Thank you for getting back to me. Here is my new log:
Logfile of HijackThis v1.99.1
Scan saved at 8:35:26 PM, on 11/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Sorry it took me so long with my reply, but my computer is not letting me install the program. It takes a while to download and then it freezes during the installation process.
Logfile of HijackThis v1.99.1
Scan saved at 10:10:42 AM, on 11/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Save a copy of the report: Click "Print the report", then copy/paste to a new Notepad file and save to a convenient location. Post results into the next reply if requested to do so.
Run HiJackThis and click "Scan", then check (tick) the following, if present:
With all windows closed except HiJackThis, click "Fix checked".
From "Safe Mode", (Reboot if necessary.) locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:
To show hidden files:
1. Click Start => Control Panel => Folder Options => View tab.
2. Select "Show hidden files and folders"
3. Clear the check mark in "Hide protected operating system files" => Yes to confirm.
4. Click Apply => OK.
5. Close Control Panel.
files...
C:\WINDOWS\dlhost.exe
C:\WINDOWS\shost.exe
Note that some of these file(s) may not be present.
Post back a new log, along with the results of the online scan. :smileyhappy:
George a.k.a. SpotCheckBilly.
Logfile of HijackThis v1.99.1
Scan saved at 4:05:24 PM, on 11/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Results:
We have detected 17 infected file(s) with 17 virus(es) on your computer. Only 0 out of 0 infected files are displayed.
Detected File Associated Virus Name
C:\Documents and Settings\Ashley\Local Settings\Temp\15.tmp PE_BOBAX.AK-O
C:\Documents and Settings\Ashley\Local Settings\Temp\2.tmp PE_BOBAX.AK-O
C:\Documents and Settings\Ashley\Local Settings\Temp\3.tmp PE_BOBAX.AK-O
C:\Documents and Settings\Ashley\Local Settings\Temp\4.tmp PE_BOBAX.AK-O
C:\Documents and Settings\Ashley\Local Settings\Temp\atiupdate.exe Possible_Virus
C:\WINDOWS\system32\knixsydxvcyn.exe PE_BOBAX.AK-O
C:\WINDOWS\system32\lwvsu.exe PE_BOBAX.AK-O
C:\WINDOWS\system32\msshed32.exe Possible_Virus
C:\WINDOWS\system32\mvdjmjuwrjgzqm.exe PE_BOBAX.AK-O
C:\WINDOWS\system32\srpruxixfhmgbh.exe PE_BOBAX.AK-O
C:\WINDOWS\system32\twswntnu.exe PE_BOBAX.AK-O
C:\WINDOWS\system32\utztlqyhf.exe PE_BOBAX.AK-O
C:\WINDOWS\system32\ybapnqipo.exe PE_BOBAX.AK-O
C:\WINDOWS\Temp\6.tmp PE_BOBAX.AK-O
C:\WINDOWS\Temp\7.tmp PE_BOBAX.AK-O
C:\..a PE_BOBAX.AK-O
C:\crack.exe PE_BOBAX.AK-O
Trojan/Worm Check No worm/Trojan horse detected
What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your computer. Only 0 out of 0 Trojan horse programs and worms are displayed.
Trojan/Worm Name Trojan/Worm Type
Spyware Check 37 spyware programs detected
What we checked:
Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.
Results:
We have detected 37 spyware(s) on your computer. Only 0 out of 0 spywares are displayed.
Spyware Name Spyware Type
COOKIE_45 Cookie
COOKIE_169 Cookie
COOKIE_174 Cookie
COOKIE_222 Cookie
COOKIE_281 Cookie
COOKIE_346 Cookie
COOKIE_407 Cookie
COOKIE_650 Cookie
COOKIE_722 Cookie
COOKIE_763 Cookie
COOKIE_878 Cookie
COOKIE_1020 Cookie
COOKIE_1198 Cookie
COOKIE_1236 Cookie
COOKIE_1433 Cookie
COOKIE_1462 Cookie
COOKIE_1802 Cookie
COOKIE_2060 Cookie
COOKIE_2136 Cookie
COOKIE_2250 Cookie
COOKIE_2281 Cookie
COOKIE_2314 Cookie
COOKIE_2346 Cookie
COOKIE_2798 Cookie
COOKIE_2842 Cookie
COOKIE_2897 Cookie
COOKIE_3004 Cookie
COOKIE_3182 Cookie
COOKIE_3188 Cookie
COOKIE_3191 Cookie
COOKIE_3195 Cookie
COOKIE_3196 Cookie
COOKIE_3201 Cookie
COOKIE_6853 Cookie
COOKIE_3233 Cookie
COOKIE_3235 Cookie
COOKIE_3237 Cookie
OK, we have some more work to do, but we are making good progress. :smileyhappy:
First, download CCleaner and install. Configure and run as follows:
Open CCleaner.
Place a check-mark next to:
Everything in the Applications tab.
Place a check-mark next to:
Internet Explorer
Windows explorer and
System, in the Windows tab.
Hit Run CCleaner
Reboot to remove index.dat files.
We need to temporarily disable Spy Sweeper because it may interfere with our fix.
To disable SpySweeper:
Open Spy Sweeper.
Click Options to the left.
Click Program Options .
Uncheck "load at windows startup".
On the left click "shields".
Uncheck all there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".
Exit Spy Sweeper.
Once ALL of the fixes are complete, don't forget to re-enable Spy Sweeper.
--->Important Step<--- Before we get started, HijackThis needs to be moved to its own, permanent folder.
HijackThis will create a backup file to use if a restore is necessary, so please DO NOT run HijackThis from a temporary location or your desktop.
Create a folder on the root drive, (Usually C:\), called C:\HJT.
1. Go to "My Computer", (Windows key+e), or by double-clicking on the "My Computer" icon on your desktop.
2. Double click on "C:"
3. Right click and select New->Folder. Name it HJT.
Move HijackThis to this new folder.
Also move the "Backups" folder, for HiJackThis, if present.
With all windows closed except HiJackThis, click "Fix checked".
From "Safe Mode", (Reboot if necessary.) locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:
To show hidden files:
1. Click Start => Control Panel => Folder Options => View tab.
2. Select "Show hidden files and folders"
3. Clear the check mark in "Hide protected operating system files" => Yes to confirm.
4. Click Apply => OK.
5. Close Control Panel.
Sorry for not replying sooner, just got done traveling. I will have what you asked completed tomorrow. Thank you very much for your time :smileyvery-happy:
Logfile of HijackThis v1.99.1
Scan saved at 4:13:27 PM, on 11/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
With all windows closed except HiJackThis, click "Fix checked".
Post back a new log, done in "Normal Mode" and we'll take it from there. :smileyhappy:
fabsgurl01
25 Posts
0
November 14th, 2005 23:00
Scan saved at 8:35:26 PM, on 11/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\dlhost.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\shost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ashley\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\system32\1hlr.dll (file missing)
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/webmasterexe/drsmartload106a.exe
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129951241445
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130270535366
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c6.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: DynamicHost (DLHOST) - Unknown owner - C:\WINDOWS\dlhost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: Windows Produre Call (MSRPC) - Unknown owner - C:\WINDOWS\msrpc.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe
O23 - Service: System Manager Service (SMSC) - Unknown owner - C:\WINDOWS\smsc.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
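The entries the helper singles out from this log follow a few recognisable patterns: O23 services with "Unknown owner" whose binary sits directly in C:\WINDOWS rather than System32, services that point at a missing file, a service binary named like a core Windows process (lsass.exe) outside System32, O2/O3 registrations with no backing file, and an O16 DPF entry that pulls an .exe instead of a .cab. The Python below is an added example, not HijackThis code and not the helper's method: it turns those patterns into triage heuristics and runs them over a constructed excerpt of the log above. Function names, the regexes and the list of core binary names are my own choices; every hit is only a prompt for a human look, not a verdict.

```python
"""Heuristic triage of HijackThis 1.99.1 log lines (added example).

Not HijackThis code. It encodes, as checks, the patterns acted on in the
thread: unknown-owner services whose binary lives directly under C:\\WINDOWS,
services pointing at a missing file, core-binary names outside System32,
orphaned BHO/Toolbar registrations, and O16 DPF entries fetching a non-CAB
payload. Hits are prompts for review, not verdicts.
"""
import re
from typing import List, Tuple

# Constructed sample: a subset of the O2/O3/O16/O23 lines posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\system32\1hlr.dll (file missing)
O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/webmasterexe/drsmartload106a.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129951241445
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DynamicHost (DLHOST) - Unknown owner - C:\WINDOWS\dlhost.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: Windows Produre Call (MSRPC) - Unknown owner - C:\WINDOWS\msrpc.exe (file missing)
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
"""

O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
ADDON_RE = re.compile(r"^O[23] - (?:BHO|Toolbar): .+ - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
DPF_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? - (?P<src>\S+)$")

# Core Windows binaries that legitimately live only under System32 (my list, not exhaustive).
SYSTEM_BINARY_NAMES = {"lsass.exe", "smss.exe", "csrss.exe", "winlogon.exe",
                       "services.exe", "svchost.exe", "spoolsv.exe"}

Finding = Tuple[str, str]  # (log line, reason)


def _split_path(path: str) -> Tuple[str, str, bool]:
    """Split a HJT path field into (lowercase directory, lowercase basename, missing flag)."""
    missing = path.endswith("(file missing)")
    clean = path.replace("(file missing)", "").strip().strip('"')
    directory, _, base = clean.rpartition("\\")
    return directory.lower(), base.lower(), missing


def check_service(name: str, owner: str, path: str) -> List[str]:
    """Return the reasons an O23 entry deserves a closer look (empty list if none)."""
    directory, base, missing = _split_path(path)
    reasons = []
    if owner == "Unknown owner" and directory == r"c:\windows":
        reasons.append("unknown-owner service binary directly under C:\\WINDOWS")
    if missing:
        reasons.append("service points at a missing binary")
    if base in SYSTEM_BINARY_NAMES and not directory.endswith("\\system32"):
        reasons.append("core system binary name outside System32")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Run all heuristics over a log and collect (line, reason) findings in log order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = O23_RE.match(line)
        if m:
            for reason in check_service(m["name"], m["owner"], m["path"]):
                findings.append((line, reason))
            continue
        m = ADDON_RE.match(line)
        if m:
            path = m["path"]
            if path == "(no file)" or path.endswith("(file missing)"):
                findings.append((line, "orphaned browser add-on registration (no backing file)"))
            continue
        m = DPF_RE.match(line)
        if m:
            src = m["src"].split("?", 1)[0].lower()  # drop cache-buster query strings
            if src.startswith("http") and not src.endswith(".cab"):
                findings.append((line, "DPF entry fetches a non-CAB payload over HTTP"))
    return findings


def flagged_services(findings: List[Finding]) -> List[str]:
    """Short service names (the text in parentheses, else the full name) with at least one finding."""
    names: List[str] = []
    for line, _ in findings:
        m = O23_RE.match(line)
        if not m:
            continue
        short = re.search(r"\(([^()]+)\)$", m["name"])
        name = short.group(1) if short else m["name"]
        if name not in names:
            names.append(name)
    return names


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
    print("services to review:", ", ".join(flagged_services(triage(SAMPLE_LOG))))
```

Run against the sample, the script names exactly the four services the helper asked to stop (DLHOST, lsass, MSRPC, ServiceHost) and leaves the ATI and Symantec entries alone; the dollarrevenue DPF line and the three orphaned add-ons are flagged as well. The directory check is deliberately narrow (only the bare C:\WINDOWS directory) so that System32 services with an unlisted vendor are not reported on that basis alone.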
SpotCheckBilly
932 Posts
0
November 14th, 2005 23:00
Sorry it has been so long in responding. Everyone who helps out around here is a volunteer and often there are just not enough to keep up.
To ensure that we are working with the most current data, please post a fresh HijackThis log and I will be happy to take a look at it for you. :smileyhappy:
George a.k.a. SpotCheckBilly
SpotCheckBilly
932 Posts
0
November 16th, 2005 20:00
Well, you have quite a lot going on here, so let's get started.
Download and install the 14 day trial version of Spy Sweeper (If you receive alerts from your firewall, allow all activities for Spy Sweeper)
- From the left pane, click Options
- Select\click the Sweep Options tab
- Under Where to Sweep: Ensure the following is selected\checked..
- Sweep all Folders on Selected drives
- Under What to Sweep: Ensure the following are selected\checked...
- Sweep Memory
- Sweep Registry
- Sweep Cookies
- Sweep All Users accounts
- Enable Direct Disk Sweeping
- Sweep For Rootkits
- After that's done, select Sweep from the left pane & click on the Start button
- Allow Spysweeper to reboot your machine. This is a necessary step to kill the infection
- When the sweep has finished, click Remove. Click Select All and then Next
- From "Results", select the Session Log tab. Click Save to File and save the log somewhere convenient, such as your desktop.
- Exit Spy Sweeper.
- Post the Spy Sweeper log in your next reply along with a new HJT log.
George a.k.a. SpotCheckBilly :smileyhappy:
fabsgurl01
25 Posts
0
November 17th, 2005 19:00
SpotCheckBilly
932 Posts
0
November 17th, 2005 20:00
OK, let's go at this from a different direction. Let's run this online virus scan: ActiveScan. Save the results somewhere convenient, such as your desktop.
Next, Open a command prompt by:
1. Clicking "Start", then "Run...".
2. Enter "cmd" (without the quotes).
3. Enter "services.msc" (without the quotes).
Now, locate and 'stop' the following services, if present:
DynamicHost (DLHOST) owner ... (C:\WINDOWS\dlhost.exe)
Service Hosts (ServiceHost) owner ... (C:\WINDOWS\shost.exe)
Look carefully, since the name of the service (above) can be anywhere in the entry; also be careful not to 'stop' any required system services.
Run HiJackThis then:
1. Click "Config..."
2. Click "Misc Tools"
3. Click "Open Process manager"
Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:
C:\WINDOWS\dlhost.exe
C:\WINDOWS\shost.exe
Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.
Run HiJackThis and click "Scan", then check (tick) the following, if present:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\system32\1hlr.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll (file missing)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k -->Note: This is not a "bad" entry. It is just one that does not need to be run every time you boot up.
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/webmasterexe/drsmartload106a.exe
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c6.cab
O23 - Service: DynamicHost (DLHOST) - Unknown owner - C:\WINDOWS\dlhost.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: Windows Produre Call (MSRPC) - Unknown owner - C:\WINDOWS\msrpc.exe (file missing)
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe
O23 - Service: System Manager Service (SMSC) - Unknown owner - C:\WINDOWS\smsc.exe (file missing)
With all windows closed except HiJackThis, click "Fix checked".
From "Safe Mode", (Reboot if necessary.) locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:
To show hidden files:
1. Click Start => Control Panel => Folder Options => View tab.
2. Select "Show hidden files and folders"
3. Clear the check mark in "Hide protected operating system files" => Yes to confirm.
4. Click Apply => OK.
5. Close Control Panel.
files...
C:\WINDOWS\dlhost.exe
C:\WINDOWS\shost.exe
Note that some of these file(s) may not be present.
Post back a new log, along with the results of the online scan. :smileyhappy:
George a.k.a. SpotCheckBilly.
fabsgurl01
25 Posts
0
November 18th, 2005 03:00
I got Spy Sweeper to work :smileywink: my spy log is:
********
11:49 PM: | Start of Session, Thursday, November 17, 2005 |
11:49 PM: Spy Sweeper started
11:49 PM: Sweep initiated using definitions version 574
11:49 PM: Starting Memory Sweep
11:52 PM: Memory Sweep Complete, Elapsed Time: 00:02:24
11:52 PM: Starting Registry Sweep
11:52 PM: Found Adware: purityscan
11:52 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaticketsinstaller.ocx\ (2 subtraces) (ID = 137986)
11:52 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediaticketsinstaller.ocx (ID = 139077)
11:52 PM: Found Adware: ist yoursitebar
11:52 PM: HKLM\software\microsoft\code store database\distribution units\{42f2c9ba-614f-47c0-b3e3-ecfd34eed658}\ (8 subtraces) (ID = 147850)
11:52 PM: Found Adware: winad
11:52 PM: HKCR\mediagatewayx.installer\ (3 subtraces) (ID = 372857)
11:52 PM: HKCR\mediagatewayx.installer\clsid\ (1 subtraces) (ID = 372859)
11:52 PM: HKLM\software\classes\mediagatewayx.installer\ (3 subtraces) (ID = 398902)
11:52 PM: HKLM\software\classes\mediagatewayx.installer\clsid\ (1 subtraces) (ID = 398904)
11:52 PM: Found Adware: mirinda
11:52 PM: HKCR\clsid\{7a1693a1-afaf-4f1e-9b05-eec38a85fbf3}\ (4 subtraces) (ID = 501125)
11:52 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{7a1693a1-afaf-4f1e-9b05-eec38a85fbf3}\ (ID = 501141)
11:52 PM: HKCR\clsid\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8}\ (6 subtraces) (ID = 815132)
11:52 PM: HKLM\software\classes\clsid\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8}\ (6 subtraces) (ID = 815145)
11:52 PM: Found Adware: 180search assistant/zango
11:52 PM: HKLM\software\microsoft\code store database\distribution units\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8}\ (10 subtraces) (ID = 832871)
11:52 PM: Found Trojan Horse: trojan-downloader-moneymind
11:52 PM: HKU\S-1-5-21-1844237615-507921405-1343024091-1004\software\xjado\ (1 subtraces) (ID = 144725)
11:52 PM: Found Adware: lopdotcom
11:52 PM: HKU\S-1-5-18\software\microsoft\windows\currentversion\run\ || aida (ID = 130496)
11:52 PM: Registry Sweep Complete, Elapsed Time:00:00:17
11:52 PM: Starting Cookie Sweep
11:52 PM: Found Spy Cookie: 2o7.net cookie
11:52 PM: ashley@2o7[1].txt (ID = 1957)
11:52 PM: Found Spy Cookie: websponsors cookie
11:52 PM: ashley@a.websponsors[2].txt (ID = 3665)
11:52 PM: Found Spy Cookie: go.com cookie
11:52 PM: ashley@abc.go[1].txt (ID = 2729)
11:52 PM: Found Spy Cookie: yieldmanager cookie
11:52 PM: ashley@ad.yieldmanager[1].txt (ID = 3751)
11:52 PM: Found Spy Cookie: adknowledge cookie
11:52 PM: ashley@adknowledge[1].txt (ID = 2072)
11:52 PM: Found Spy Cookie: adlegend cookie
11:52 PM: ashley@adlegend[1].txt (ID = 2074)
11:52 PM: Found Spy Cookie: hbmediapro cookie
11:52 PM: ashley@adopt.hbmediapro[2].txt (ID = 2768)
11:52 PM: Found Spy Cookie: hotbar cookie
11:52 PM: ashley@adopt.hotbar[2].txt (ID = 4207)
11:52 PM: Found Spy Cookie: specificclick.com cookie
11:52 PM: ashley@adopt.specificclick[1].txt (ID = 3400)
11:52 PM: Found Spy Cookie: adrevolver cookie
11:52 PM: ashley@adrevolver[2].txt (ID = 2088)
11:52 PM: ashley@adrevolver[3].txt (ID = 2088)
11:52 PM: Found Spy Cookie: cc214142 cookie
11:52 PM: ashley@ads.cc214142[1].txt (ID = 2367)
11:52 PM: Found Spy Cookie: pointroll cookie
11:52 PM: ashley@ads.pointroll[1].txt (ID = 3148)
11:52 PM: Found Spy Cookie: advertising cookie
11:52 PM: ashley@advertising[1].txt (ID = 2175)
11:52 PM: Found Spy Cookie: ask cookie
11:52 PM: ashley@ask[2].txt (ID = 2245)
11:52 PM: Found Spy Cookie: atlas dmt cookie
11:52 PM: ashley@atdmt[2].txt (ID = 2253)
11:52 PM: Found Spy Cookie: atwola cookie
11:52 PM: ashley@atwola[1].txt (ID = 2255)
11:52 PM: Found Spy Cookie: azjmp cookie
11:52 PM: ashley@azjmp[2].txt (ID = 2270)
11:52 PM: Found Spy Cookie: banner cookie
11:52 PM: ashley@banner[1].txt (ID = 2276)
11:52 PM: Found Spy Cookie: belnk cookie
11:52 PM: ashley@belnk[1].txt (ID = 2292)
11:52 PM: Found Spy Cookie: burstnet cookie
11:52 PM: ashley@burstnet[2].txt (ID = 2336)
11:52 PM: Found Spy Cookie: casalemedia cookie
11:52 PM: ashley@casalemedia[2].txt (ID = 2354)
11:52 PM: Found Spy Cookie: centrport net cookie
11:52 PM: ashley@centrport[2].txt (ID = 2374)
11:52 PM: Found Spy Cookie: coremetrics cookie
11:52 PM: ashley@data.coremetrics[1].txt (ID = 2472)
11:52 PM: Found Spy Cookie: dealtime cookie
11:52 PM: ashley@dealtime[1].txt (ID = 2505)
11:52 PM: Found Spy Cookie: did-it cookie
11:52 PM: ashley@did-it[1].txt (ID = 2523)
11:52 PM: ashley@dist.belnk[2].txt (ID = 2293)
11:52 PM: Found Spy Cookie: ru4 cookie
11:52 PM: ashley@edge.ru4[2].txt (ID = 3269)
11:52 PM: ashley@efashionsolutions.122.2o7[1].txt (ID = 1958)
11:52 PM: Found Spy Cookie: empnads cookie
11:52 PM: ashley@empnads[1].txt (ID = 5012)
11:52 PM: Found Spy Cookie: fastclick cookie
11:52 PM: ashley@fastclick[2].txt (ID = 2651)
11:52 PM: ashley@go[2].txt (ID = 2728)
11:52 PM: Found Spy Cookie: clickandtrack cookie
11:52 PM: ashley@hits.clickandtrack[2].txt (ID = 2397)
11:52 PM: Found Spy Cookie: screensavers.com cookie
11:52 PM: ashley@i.screensavers[2].txt (ID = 3298)
11:52 PM: ashley@msnportal.112.2o7[1].txt (ID = 1958)
11:52 PM: Found Spy Cookie: overture cookie
11:52 PM: ashley@perf.overture[1].txt (ID = 3106)
11:52 PM: Found Spy Cookie: questionmarket cookie
11:52 PM: ashley@questionmarket[1].txt (ID = 3217)
11:52 PM: Found Spy Cookie: realmedia cookie
11:52 PM: ashley@realmedia[1].txt (ID = 3235)
11:52 PM: Found Spy Cookie: reunion cookie
11:52 PM: ashley@reunion[2].txt (ID = 3255)
11:52 PM: Found Spy Cookie: revenue.net cookie
11:52 PM: ashley@revenue[2].txt (ID = 3257)
11:52 PM: Found Spy Cookie: rn11 cookie
11:52 PM: ashley@rn11[2].txt (ID = 3261)
11:52 PM: ashley@rsi.abc.go[1].txt (ID = 2729)
11:52 PM: Found Spy Cookie: servedby advertising cookie
11:52 PM: ashley@servedby.advertising[1].txt (ID = 3335)
11:52 PM: Found Spy Cookie: server.iad.liveperson cookie
11:52 PM: ashley@server.iad.liveperson[2].txt (ID = 3341)
11:52 PM: Found Spy Cookie: serving-sys cookie
11:52 PM: ashley@serving-sys[1].txt (ID = 3343)
11:52 PM: Found Spy Cookie: starware.com cookie
11:52 PM: ashley@starware[2].txt (ID = 3441)
11:52 PM: ashley@stat.dealtime[2].txt (ID = 2506)
11:52 PM: Found Spy Cookie: tribalfusion cookie
11:52 PM: ashley@tribalfusion[1].txt (ID = 3589)
11:52 PM: Found Spy Cookie: burstbeacon cookie
11:52 PM: ashley@www.burstbeacon[1].txt (ID = 2335)
11:52 PM: ashley@www.screensavers[1].txt (ID = 3298)
11:52 PM: ashley@yieldmanager[1].txt (ID = 3749)
11:52 PM: Found Spy Cookie: adserver cookie
11:52 PM: ashley@z1.adserver[1].txt (ID = 2142)
11:52 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
11:52 PM: Starting File Sweep
12:07 AM: resb.tmp (ID = 157832)
12:08 AM: File Sweep Complete, Elapsed Time: 00:15:33
12:08 AM: Full Sweep has completed. Elapsed time 00:18:19
12:08 AM: Traces Found: 112
12:08 AM: Removal process initiated
12:08 AM: Quarantining All Traces: 180search assistant/zango
12:08 AM: Quarantining All Traces: lopdotcom
12:08 AM: Quarantining All Traces: purityscan
12:08 AM: Quarantining All Traces: trojan-downloader-moneymind
12:08 AM: Quarantining All Traces: ist yoursitebar
12:08 AM: Quarantining All Traces: mirinda
12:08 AM: Quarantining All Traces: winad
12:08 AM: Quarantining All Traces: 2o7.net cookie
12:08 AM: Quarantining All Traces: adknowledge cookie
12:08 AM: Quarantining All Traces: adlegend cookie
12:08 AM: Quarantining All Traces: adrevolver cookie
12:08 AM: Quarantining All Traces: adserver cookie
12:08 AM: Quarantining All Traces: advertising cookie
12:08 AM: Quarantining All Traces: ask cookie
12:08 AM: Quarantining All Traces: atlas dmt cookie
12:08 AM: Quarantining All Traces: atwola cookie
12:08 AM: Quarantining All Traces: azjmp cookie
12:08 AM: Quarantining All Traces: banner cookie
12:08 AM: Quarantining All Traces: belnk cookie
12:08 AM: Quarantining All Traces: burstbeacon cookie
12:08 AM: Quarantining All Traces: burstnet cookie
12:08 AM: Quarantining All Traces: casalemedia cookie
12:08 AM: Quarantining All Traces: cc214142 cookie
12:08 AM: Quarantining All Traces: centrport net cookie
12:08 AM: Quarantining All Traces: clickandtrack cookie
12:08 AM: Quarantining All Traces: coremetrics cookie
12:08 AM: Quarantining All Traces: dealtime cookie
12:08 AM: Quarantining All Traces: did-it cookie
12:08 AM: Quarantining All Traces: empnads cookie
12:08 AM: Quarantining All Traces: fastclick cookie
12:08 AM: Quarantining All Traces: go.com cookie
12:08 AM: Quarantining All Traces: hbmediapro cookie
12:08 AM: Quarantining All Traces: hotbar cookie
12:08 AM: Quarantining All Traces: overture cookie
12:08 AM: Quarantining All Traces: pointroll cookie
12:08 AM: Quarantining All Traces: questionmarket cookie
12:08 AM: Quarantining All Traces: realmedia cookie
12:08 AM: Quarantining All Traces: reunion cookie
12:08 AM: Quarantining All Traces: revenue.net cookie
12:08 AM: Quarantining All Traces: rn11 cookie
12:08 AM: Quarantining All Traces: ru4 cookie
12:08 AM: Quarantining All Traces: screensavers.com cookie
12:08 AM: Quarantining All Traces: servedby advertising cookie
12:08 AM: Quarantining All Traces: server.iad.liveperson cookie
12:08 AM: Quarantining All Traces: serving-sys cookie
12:08 AM: Quarantining All Traces: specificclick.com cookie
12:08 AM: Quarantining All Traces: starware.com cookie
12:08 AM: Quarantining All Traces: tribalfusion cookie
12:08 AM: Quarantining All Traces: websponsors cookie
12:08 AM: Quarantining All Traces: yieldmanager cookie
12:08 AM: Removal process completed. Elapsed time 00:00:09
********
11:42 PM: | Start of Session, Thursday, November 17, 2005 |
11:42 PM: Spy Sweeper started
11:48 PM: Your spyware definitions have been updated.
11:49 PM: | End of Session, Thursday, November 17, 2005 |
SpotCheckBilly
November 18th, 2005 05:00
Good work! May I have a fresh HijackThis log please? :smileyhappy:
George a.k.a. SpotCheckBilly
fabsgurl01
November 18th, 2005 13:00
Scan saved at 10:10:42 AM, on 11/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ashley\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [la]L C:\WINDOWS\System32\jijrucvyzrket.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129951241445
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130270535366
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: DynamicHost (DLHOST) - Unknown owner - C:\WINDOWS\dlhost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: Windows Produre Call (MSRPC) - Unknown owner - C:\WINDOWS\msrpc.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe
O23 - Service: System Manager Service (SMSC) - Unknown owner - C:\WINDOWS\smsc.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
SpotCheckBilly
November 18th, 2005 20:00
OK, here's the next step:
Go to www.trendmicro.com, then:
1. Click "Free Online Scan".
2. Click "Scan now, it's free".
Follow the screen prompts.
Save a copy of the report:
Click "Print the report", then copy/paste to a new Notepad file and save to a convenient location. Post results into the next reply if requested to do so.
Run HiJackThis and click "Scan", then check (tick) the following, if present:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll (file missing)
O23 - Service: DynamicHost (DLHOST) - Unknown owner - C:\WINDOWS\dlhost.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: Windows Produre Call (MSRPC) - Unknown owner - C:\WINDOWS\msrpc.exe (file missing)
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe
O23 - Service: System Manager Service (SMSC) - Unknown owner - C:\WINDOWS\smsc.exe (file missing)
With all windows closed except HiJackThis, click "Fix checked".
From "Safe Mode" (reboot if necessary), locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:
To show hidden files:
1. Click Start=> Control Panel=> Folder Options=> View tab.
2. Select "Show hidden files and folders".
3. Clear the check mark in "Hide protected operating system files"=> Yes to confirm.
4. Click Apply=> OK.
5. Close Control Panel.
files...
C:\WINDOWS\dlhost.exe
C:\WINDOWS\shost.exe
Note that some of these file(s) may not be present.
Post back a new log, along with the results of the online scan. :smileyhappy:
George a.k.a. SpotCheckBilly.
fabsgurl01
November 19th, 2005 19:00
Scan saved at 4:05:24 PM, on 11/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ashley\Desktop\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [la]L C:\WINDOWS\System32\jijrucvyzrket.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129951241445
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130270535366
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: DynamicHost (DLHOST) - Unknown owner - C:\WINDOWS\dlhost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: Windows Produre Call (MSRPC) - Unknown owner - C:\WINDOWS\msrpc.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe
O23 - Service: System Manager Service (SMSC) - Unknown owner - C:\WINDOWS\smsc.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
Results:
We have detected 17 infected file(s) with 17 virus(es) on your computer. Only 0 out of 0 infected files are displayed.
Detected File Associated Virus Name
C:\Documents and Settings\Ashley\Local Settings\Temp\15.tmp PE_BOBAX.AK-O
C:\Documents and Settings\Ashley\Local Settings\Temp\2.tmp PE_BOBAX.AK-O
C:\Documents and Settings\Ashley\Local Settings\Temp\3.tmp PE_BOBAX.AK-O
C:\Documents and Settings\Ashley\Local Settings\Temp\4.tmp PE_BOBAX.AK-O
C:\Documents and Settings\Ashley\Local Settings\Temp\atiupdate.exe Possible_Virus
C:\WINDOWS\system32\knixsydxvcyn.exe PE_BOBAX.AK-O
C:\WINDOWS\system32\lwvsu.exe PE_BOBAX.AK-O
C:\WINDOWS\system32\msshed32.exe Possible_Virus
C:\WINDOWS\system32\mvdjmjuwrjgzqm.exe PE_BOBAX.AK-O
C:\WINDOWS\system32\srpruxixfhmgbh.exe PE_BOBAX.AK-O
C:\WINDOWS\system32\twswntnu.exe PE_BOBAX.AK-O
C:\WINDOWS\system32\utztlqyhf.exe PE_BOBAX.AK-O
C:\WINDOWS\system32\ybapnqipo.exe PE_BOBAX.AK-O
C:\WINDOWS\Temp\6.tmp PE_BOBAX.AK-O
C:\WINDOWS\Temp\7.tmp PE_BOBAX.AK-O
C:\..a PE_BOBAX.AK-O
C:\crack.exe PE_BOBAX.AK-O
Trojan/Worm Check No worm/Trojan horse detected
What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your computer. Only 0 out of 0 Trojan horse programs and worms are displayed.
Trojan/Worm Name Trojan/Worm Type
Spyware Check 37 spyware programs detected
What we checked:
Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.
Results:
We have detected 37 spyware(s) on your computer. Only 0 out of 0 spywares are displayed.
Spyware Name Spyware Type
COOKIE_45 Cookie
COOKIE_169 Cookie
COOKIE_174 Cookie
COOKIE_222 Cookie
COOKIE_281 Cookie
COOKIE_346 Cookie
COOKIE_407 Cookie
COOKIE_650 Cookie
COOKIE_722 Cookie
COOKIE_763 Cookie
COOKIE_878 Cookie
COOKIE_1020 Cookie
COOKIE_1198 Cookie
COOKIE_1236 Cookie
COOKIE_1433 Cookie
COOKIE_1462 Cookie
COOKIE_1802 Cookie
COOKIE_2060 Cookie
COOKIE_2136 Cookie
COOKIE_2250 Cookie
COOKIE_2281 Cookie
COOKIE_2314 Cookie
COOKIE_2346 Cookie
COOKIE_2798 Cookie
COOKIE_2842 Cookie
COOKIE_2897 Cookie
COOKIE_3004 Cookie
COOKIE_3182 Cookie
COOKIE_3188 Cookie
COOKIE_3191 Cookie
COOKIE_3195 Cookie
COOKIE_3196 Cookie
COOKIE_3201 Cookie
COOKIE_6853 Cookie
COOKIE_3233 Cookie
COOKIE_3235 Cookie
COOKIE_3237 Cookie
SpotCheckBilly
November 19th, 2005 21:00
OK, we have some more work to do, but we are making good progress. :smileyhappy:
First, download CCleaner and install.
Configure and run as follows:
We need to temporarily disable Spy Sweeper because it may interfere with our fix.
To disable SpySweeper:
- Open Spy Sweeper.
- Click Options to the left.
- Click Program Options .
- Uncheck "load at windows startup".
- On the left click "shields".
- Uncheck all there.
- Uncheck "home page shield".
- Uncheck "automatically restore default without notification".
- Exit Spy Sweeper.
Once ALL of the fixes are complete, don't forget to re-enable Spy Sweeper.
--->Important Step<---
Before we get started, HijackThis needs to be moved to its own, permanent folder.
HijackThis will create a backup file to use if a restore is necessary, so please DO NOT run HijackThis from a temporary location or your desktop.
Create a folder on the root drive, (Usually C:\), called C:\HJT.
1. Go to "My Computer" (Windows key+E), or double-click the "My Computer" icon on your desktop.
2. Double click on "C:"
3. Right click and select New->Folder. Name it HJT. Move HijackThis to this new folder.
Also move the "Backups" folder, for HiJackThis, if present.
Now let's boot into Safe Mode.
Run HiJackThis and click "Scan", then check (tick) the following, if present:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
O4 - HKLM\..\Run: [la]L C:\WINDOWS\System32\jijrucvyzrket.exe
O23 - Service: DynamicHost (DLHOST) - Unknown owner - C:\WINDOWS\dlhost.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: Windows Produre Call (MSRPC) - Unknown owner - C:\WINDOWS\msrpc.exe (file missing)
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe
O23 - Service: System Manager Service (SMSC) - Unknown owner - C:\WINDOWS\smsc.exe (file missing)
With all windows closed except HiJackThis, click "Fix checked".
From "Safe Mode" (reboot if necessary), locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:
To show hidden files:
1. Click Start=> Control Panel=> Folder Options=> View tab.
2. Select "Show hidden files and folders".
3. Clear the check mark in "Hide protected operating system files"=> Yes to confirm.
4. Click Apply=> OK.
5. Close Control Panel.
files...
C:\..a
C:\crack.exe
C:\WINDOWS\dlhost.exe
C:\WINDOWS\shost.exe
C:\WINDOWS\System32\jijrucvyzrket.exe
C:\WINDOWS\system32\knixsydxvcyn.exe
C:\WINDOWS\system32\lwvsu.exe
C:\WINDOWS\system32\msshed32.exe
C:\WINDOWS\system32\mvdjmjuwrjgzqm.exe
C:\WINDOWS\system32\srpruxixfhmgbh.exe
C:\WINDOWS\system32\twswntnu.exe
C:\WINDOWS\system32\utztlqyhf.exe
C:\WINDOWS\system32\ybapnqipo.exe
Note that some of these file(s) may not be present.
Post back a new log, and we'll go from there. :smileyvery-happy:
George a.k.a. SpotCheckBilly.
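The 11/18 and 11/19 replies above pick the same kinds of HijackThis entries out of the log by eye: O2 BHOs and O3 toolbars whose DLL is gone, an O4 Run entry pointing at a random-looking name in System32, and O23 services listed as "Unknown owner" that either run straight out of C:\WINDOWS (where no legitimate lsass.exe or service host lives; the real ones are in System32) or whose binary is already missing. The script below is an added example, not code from this thread or from HijackThis itself; it encodes those rules of thumb as a triage filter and runs them over a constructed sample of lines modelled on the 11/18 log. The cut-offs in looks_random (8 or more letters, under 30% vowels), the assumed C:\WINDOWS SystemRoot, and the rule that an unknown-owner service image sitting directly in the Windows root is suspect are the author's assumptions; the output is a list of entries to review, not a verdict.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section name path reason")

# Constructed sample, modelled on a handful of lines from the 11/18 log (not the full log).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [la]L C:\WINDOWS\System32\jijrucvyzrket.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DynamicHost (DLHOST) - Unknown owner - C:\WINDOWS\dlhost.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe
"""

CLSID = r"\{[0-9A-Fa-f-]+\}"
RE_O2 = re.compile(r"^O2 - BHO: (.*?) - " + CLSID + r" - (.*)$")
RE_O3 = re.compile(r"^O3 - Toolbar: (.*?) - " + CLSID + r" - (.*)$")
RE_O4 = re.compile(r"^O4 - (.*?): \[(.*?)\](.*)$")
RE_O23 = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")

WINDIR = r"c:\windows"  # assumption: default XP SystemRoot, as in the logs above
SYSTEM32 = (WINDIR + r"\system32", r"%systemroot%\system32")
VOWELS = set("aeiou")


def parent_dir(path):
    """Lower-cased directory part; tolerates HJT's trailing ' (file missing)'."""
    return path.lower().rpartition("\\")[0]


def basename(path):
    """File name only, with any trailing annotation or arguments cut off."""
    return path.rpartition("\\")[2].split(" ")[0]


def extract_path(rest):
    """Executable path from an O4 value: a quoted path, else the first drive/%var% token."""
    m = re.search(r'"([^"]+)"', rest)
    if m:
        return m.group(1)
    m = re.search(r"(?:[A-Za-z]:|%\w+%)\\\S+", rest)
    return m.group(0) if m else rest.strip()


def looks_random(filename):
    """Heuristic (assumption): 8+ letters with under 30% vowels reads like a generated name."""
    stem = filename.lower().rsplit(".", 1)[0]
    if len(stem) < 8 or not stem.isalpha():
        return False
    return sum(c in VOWELS for c in stem) / len(stem) < 0.3


def triage(log_text):
    """Return the HJT lines a reviewer would want to look at, with the rule that fired."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        m = RE_O2.match(line)
        if m:
            if m.group(2).strip() == "(no file)":
                findings.append(Finding("O2", m.group(1), m.group(2), "BHO registered but its DLL is gone"))
            continue
        m = RE_O3.match(line)
        if m:
            if m.group(2).endswith("(file missing)"):
                findings.append(Finding("O3", m.group(1), m.group(2), "toolbar DLL missing, orphaned registration"))
            continue
        m = RE_O4.match(line)
        if m:
            path = extract_path(m.group(3))
            in_windows = parent_dir(path) in SYSTEM32 or parent_dir(path) == WINDIR
            if in_windows and looks_random(basename(path)):
                findings.append(Finding("O4", m.group(2), path, "autorun in Windows dir with random-looking name"))
            continue
        m = RE_O23.match(line)
        if m:
            name, owner, path = m.groups()
            if owner == "Unknown owner" and path.endswith("(file missing)"):
                findings.append(Finding("O23", name, path, "unknown-owner service whose binary is gone"))
            elif owner == "Unknown owner" and parent_dir(path) == WINDIR:
                findings.append(Finding("O23", name, path, "unknown-owner service running from the Windows root"))
    return findings


if __name__ == "__main__":
    import sys
    # Pass a saved hijackthis.log as the first argument to triage a real log instead of the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in triage(text):
        print(f"{f.section:<4} {f.name:<52} {f.reason}")
```

On the sample it returns six findings, the same O2, O3, O4 and three of the O23 entries the helper ticked, while leaving the Ati2evxx.exe service (unknown owner, but in System32) and the benign KernelFaultCheck entry alone. The name heuristic is deliberately narrow: a vendor driver with a terse name under Program Files (such as the Dell dlbtbmgr.exe in the log) is not flagged because it is not in the Windows directory, and anything it does flag still needs a look at the file itself before deletion.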
fabsgurl01
November 21st, 2005 05:00
fabsgurl01
November 21st, 2005 19:00
Scan saved at 4:13:27 PM, on 11/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Ashley\Desktop\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) - http://zone.msn.com/bingame/pacz/default/pandaonline.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129951241445
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130270535366
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: DynamicHost (DLHOST) - Unknown owner - C:\WINDOWS\dlhost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: Windows Produre Call (MSRPC) - Unknown owner - C:\WINDOWS\msrpc.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe
O23 - Service: System Manager Service (SMSC) - Unknown owner - C:\WINDOWS\smsc.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
SpotCheckBilly
932 Posts
0
November 21st, 2005 20:00
OK, now let's see if we can get rid of the remaining tests:
Download Pocket Killbox and unzip it; save it to your Desktop.
DO NOT RUN IT YET.
Now we can delete those files.
C:\WINDOWS\dlhost.exe
C:\WINDOWS\lsass.exe
C:\WINDOWS\msrpc.exe
C:\WINDOWS\shost.exe
C:\WINDOWS\smsc.exe
Allow the system to reboot into normal mode.
Run HiJackThis and click "Scan", then check (tick) the following, if present:
O23 - Service: DynamicHost (DLHOST) - Unknown owner - C:\WINDOWS\dlhost.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: Windows Produre Call (MSRPC) - Unknown owner - C:\WINDOWS\msrpc.exe (file missing)
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe
O23 - Service: System Manager Service (SMSC) - Unknown owner - C:\WINDOWS\smsc.exe (file missing)
With all windows closed except HiJackThis, click "Fix checked".
Post back a new log, done in "Normal Mode" and we'll take it from there. :smileyhappy:
George a.k.a. SpotCheckBilly.
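The post above singles out five O23 entries that share three traits: the service binary is reported "(file missing)", it sits directly in C:\WINDOWS rather than in System32 or Program Files, or it borrows the name of a core Windows component (lsass.exe) while living outside System32. As an added example that is not part of this thread or of HijackThis itself, the following Python script applies those same three checks to O23 lines so the triage can be repeated on any log. The sample lines are copied from the log posted above; the heuristics and the list of core binaries are assumptions of this example, not HijackThis's own logic.

```python
"""Triage O23 (service) entries from a HijackThis log.

Added example for the thread above; not HijackThis code. The three checks
encode what the helper acted on: (1) the service's file is missing, (2) a core
Windows binary name appears outside System32, (3) an "Unknown owner" binary is
placed directly in the Windows directory. Assumptions are marked as such.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: binaries that Windows XP itself only runs from %SystemRoot%\System32.
CORE_SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe",
}
# Assumption: Windows directories a legitimate service binary would not sit in directly.
WINDOWS_ROOTS = {"c:\\windows", "c:\\winnt"}

# "O23 - Service: <display (short)> - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# Splits "Display Name (shortname)" into its two parts; the short name is optional.
SHORT_RE = re.compile(r"^(?P<display>.*?)(?: \((?P<short>[^()]+)\))?$")


@dataclass
class ServiceEntry:
    short_name: str
    display_name: str
    owner: str
    path: str
    file_missing: bool


def parse_o23(line: str) -> Optional[ServiceEntry]:
    """Parse one O23 line; return None for any other log line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    d = SHORT_RE.match(m["display"])
    short = d["short"] or d["display"]
    return ServiceEntry(short, d["display"], m["owner"], m["path"],
                        m["missing"] is not None)


def triage(entry: ServiceEntry) -> List[str]:
    """Return the reasons (possibly none) why this service deserves a closer look."""
    reasons = []
    directory = ntpath.dirname(entry.path).lower()
    name = ntpath.basename(entry.path).lower()
    if entry.file_missing:
        reasons.append("service points at a binary that no longer exists")
    if name in CORE_SYSTEM_BINARIES and not directory.endswith("\\system32"):
        reasons.append("core Windows binary name used outside System32")
    if entry.owner == "Unknown owner" and directory.rstrip("\\") in WINDOWS_ROOTS:
        reasons.append("no company name in version info and placed directly in the Windows directory")
    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map short service name -> reasons, for every flagged O23 entry in the log."""
    findings: Dict[str, List[str]] = {}
    for line in text.splitlines():
        entry = parse_o23(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            findings[entry.short_name] = reasons
    return findings


# Sample input: O23 lines copied from the log posted in the thread above.
SAMPLE_LOG = r"""
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: DynamicHost (DLHOST) - Unknown owner - C:\WINDOWS\dlhost.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: Windows Produre Call (MSRPC) - Unknown owner - C:\WINDOWS\msrpc.exe (file missing)
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe
O23 - Service: System Manager Service (SMSC) - Unknown owner - C:\WINDOWS\smsc.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
"""

if __name__ == "__main__":
    for short, reasons in triage_log(SAMPLE_LOG).items():
        print(f"{short}: " + "; ".join(reasons))
```

Run against the sample, the script flags exactly the five services the helper asked to fix (DLHOST, lsass, MSRPC, ServiceHost, SMSC) and leaves the Symantec, Apple, Webroot and ATI entries alone. Note that "Unknown owner" by itself is not treated as suspicious: the ATI poller carries no company name yet lives in System32, which is why the check is combined with the binary's location.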
fabsgurl01
25 Posts
0
November 21st, 2005 21:00