Sweepstakes.com Browser Hijack[INACTIVE]


Recommended Posts

I am also having a problem where Internet Explorer is loading the website "sweepstakes.com" instead of the desired site. I have run Adware SE Personal and Spybot with no success. I have run HiJack This and the log is shown below. I appreciate any help.

Logfile of HijackThis v1.97.7

Scan saved at 12:20:09 PM, on 2/19/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\mgabg.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\system32\RioMSC.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\System32\Fast.exe

C:\WINDOWS\Explorer.EXE

C:\windows\system\hpsysdrv.exe

C:\HP\KBD\KBD.EXE

C:\WINDOWS\System32\PDesk\PDesk.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\System32\taskswitch.exe

C:\WINDOWS\System32\fast.exe

C:\SCANJET\PrecisionScanPro\HPLamp.exe

C:\Program Files\KFH\cl\launcher.exe

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\program files\common files\system\mplay64.exe

C:\program files\common files\system\ms2src.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\devldr32.exe

C:\SCANJET\PrecisionScanPro\hpscnsvr.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe

C:\WINDOWS\system32\ntvdm.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\DOCUME~1\Dave2\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

C:\Program Files\Microsoft Office\Office10\WINWORD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe

O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch

O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe

O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe

O4 - HKLM\..\Run: [Launcher] "C:\Program Files\KFH\cl\launcher.exe" /P

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe

O4 - HKLM\..\Run: [Windows Taskbar Manager] c:\documents and settings\all users\start menu\programs\startup\service.exe.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [MPlay64] c:\program files\common files\system\mplay64.exe /noerrorinfo

O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe

O4 - HKLM\..\Run: [ms2src] c:\program files\common files\system\ms2src.exe /install

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: APC UPS Status.lnk = ?

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKEN2004\bagent.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000

O9 - Extra button: Yahoo! Services (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

O16 - DPF: {4B48D5DF-9021-45F7-A240-60304302A215} (Malicious Software Removal Tool) - http://download.microsoft.com/download/b/d.../WebCleaner.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...swflash5r42.cab

Link to post
Share on other sites

Hi,

You are using an outdated version of HijackThis.

Please download HijackThis version 1.99.1 from here:

http://besttechie.net/tools/HijackThis.exe make sure to unzip it to a permanent folder.

Then please run HijackThis, click Scan and Save log, and post the new log here. Most of what HijackThis lists is harmless or essential to the system, so please to not make any manual changes.

Danny :thumbsup:

Link to post
Share on other sites

Logfile of HijackThis v1.99.1

Scan saved at 11:03:39 AM, on 2/26/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\mgabg.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\system32\RioMSC.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\System32\Fast.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\Explorer.EXE

C:\windows\system\hpsysdrv.exe

C:\HP\KBD\KBD.EXE

C:\WINDOWS\System32\PDesk\PDesk.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\System32\taskswitch.exe

C:\WINDOWS\System32\fast.exe

C:\Program Files\KFH\cl\launcher.exe

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\program files\common files\system\mplay64.exe

C:\program files\common files\system\ms2src.exe

C:\SCANJET\PrecisionScanPro\HPLamp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\SCANJET\PrecisionScanPro\hpscnsvr.exe

C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Microsoft Office\Office10\WINWORD.EXE

C:\Program Files\Messenger\msmsgs.exe

C:\Installation Files\Spy Ware\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe

O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch

O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe

O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe

O4 - HKLM\..\Run: [Launcher] "C:\Program Files\KFH\cl\launcher.exe" /P

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe

O4 - HKLM\..\Run: [Windows Taskbar Manager] c:\documents and settings\all users\start menu\programs\startup\service.exe.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [MPlay64] c:\program files\common files\system\mplay64.exe /noerrorinfo

O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe

O4 - HKLM\..\Run: [ms2src] c:\program files\common files\system\ms2src.exe /install

O4 - HKLM\..\Run: [HP Lamp] C:\SCANJET\PrecisionScanPro\HPLamp.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: APC UPS Status.lnk = ?

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKEN2004\bagent.exe

O4 - Global Startup: Share Scanner.lnk = C:\SCANJET\PrecisionScanPro\hpscnsvr.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\System32\mgabg.exe

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Link to post
Share on other sites
  • 2 weeks later...

Hi Heydc, I will be taking over for Danny as he will be out for a few days. Sorry for the delay.

Since it has been a while since your last post, lets run a few things.

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please download ewido anti-malware it is a free version of the program.

  1. Install ewido anti-malware
  2. When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu

[*]Launch ewido, there should be an icon on your desktop, double-click it.

[*]The program will now open to the main screen.

[*]When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

[*]You will need to update ewido to the latest definition files.

  • On the left hand side of the main screen click update.
  • Then click on Start Update.

[*]The update will start and a progress bar will show the updates being installed.

(the status bar at the bottom will display ("Update successful")

If you are having problems with the updater, you can use this link to manually update ewido.

ewido manual updates

Once the updates are installed do the following:

  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.

Close ewido anti-malware.

Now, please reply back with the Ewido Report, and a new HJT log.

Matt

Link to post
Share on other sites
  • 2 weeks later...

Here are the two scans. thanks for your help!!

==================================================================

ewido anti-malware - Scan report

---------------------------------------------------------

+ Created on: 11:21:53 PM, 3/20/2006

+ Report-Checksum: B8A1A4F4

+ Scan result:

:mozilla.57:C:\Documents and Settings\Aaron.COMPUTER-1-DEN\Application Data\Mozilla\Firefox\Profiles\6e2yg9k8.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup

:mozilla.58:C:\Documents and Settings\Aaron.COMPUTER-1-DEN\Application Data\Mozilla\Firefox\Profiles\6e2yg9k8.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup

:mozilla.59:C:\Documents and Settings\Aaron.COMPUTER-1-DEN\Application Data\Mozilla\Firefox\Profiles\6e2yg9k8.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup

C:\Documents and Settings\Aaron.COMPUTER-1-DEN\Cookies\aaron@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup

C:\Documents and Settings\Aaron.COMPUTER-1-DEN\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup

C:\Documents and Settings\Aaron.COMPUTER-1-DEN\Cookies\[email protected][2].txt -> TrackingCookie.Pointroll : Cleaned with backup

C:\Documents and Settings\Aaron.COMPUTER-1-DEN\Cookies\aaron@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup

C:\Documents and Settings\Aaron.COMPUTER-1-DEN\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup

C:\Documents and Settings\Aaron.COMPUTER-1-DEN\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup

C:\Documents and Settings\Aaron.COMPUTER-1-DEN\Cookies\aaron@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup

C:\Documents and Settings\Amy\Cookies\amy@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup

C:\Documents and Settings\Amy\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned with backup

C:\Documents and Settings\Amy\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup

C:\Documents and Settings\Amy\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup

C:\Documents and Settings\Amy\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned with backup

C:\Documents and Settings\Amy\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup

C:\Documents and Settings\Amy\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup

C:\Documents and Settings\Amy\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup

C:\Documents and Settings\Amy\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup

C:\Documents and Settings\Amy\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup

C:\Documents and Settings\Amy\Cookies\[email protected][1].txt -> TrackingCookie.Ru4 : Cleaned with backup

C:\Documents and Settings\Amy\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup

C:\Documents and Settings\Amy\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned with backup

C:\Documents and Settings\Amy\Cookies\amy@starware[2].txt -> TrackingCookie.Starware : Cleaned with backup

C:\Documents and Settings\Amy\Cookies\amy@webstat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup

C:\Documents and Settings\Amy\Cookies\[email protected][2].txt -> TrackingCookie.Web-stat : Cleaned with backup

C:\Documents and Settings\Amy\Local Settings\Temporary Internet Files\Content.IE5\K9EVWHUN\mplay64[1].exe -> Downloader.Agent.wp : Cleaned with backup

C:\Documents and Settings\Dave2\Local Settings\Temp\lf_BDC.tmp -> Downloader.Agent.wp : Cleaned with backup

C:\Program Files\Common Files\System\mplay64.exe -> Downloader.Agent.wp : Cleaned with backup

C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1457\A0310269.exe -> Downloader.Agent.wp : Cleaned with backup

C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1494\A0314919.exe -> Downloader.Agent.wp : Cleaned with backup

C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1500\A0315007.exe -> Downloader.Agent.wp : Cleaned with backup

::Report End

===================================================================

Logfile of HijackThis v1.99.1

Scan saved at 11:23:00 PM, on 3/20/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\mgabg.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\system32\RioMSC.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\System32\Fast.exe

C:\windows\system\hpsysdrv.exe

C:\HP\KBD\KBD.EXE

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\System32\PDesk\PDesk.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\System32\taskswitch.exe

C:\WINDOWS\System32\fast.exe

C:\Program Files\KFH\cl\launcher.exe

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\program files\common files\system\ms2src.exe

C:\SCANJET\PrecisionScanPro\HPLamp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe

C:\SCANJET\PrecisionScanPro\hpscnsvr.exe

C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE

C:\program files\common files\system\mplay64.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Installation Files\Spy Ware\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe

O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch

O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe

O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe

O4 - HKLM\..\Run: [Launcher] "C:\Program Files\KFH\cl\launcher.exe" /P

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe

O4 - HKLM\..\Run: [Windows Taskbar Manager] c:\documents and settings\all users\start menu\programs\startup\service.exe.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [MPlay64] c:\program files\common files\system\mplay64.exe /noerrorinfo

O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe

O4 - HKLM\..\Run: [ms2src] c:\program files\common files\system\ms2src.exe /install

O4 - HKLM\..\Run: [HP Lamp] C:\SCANJET\PrecisionScanPro\HPLamp.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: APC UPS Status.lnk = ?

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKEN2004\bagent.exe

O4 - Global Startup: Share Scanner.lnk = C:\SCANJET\PrecisionScanPro\hpscnsvr.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\System32\mgabg.exe

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Link to post
Share on other sites

Welcome back!

Please scan with HJT and place a check next to the following items:

O4 - HKLM\..\Run: [Launcher] "C:\Program Files\KFH\cl\launcher.exe" /P

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [Windows Taskbar Manager] c:\documents and settings\all users\start menu\programs\startup\service.exe.exe

O4 - HKLM\..\Run: [MPlay64] c:\program files\common files\system\mplay64.exe /noerrorinfo

O4 - HKLM\..\Run: [ms2src] c:\program files\common files\system\ms2src.exe /install

Then make sure all other applications and browser windows are closed, and click the Fix Checked button.

Boot into Safe Mode:

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Once in safe mode, find and delete the following files:

c:\documents and settings\all users\start menu\programs\startup\service.exe.exe

c:\program files\common files\system\mplay64.exe

c:\program files\common files\system\ms2src.exe

And find and delete the following folders:

C:\Program Files\KFH\cl\

C:\Program Files\Viewpoint\

Finally, reboot your computer normally, rescan with HJT and post a new log.

Link to post
Share on other sites
  • 3 weeks later...
Guest
This topic is now closed to further replies.