following lines that are present.
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
Click on " Fix checked".
Reboot as normal.
Step 6
Run Hijack This, "Scan" and post the log, together with the Ewido log, as a reply to this thread. I'll check it through, and get back to you.
Thanks,
Bod
Bod99
561 Posts
0
August 29th, 2006 18:00
It's now been at least 7 days since your last post. I am presuming now that your problem has been solved and this topic is now inactive.
I will keep tabs on this post for another 7 days from this date, after which if you need help you should start a new topic.
If you should wish to reply before the 7 days have passed then simply please post a fresh HJT log before proceeding further.
Thanks,
Bod
kinglpn
3 Posts
0
August 31st, 2006 14:00
HERE'S THE EWIDO LOG
ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 10:34:24 AM 8/31/2006
+ Scan result:
C:\Documents and Settings\Jerrold Sr\Local Settings\Temp\180sainstallernusalm.exe/clientax.dll -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\Program Files\TBONAS\TBONcomp.dll -> Adware.ActivShopper : Cleaned with backup (quarantined).
C:\Program Files\TBONAS\TBONlchr.dll -> Adware.ActivShopper : Cleaned with backup (quarantined).
C:\Documents and Settings\Jerrold Sr\Local Settings\Temp\XBV\aurareco.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\Documents and Settings\Jerrold Sr\Local Settings\Temp\btgupg.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\Documents and Settings\Kristyn\Local Settings\Temp\CMO\aurareco.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\Documents and Settings\Kristyn\Local Settings\Temp\GKP\aurareco.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\Documents and Settings\Kristyn\Local Settings\Temp\IQI\aurareco.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP763\A0177783.exe -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\Documents and Settings\Jerrold Sr\Local Settings\Temp\insD2.tmp -> Adware.DownloadWare : Cleaned with backup (quarantined).
C:\Documents and Settings\Jerrold Sr\Local Settings\Temp\E5C164.tmp/LMSetup.exe -> Adware.MDH : Cleaned with backup (quarantined).
C:\Documents and Settings\Jerrold Sr\Local Settings\Temp\upd25.tmp/ME.dll -> Adware.MediaPops : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP748\A0176202.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP763\A0177776.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP763\A0177777.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP763\A0177778.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP763\A0177779.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP771\A0179449.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP771\A0179450.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP771\A0179527.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKU\S-1-5-21-214099845-2014835873-67682326-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Documents and Settings\Jerrold Sr\Start Menu\Programs\WhenU -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Documents and Settings\Jerrold Sr\Start Menu\Programs\WhenU\Learn More About WhenU Save.url -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Documents and Settings\Jerrold Sr\Start Menu\Programs\WhenU\Learn More About WhenU SaveNow.url -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Documents and Settings\Jerrold Sr\Start Menu\Programs\WhenU\Uninstall.lnk -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Documents and Settings\Jerrold Sr\Start Menu\Programs\WhenU\WhenU Help Desk.lnk -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Documents and Settings\Jerrold Sr\Start Menu\Programs\WhenU\WhenU.com Website.url -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP764\A0177835.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP771\A0179471.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP771\A0179472.dll -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Documents and Settings\Kayla\Local Settings\Temp\upd1C.tmp/NE.dll -> Adware.SmartPops : Cleaned with backup (quarantined).
C:\Documents and Settings\Kayla\Local Settings\Temp\upd1C.tmp/NE.exe -> Adware.SmartPops : Cleaned with backup (quarantined).
C:\Documents and Settings\Kayla\Local Settings\Temp\upd3.tmp/NE.dll -> Adware.SmartPops : Cleaned with backup (quarantined).
C:\Documents and Settings\Kayla\Local Settings\Temp\upd3.tmp/NE.exe -> Adware.SmartPops : Cleaned with backup (quarantined).
C:\Documents and Settings\Kayla\Local Settings\Temp\updC.tmp/NE.dll -> Adware.SmartPops : Cleaned with backup (quarantined).
C:\Documents and Settings\Kayla\Local Settings\Temp\updC.tmp/NE.exe -> Adware.SmartPops : Cleaned with backup (quarantined).
C:\Program Files\Windows AdStatus\WinStatComm.dll -> Adware.WinAD : Cleaned with backup (quarantined).
C:\Documents and Settings\Jerrold Jr & Sasha\Cookies\jerrold jr & sasha@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Jerrold Jr & Sasha\Cookies\jerrold jr & sasha@bet.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Jerrold Jr & Sasha\Cookies\jerrold jr & sasha@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Jerrold Jr & Sasha\Cookies\jerrold jr & sasha@wrigley.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Jerrold Sr\Cookies\jerrold sr@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Jerrold Jr & Sasha\Cookies\jerrold jr & sasha@abetterinternet[2].txt -> TrackingCookie.Abetterinternet : Cleaned.
C:\Documents and Settings\Jerrold Jr & Sasha\Cookies\jerrold jr & sasha@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Jerrold Sr\Cookies\jerrold sr@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Kayla\Cookies\kayla@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Kristyn\Cookies\kristyn@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Jerrold Jr & Sasha\Cookies\jerrold jr & sasha@bestoffersnetworks[3].txt -> TrackingCookie.Bestoffersnetworks : Cleaned.
C:\Documents and Settings\Kristyn\Cookies\kristyn@cc.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : Cleaned.
C:\Documents and Settings\Jerrold Jr & Sasha\Cookies\jerrold jr & sasha@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Jerrold Jr & Sasha\Cookies\jerrold jr & sasha@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Jerrold Jr & Sasha\Cookies\jerrold jr & sasha@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Jerrold Jr & Sasha\Cookies\jerrold jr & sasha@centrport[1].txt -> TrackingCookie.Centrport : Cleaned.
C:\Documents and Settings\Jerrold Jr & Sasha\Cookies\jerrold jr & sasha@cliks[2].txt -> TrackingCookie.Cliks : Cleaned.
C:\Documents and Settings\Jerrold Jr & Sasha\Cookies\jerrold jr & sasha@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Kristyn\Cookies\kristyn@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Jerrold Jr & Sasha\Cookies\jerrold jr & sasha@twci.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned.
C:\Documents and Settings\Jerrold Jr & Sasha\Cookies\jerrold jr & sasha@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Kristyn\Cookies\kristyn@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Jerrold Jr & Sasha\Cookies\jerrold jr & sasha@e-2dj6wflowkdjgco.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Jerrold Jr & Sasha\Cookies\jerrold jr & sasha@e-2dj6wflyohd5ifo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Jerrold Jr & Sasha\Cookies\jerrold jr & sasha@e-2dj6wjlyggajiao.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Jerrold Jr & Sasha\Cookies\jerrold jr & sasha@ehg-dig.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Jerrold Jr & Sasha\Cookies\jerrold jr & sasha@ehg-learningco.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Jerrold Jr & Sasha\Cookies\jerrold jr & sasha@ehg-melbourneit.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Jerrold Jr & Sasha\Cookies\jerrold jr & sasha@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Jerrold Sr\Cookies\jerrold sr@ehg-dig.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Jerrold Jr & Sasha\Cookies\jerrold jr & sasha@linksynergy[2].txt -> TrackingCookie.Linksynergy : Cleaned.
C:\Documents and Settings\Jerrold Jr & Sasha\Cookies\jerrold jr & sasha@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Jerrold Jr & Sasha\Cookies\jerrold jr & sasha@stat.onestat[2].txt -> TrackingCookie.Onestat : Cleaned.
C:\Documents and Settings\Jerrold Jr & Sasha\Cookies\jerrold jr & sasha@data1.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Jerrold Jr & Sasha\Cookies\jerrold jr & sasha@data4.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Jerrold Jr & Sasha\Cookies\jerrold jr & sasha@overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Jerrold Jr & Sasha\Cookies\jerrold jr & sasha@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Jerrold Sr\Cookies\jerrold sr@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Jerrold Sr\Cookies\jerrold sr@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Kayla\Cookies\kayla@overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Kayla\Cookies\kayla@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Kristyn\Cookies\kristyn@overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Kristyn\Cookies\kristyn@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Kristyn\Cookies\kristyn@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Jerrold Jr & Sasha\Cookies\jerrold jr & sasha@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned.
C:\Documents and Settings\Jerrold Jr & Sasha\Cookies\jerrold jr & sasha@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Kayla\Cookies\kayla@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Kristyn\Cookies\kristyn@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Jerrold Jr & Sasha\Cookies\jerrold jr & sasha@revenue[2].txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\Jerrold Jr & Sasha\Cookies\jerrold jr & sasha@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Jerrold Jr & Sasha\Cookies\jerrold jr & sasha@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
::Report end
Thanks for all your help. I'll check back in a couple of days.
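The Ewido report above is a flat list of "object -> family : action" lines, and the useful triage question is which detections were live files on disk, which were registry traces, which were only copies inside System Restore snapshots (under System Volume Information\_restore, inert unless that restore point is applied), and which were just tracking cookies. The following parser is an added example written for this thread, not part of Ewido or of the original posts; the sample report embedded in it is a constructed excerpt in the same format as the report posted here, and the location categories are this example's own classification.

```python
import re
from collections import Counter

# Constructed sample in the format of the Ewido report posted in this thread
# (a handful of lines in that format, not the full report).
SAMPLE_REPORT = r"""ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 10:34:24 AM 8/31/2006
+ Scan result:
C:\Program Files\TBONAS\TBONcomp.dll -> Adware.ActivShopper : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP763\A0177776.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKU\S-1-5-21-214099845-2014835873-67682326-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Documents and Settings\Kayla\Cookies\kayla@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
::Report end
"""

# One result line: "<object> -> <family> : <action>." (trailing period optional)
RESULT_RE = re.compile(r"^(?P<obj>.+?) -> (?P<family>\S+) : (?P<action>.+?)\.?$")
REGISTRY_HIVES = ("HKLM\\", "HKCU\\", "HKU\\", "HKCR\\")
RESTORE_MARKER = "\\system volume information\\_restore"


def classify(obj, family):
    """Where the detection lives, which decides how much follow-up it needs."""
    if obj.startswith(REGISTRY_HIVES):
        return "registry"
    if RESTORE_MARKER in obj.lower():
        # A copy inside a System Restore snapshot: inert unless that restore point is applied.
        return "restore-point-copy"
    if family.startswith("TrackingCookie."):
        return "tracking-cookie"
    return "file"


def parse_report(text):
    """Turn the report text into one dict per detection; header/footer lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if not m:
            continue  # banner, separator, "+ Scan result:", "::Report end"
        obj, family, action = m.group("obj"), m.group("family"), m.group("action")
        findings.append({
            "object": obj,
            "family": family,
            "action": action,
            "quarantined": "quarantined" in action.lower(),
            "kind": classify(obj, family),
        })
    return findings


def summarize(findings):
    """Counts by family and location kind, plus the live files worth re-checking in the next HJT log."""
    return {
        "total": len(findings),
        "by_family": dict(Counter(f["family"] for f in findings)),
        "by_kind": dict(Counter(f["kind"] for f in findings)),
        "quarantined": sum(f["quarantined"] for f in findings),
        "active_files": [f["object"] for f in findings if f["kind"] == "file"],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

Run it against the full report pasted in this thread by replacing SAMPLE_REPORT with the report text; the "active_files" list is the set of paths to look for again in the next HijackThis scan, while the restore-point copies only matter if an old restore point is ever applied.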
kinglpn
3 Posts
0
August 31st, 2006 14:00
Hi Bod,
Sorry it took me so long to reply. I didn't think that anyone had responded. However I did everything that you said in your log step by step. I did not find the file F2-REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe when I ran hijackthis. Before I saw your reply I had downloaded Spybot S&D and ran that several times so my system may have changed since my first post. Here's my hijack this log and the ewido log that I just did:
HIJACKTHIS LOG
Logfile of HijackThis v1.99.1
Scan saved at 10:58:42 AM, on 8/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\PROGRA~1\AIM95\aim.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://talkamerica.net/members/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [3n1478kk] C:\WINDOWS\system32\3n1478kk.exe
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [voglnr] C:\WINDOWS\system32\qudkin.exe r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {37327E74-E295-4531-8FDB-54D138201CFA} - http://www.grabeasy.com/download/ge2install.cab
O16 - DPF: {5FAD82EB-648A-4ADB-9C91-E07159B6B201} - http://tmaster.superb.net/tm2002oneclick/TM2002.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137454779234
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F49ACD1E-DEA9-458E-9C42-00649D4B32F4}: NameServer = 216.127.139.9,65.212.161.9
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
I have to post the ewido log separate because they are too big! To be continued.....
Bod99
561 Posts
0
August 31st, 2006 18:00
Hi,
Thanks for the new HJT log and the Ewido report.
As you'll have seen, Ewido has quarantined a lot and no doubt Spybot did a good job as well. The Nailfix step also did its job, so it's ok that you didn't find the F2 line in the new HJT scan.
I now have some more instructions for you to follow.
Before you start, please read through these instructions and make sure that you understand them.
If you are not sure about anything, post a reply in this thread with your questions.
You will be booting into Safe Mode at some point in these instructions, so you should print out these instructions for reference. You will not have internet access in Safe Mode.
Please follow and carry out all the steps in the instructions in the order I've listed them.
Step 1
Run Hijack This, don't have any other programs open, and click "Scan".
In the scan results, click on the check box for all of the following lines that are present.
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [3n1478kk] C:\WINDOWS\system32\3n1478kk.exe
O4 - HKLM\..\Run: [voglnr] C:\WINDOWS\system32\qudkin.exe r
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
O16 - DPF: {37327E74-E295-4531-8FDB-54D138201CFA} - http://www.grabeasy.com/download/ge2install.cab
Click on "Fix checked".
Step 2
Re-boot in Safe Mode by pressing F8 during Boot-up and choosing Safe Mode from the boot options list.
Click My Computer > Tools > View, then put a tick in the "Display the contents of system folders" and "Show hidden files and folders" check boxes. Uncheck the "Hide protected operating system files (recommended)" option.
Click "Yes" to confirm.
Click "OK".
Navigate to the following files and delete each of them. Some may not be present.
C:\WINDOWS\system32\3n1478kk.exe
C:\WINDOWS\system32\qudkin.exe
Reboot as normal.
Step 3
Run Hijack This, "Scan" and post the log as a reply to this thread. I'll check it through, and get back to you.
Thanks,
Bod
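The two sets of instructions in this thread pick out a handful of HijackThis line types for fixing: an F2 system.ini Shell= value with an extra program appended after Explorer.exe, O4 Run entries launching unknown binaries from system32, an O8 context-menu item and an O16 ActiveX (DPF) download from outside sites, and a missing R3 URLSearchHook. The script below is an added example that applies those same checks automatically to a HijackThis 1.99-format log; it is not part of HijackThis or of the original posts. The sample log it embeds is a constructed excerpt in the format of the log posted earlier in this thread, and the two allowlists (stock system32 launchers that legitimately appear in Run keys, and hosts whose ActiveX cabs are expected) are this example's own assumptions that a reader would extend for their own machine.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the HijackThis v1.99 log format used in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [3n1478kk] C:\WINDOWS\system32\3n1478kk.exe
O4 - HKLM\..\Run: [voglnr] C:\WINDOWS\system32\qudkin.exe r
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137454779234
O16 - DPF: {37327E74-E295-4531-8FDB-54D138201CFA} - http://www.grabeasy.com/download/ge2install.cab
"""

# Assumed allowlists (this example's own, not from HijackThis).
SYSTEM32_RUN_KNOWN = {"rundll32.exe", "ctfmon.exe"}
TRUSTED_HOSTS = {"update.microsoft.com", "windowsupdate.microsoft.com"}

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# First program in a Run command: quoted path, or an unquoted path ending in a program extension.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.(?:exe|dll|com|scr|bat|cmd))"?(?:\s|$)', re.I)
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\(?P<base>[^\\]+)$", re.I)


def first_executable(cmd):
    """Return the program a Run-key command launches, ignoring its arguments."""
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else cmd.strip()


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def last_segment(line):
    """HJT joins fields with ' - '; the target (path or URL) is the final one."""
    return line.rsplit(" - ", 1)[-1].strip()


def triage(text):
    """Return the lines a helper would ask to have fixed, with a severity and reason each."""
    hits = []

    def flag(line, severity, reason):
        hits.append({"line": line, "severity": severity, "reason": reason})

    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("F2 - ") and "Shell=" in line:
            # The shell value should be Explorer.exe alone; anything appended to it
            # is started at every logon. (Whitespace split: paths with spaces would
            # need quoting to survive this.)
            shell_value = line.split("Shell=", 1)[1]
            extras = [t for t in shell_value.split() if t.lower() != "explorer.exe"]
            if extras:
                flag(line, "high", f"extra shell program(s): {extras}")
        elif line.startswith("R3 - ") and "is missing" in line:
            flag(line, "low", "URLSearchHook removed or replaced; fixing restores the default")
        elif line.startswith("O4 - "):
            m = O4_RE.match(line)
            if not m:
                continue  # e.g. "O4 - Global Startup:" lines use a different layout
            s = SYSTEM32_RE.match(first_executable(m.group("cmd")))
            if s and s.group("base").lower() not in SYSTEM32_RUN_KNOWN:
                flag(line, "high", f"Run entry launches non-stock binary from system32: {s.group('base')}")
        elif line.startswith("O8 - "):
            host = host_of(last_segment(line))
            if host and host not in TRUSTED_HOSTS:
                flag(line, "medium", f"context-menu item points to external site: {host}")
        elif line.startswith("O16 - "):
            host = host_of(last_segment(line))
            if host and host not in TRUSTED_HOSTS:
                flag(line, "medium", f"ActiveX download (DPF) from untrusted host: {host}")
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"[{hit['severity']}] {hit['line']}\n    {hit['reason']}")
```

On the sample this flags exactly the lines the two instruction posts asked to have fixed and leaves the QuickTime, Spybot, NvMediaCenter and Microsoft Update entries alone; the system32 check is deliberately a "not on the allowlist" test rather than a random-name heuristic, so legitimate launchers added to SYSTEM32_RUN_KNOWN stop being reported.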
Bod99
561 Posts
0
September 8th, 2006 18:00
It's now been at least 7 days since your last post. I am presuming now that your problem has been solved and this topic is now inactive.
I will keep tabs on this post for another 7 days from this date, after which if you need help you should start a new topic.
If you should wish to reply before the 7 days have passed then simply please post a fresh HJT log before proceeding further.
Thanks,
Bod