Help On Hijacklog Pls! Systray Icon[RESOLVED]



Hi, please help me to remove my spyware. I downloaded a program and after that I started to see an icon in my system tray: the icon has the Windows help icon logo flashing with a stop sign. Help please.

I already tried Norton Anti-virus and 5 different spyware remover programs, but the problem still exists. When I open IE, it goes to a different homepage. Also, a message appears right above the system tray icon telling me I need their spyware remover 'antimalware', then it goes to this page hxxp://www.spywarequake.com/?aff=252

Link Edited to make "Non-Clickable" JWB

Logfile of HijackThis v1.99.1

Scan saved at 9:10:19 PM, on 6/22/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\pctspk.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\QUICKENW\QAGENT.EXE

C:\Program Files\USB Flash Disk Utility\UFD Utility\UFDMon.exe

C:\Program Files\USB Flash Disk Utility\UFD Utility\USBTD.exe

C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\WINDOWS\system32\mrtMngr.EXE

C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe

C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe

C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

C:\PROGRA~1\SlimQ\Fahid.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Virtual Account Numbers\CitiUCS.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\WINDOWS\tsnp2std.exe

C:\WINDOWS\vsnp2std.exe

C:\WINDOWS\system32\c329b8f7.exe

C:\Program Files\Yahoo!\Messenger\ypager.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

C:\Program Files\palmOne\Hotsync.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\TEMP\win302.tmp.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\TEMP\win307.tmp.exe

C:\Documents and Settings\CoCo\Local Settings\Temp\HijackThis.exe

O1 - Hosts: 199.182.179.252 batman

O1 - Hosts: 199.182.179.122 pochacco

O1 - Hosts: 199.182.179.253 spiderman

O1 - Hosts: 199.182.179.242 superman

O1 - Hosts: 199.182.179.247 pita

O1 - Hosts: 199.182.179.240 zorro

O1 - Hosts: 199.182.179.250 pokemon

O1 - Hosts: 199.182.179.251 hercules

O1 - Hosts: 199.182.179.249 zeus

O1 - Hosts: 199.182.179.210 borman

O1 - Hosts: 199.182.179.241 scoobydoo

O1 - Hosts: 199.182.179.199 gateway

O1 - Hosts: 199.182.179.11 galaxy

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE

O4 - HKLM\..\Run: [uFD Monitor] C:\Program Files\USB Flash Disk Utility\UFD Utility\UFDMon.exe

O4 - HKLM\..\Run: [uFD Utility] C:\Program Files\USB Flash Disk Utility\UFD Utility\USBTD.exe

O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [iPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l

O4 - HKLM\..\Run: [iPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe

O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

O4 - HKLM\..\Run: [FAhid] C:\PROGRA~1\SlimQ\Fahid.exe

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [CitiUCS] C:\Program Files\Virtual Account Numbers\CitiUCS.exe /dontopenmycards

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe

O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe

O4 - HKLM\..\Run: [c329b8f7.exe] C:\WINDOWS\system32\c329b8f7.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

O4 - HKCU\..\Run: [c329b8f7.exe] C:\Documents and Settings\CoCo\Local Settings\Application Data\c329b8f7.exe

O4 - HKCU\..\Run: [Luoqhya] C:\WINDOWS\SYSTEM32\SSEMBL~1\mmc.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Microsoft® JavaScript® Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx

O9 - Extra 'Tools' menuitem: JavaScript Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx

O9 - Extra button: UCS - {4C730923-3961-439b-83D5-F4E445520422} - C:\Program Files\Virtual Account Numbers\CitiUCS.exe

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - C:\WINDOWS\System32\HPCMDTY.DLL (file missing) (HKCU)

O9 - Extra button: Microsoft® JavaScript® Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)

O9 - Extra 'Tools' menuitem: JavaScript Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)

O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab

O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/DVInstaller.exe

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll

O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggerne...oaderSigned.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O19 - User stylesheet: (file missing)

O20 - AppInit_DLLs: C:\WINDOWS\system32\chkdsk.dll

O23 - Service: Apache2Triad Apache2 Service (Apache2) - Unknown owner - c:\apache2\bin\apache.exe" -n Apache2 -k runservice (file missing)

O23 - Service: Apache2Triad Apache2 Service with SSL (Apache2(SSL)) - Unknown owner - c:\apache2\bin\apache.exe" -n Apache2(SSL) -k runservice -D SSL (file missing)

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Apache2Triad MySql Service (MySql) - Unknown owner - C:/apache2/mysql/bin/mysqld.exe

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE

O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: Apache2Triad SlimFTPd Server (SlimFTPd) - Unknown owner - C:\apache2\mail\bin\XMail.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Edited by jwbirdsong
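The log above is the kind of HijackThis output a helper reads by hand: O1 hosts overrides, O4 autostarts, an O20 AppInit_DLLs entry, and processes running from TEMP. The script below is an added example, not part of this thread or of HijackThis; it parses the log format into (section, body) entries and applies a few triage heuristics of my own (random hex filenames, autostarts in temp or per-user data folders, system binary names outside system32, any hosts or AppInit_DLLs entry). The sample log is constructed from entries quoted in the post; the heuristics are a starting point for review, not a verdict.

```python
"""Triage a HijackThis 1.99.1 log for the entry types discussed in this thread.

Added example, not part of the forum post or of HijackThis. The heuristics are
the example author's own; the sample log is constructed from entries in the thread.
"""
import re
from dataclasses import dataclass

# Constructed sample in HijackThis log format (lines taken from the thread's log)
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\c329b8f7.exe
C:\WINDOWS\TEMP\win302.tmp.exe
O1 - Hosts: 199.182.179.252 batman
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [c329b8f7.exe] C:\WINDOWS\system32\c329b8f7.exe
O4 - HKCU\..\Run: [c329b8f7.exe] C:\Documents and Settings\CoCo\Local Settings\Application Data\c329b8f7.exe
O4 - HKCU\..\Run: [Luoqhya] C:\WINDOWS\SYSTEM32\SSEMBL~1\mmc.exe
O4 - HKCU\..\Run: [Dfoat] C:\Documents and Settings\CoCo\My Documents\?racle\services.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\chkdsk.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

ENTRY = re.compile(r"^(O\d+) - (.*)$")                       # "O4 - HKLM\..\Run: ..."
WIN_PATH = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx))', re.I)
HEX_NAME = re.compile(r"^[0-9a-f]{8}\.(?:exe|dll)$", re.I)   # e.g. c329b8f7.exe
TEMP_DIRS = re.compile(r"\\(?:TEMP|Local Settings\\Temp|Local Settings\\Application Data)\\", re.I)
SYSTEM32 = re.compile(r"^[A-Za-z]:\\WINDOWS\\system32\\[^\\]+$", re.I)
# Names of Windows binaries that droppers borrow; legitimate only directly under system32
SYSTEM_NAMES = {"mmc.exe", "services.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "wuauclt.exe"}


@dataclass
class Finding:
    section: str   # HJT section tag (O1, O4, O20, ...) or PROC for a running process
    path: str
    reason: str


def split_entries(text):
    """Return (section, body) pairs; running-process lines get the pseudo-section PROC."""
    entries, in_procs = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line.startswith("Running processes:"):
            in_procs = True
        elif in_procs:
            entries.append(("PROC", line))
    return entries


def extract_path(body):
    """Pull the first drive-letter path out of an entry body (quotes and arguments dropped)."""
    m = WIN_PATH.search(body)
    return m.group(1) if m else body


def triage(text):
    """Apply the heuristics to every entry and return the items worth a human look."""
    findings = []
    for section, body in split_entries(text):
        if section == "O1":
            findings.append(Finding(section, body, "hosts-file override: name resolves without DNS"))
        elif section == "O20":
            findings.append(Finding(section, extract_path(body),
                                    "AppInit_DLLs: DLL is loaded into every process that uses user32.dll"))
        elif section in ("O4", "O23", "PROC"):
            path = extract_path(body)
            name = path.rsplit("\\", 1)[-1].lower()
            if HEX_NAME.match(name):
                findings.append(Finding(section, path, "random hex filename"))
            elif TEMP_DIRS.search(path):
                findings.append(Finding(section, path, "runs from a temp or per-user data folder"))
            elif name in SYSTEM_NAMES and not SYSTEM32.match(path):
                findings.append(Finding(section, path, "system binary name outside %SystemRoot%\\system32"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<5} {f.reason:<60} {f.path}")
```

Run against the sample it flags the two hex-named autostarts, the TEMP process, the hosts entry, mmc.exe and services.exe in non-system folders and the AppInit_DLLs value, while leaving the Symantec entries and the real svchost.exe alone. The 8.3 short path (SSEMBL~1) is the signal a helper reads as "something is hiding next to a trusted name"; the script catches it only because mmc.exe is not directly under system32.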

Hi and welcome to Besttechie! I will be assisting you!

Please print out all directions given, for use if/when you cannot access this page.

Please download SmitfraudFix (by S!Ri)

Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd

Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).

Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

http://www.beyondlogic.org/consulting/proc...processutil.htm


You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd

Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply, along with a new HJT log.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.


Welcome back! We've got more work to do.

Jotti File Submission:

  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
    • C:\WINDOWS\tsnp2std.exe
  • Click on the submit button
  • Please post the results in your next reply.

Repeat the previous steps for the following files:

  • C:\WINDOWS\vsnp2std.exe
  • C:\WINDOWS\system32\c329b8f7.exe
  • C:\WINDOWS\system32\9ea5b5e7.exe
  • C:\WINDOWS\system32\comdlg32.ocx
  • C:\WINDOWS\system32\notepad.dll

Please scan with HJT and place a check next to the following items:

O1 - Hosts: 199.182.179.252 batman

O1 - Hosts: 199.182.179.122 pochacco

O1 - Hosts: 199.182.179.253 spiderman

O1 - Hosts: 199.182.179.242 superman

O1 - Hosts: 199.182.179.247 pita

O1 - Hosts: 199.182.179.240 zorro

O1 - Hosts: 199.182.179.250 pokemon

O1 - Hosts: 199.182.179.251 hercules

O1 - Hosts: 199.182.179.249 zeus

O1 - Hosts: 199.182.179.210 borman

O1 - Hosts: 199.182.179.241 scoobydoo

O1 - Hosts: 199.182.179.199 gateway

O1 - Hosts: 199.182.179.11 galaxy

O4 - HKCU\..\Run: [Luoqhya] C:\WINDOWS\SYSTEM32\SSEMBL~1\mmc.exe

O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\SKS~1\wuaclt.exe" -vt yazr

O4 - HKCU\..\Run: [Dfoat] C:\Documents and Settings\CoCo\My Documents\?racle\services.exe

O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggerne...oaderSigned.cab

O19 - User stylesheet: (file missing)

Then, make sure all browser windows and other applications are closed, and click the Fix Checked button.

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.

  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\SYSTEM32\SSEMBL~1\mmc.exe
    C:\PROGRA~1\SKS~1\wuaclt.exe

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Next, navigate to C:\Documents and Settings\CoCo\My Documents\ and look for a folder named ?racle. Note: the "?" will be replaced by a random character. To make sure you have the correct folder, open it up and look for a file named services.exe. Once you are sure you have found the correct folder, go back and delete the ?racle folder. If you have any doubt whether or not you have found the correct folder, post back and don't do anything.

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

First download ewido anti-spyware from HERE and save that file to your desktop.

This is a 30 day trial of the program

  1. Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the setup program.
  2. Once the setup is complete you will need to run ewido and update the definition files.
  3. On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
  4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  6. Under "Reports":
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"

Close ewido anti-spyware. Do Not run a scan just yet; we will shortly.

  1. Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit Enter.
    IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process.
  2. Launch ewido anti-spyware by double-clicking the icon on your desktop.
  3. Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
  4. ewido will now begin the scanning process; be patient, this may take a little time.
    Once the scan is complete do the following:
  5. If you have any infections you will be prompted; then select "Apply all actions".
  6. Next select the "Reports" icon at the top.
  7. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  8. Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan.

Finally, post back with ALL 6 Jotti Scan Results, the Ewido Report, and a new HJT log.

Matt



    [*]Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Next, Navigate to C:\Documents and Settings\CoCo\My Documents\ and loog for a folder named ?racle. Note: the "?" will replaced by a random character. To make sure you have the correct folder, open it up and look for a file named services.exe. Once you are sure you have found the correct folder, go back and delete the ?racle folder. If you have any doubt whether or not you have found the correct folder, post back and don't do anything.

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only

  • Double-click ATF-Cleaner.exe to run the program.

    Under Main choose: Select All

    Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All

    Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All

    Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

First download ewido anti-spyware from HERE and save that file to your desktop.

This is a 30 day trial of the program

  1. Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.

  2. Once the setup is complete you will need run ewido and update the definition files.

  3. On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.

[*]Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.

[*]Once in the Settings screen click on "Recommended actions" and then select "Quarantine".

[*]Under "Reports"

  • Select "Automatically generate report after every scan"

  • Un-Select "Only if threats were found"

Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.

  1. Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.

    IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess:

  2. Lauch ewido-anti-spyware by double-clicking the icon on your desktop.

  3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".

  4. ewido will now begin the scanning process, be patient this may take a little time.

    Once the scan is complete do the following:

  5. If you have any infections you will prompted, then select "Apply all actions"

  6. Next select the "Reports" icon at the top.

  7. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).

  8. Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan.

Finally, post back with ALL 6 Jotti Scan Results, the Ewido Report, and a new HJT log.

Matt

:thumbsup: Thanks so much. I went to the oracle folder; however, it said access denied when I tried to delete it. :(


Hello jay888. Sorry for the delay.

Let's get started! You may want to print this out for reference.

STEP 1:

Please open HijackThis and place a check next to the following items:

O4 - HKCU\..\Run: [c329b8f7.exe] C:\Documents and Settings\CoCo\Local Settings\Application Data\c329b8f7.exe

O4 - HKCU\..\Run: [9ea5b5e7.exe] C:\Documents and Settings\CoCo\Local Settings\Application Data\9ea5b5e7.exe

O4 - HKCU\..\Run: [Dfoat] C:\DOCUME~1\CoCo\MYDOCU~1\RACLE~1\services.exe

O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\SKS~1\wuaclt.exe" -vt ndrv

Close all open windows and browsers (except for HijackThis) and click on Fix Checked.

STEP 2:

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.

  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Documents and Settings\CoCo\Local Settings\Application Data\c329b8f7.exe

    C:\Documents and Settings\CoCo\Local Settings\Application Data\9ea5b5e7.exe

    C:\DOCUME~1\CoCo\MYDOCU~1\RACLE~1\services.exe

    C:\PROGRA~1\SKS~1\wuaclt.exe

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

STEP 3:

Please post a fresh HijackThis log along with a new Ewido log. Thanks! :)


Hello Jay888, Happy 4th of July!

  1. Please double-click Killbox.exe to run it.
  2. Select:
    • Delete on Reboot
    • then click on the All Files button.
  3. Please copy the file path below to the clipboard by highlighting it and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\WINDOWS\system32\notepad.dll

  4. Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  5. Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Please post a new Ewido log. Thanks!

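Why the helper reaches for "Delete on Reboot" here: notepad.dll is listed in AppInit_DLLs (the O20 line in the log later in this thread), so it is mapped into every process that loads user32.dll and cannot be removed while Windows is up. Tools like Killbox instead queue the deletion for the Session Manager to carry out at the next boot, by appending to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, the same mechanism MoveFileEx uses with MOVEFILE_DELAY_UNTIL_REBOOT. That is also why the helpers want to hear about a PendingFileRenameOperations prompt: an entry already present means something else had queued a rename or delete for the next boot. The script below is an added example, not Killbox's own code or anything posted in the thread; it builds and parses that value's encoding offline, the sample entries are constructed from the two DLL paths named in this thread, and the live registry read only works on Windows.

```python
import sys
from typing import List, Tuple

NT_PREFIX = "\\??\\"          # NT object-manager form of a Win32 drive path

# Constructed sample: the two AppInit DLLs named in this thread, queued for
# deletion (empty destination) at the next boot.
SCHEDULED_DELETES = [
    ("C:\\WINDOWS\\system32\\notepad.dll", ""),
    ("C:\\WINDOWS\\system32\\chkdsk.dll", ""),
]


def to_nt_path(path: str) -> str:
    """'C:\\x' -> '\\??\\C:\\x'; a leading '!' (replace-existing flag) stays in front."""
    if path == "" or path.startswith(NT_PREFIX) or path.startswith("!" + NT_PREFIX):
        return path
    if path.startswith("!"):
        return "!" + NT_PREFIX + path[1:]
    return NT_PREFIX + path


def from_nt_path(path: str) -> str:
    return path.replace(NT_PREFIX, "", 1)


def encode_pending_ops(ops: List[Tuple[str, str]]) -> bytes:
    """Build the REG_MULTI_SZ bytes: UTF-16-LE, every string NUL-terminated,
    plus one extra NUL closing the list. Each op is (source, destination);
    destination "" means delete, a leading "!" means replace an existing file."""
    strings = []
    for src, dst in ops:
        strings.append(to_nt_path(src))
        strings.append(to_nt_path(dst))
    body = "".join(s + "\0" for s in strings) + "\0"
    return body.encode("utf-16-le")


def decode_pending_ops(raw: bytes) -> List[Tuple[str, str]]:
    """Inverse of encode_pending_ops; an empty value decodes to []."""
    text = raw.decode("utf-16-le")
    if text.endswith("\0"):
        text = text[:-1]                 # the list terminator
    strings = text.split("\0")
    if strings and strings[-1] == "":
        strings.pop()                    # left over from the last string's own NUL
    if len(strings) % 2:
        raise ValueError("value must hold source/destination pairs")
    return list(zip(strings[0::2], strings[1::2]))


def describe(ops: List[Tuple[str, str]]) -> List[str]:
    """Human-readable view of what the Session Manager will do at boot."""
    out = []
    for src, dst in ops:
        if dst == "":
            out.append(f"delete  {from_nt_path(src)}")
        elif dst.startswith("!"):
            out.append(f"replace {from_nt_path(dst[1:])} with {from_nt_path(src)}")
        else:
            out.append(f"rename  {from_nt_path(src)} -> {from_nt_path(dst)}")
    return out


def read_live_pending_ops() -> List[Tuple[str, str]]:
    """Read the real value. Windows only; returns [] elsewhere or if unset."""
    if sys.platform != "win32":
        return []
    import winreg  # stdlib, Windows only
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Control\Session Manager")
    try:
        value, _ = winreg.QueryValueEx(key, "PendingFileRenameOperations")
    except FileNotFoundError:
        return []
    finally:
        winreg.CloseKey(key)
    return list(zip(value[0::2], value[1::2]))   # winreg already splits the multi-string


if __name__ == "__main__":
    raw = encode_pending_ops(SCHEDULED_DELETES)
    print(f"{len(raw)} bytes queued:")
    for line in describe(decode_pending_ops(raw)):
        print("  " + line)
    for line in describe(read_live_pending_ops()):
        print("live: " + line)
```

Run it on a Windows box before and after a Killbox session and the "live:" lines show exactly what has been queued; on any other system it only exercises the encoder and decoder on the constructed sample.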

Hello jay888, :)

Let's finish this up!

STEP 1:

We need to run ATF Cleaner again.

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

STEP 2:

Please go HERE to run Panda's ActiveScan

  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

We're almost done!! :D

Hi, I hope this is the last scan; sorry for giving you so much trouble. Thanks so much! :)

:thumbsup:

Incident Status Location

Adware:adware/nowfind Not disinfected c:\windows\system32\cidft.dll

Adware:adware/ncase Not disinfected c:\windows\didduid.ini

Adware:adware/miamore Not disinfected Windows Registry

Adware:adware/alibabar Not disinfected Windows Registry

Adware:adware/morwillsearch Not disinfected Windows Registry

Spyware:spyware/apropos Not disinfected Windows Registry

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\CoCo\Cookies\[email protected][1].txt

Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\CoCo\Cookies\[email protected][2].txt

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\CoCo\Cookies\coco@atdmt[2].txt

Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\CoCo\Cookies\coco@doubleclick[1].txt

Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\CoCo\Cookies\coco@realmedia[1].txt

Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\CoCo\Cookies\[email protected][1].txt

Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\CoCo\Cookies\coco@trafficmp[2].txt


Yeah! I am so tired of my laptop; so glad you are making my life easier. :) Thanks so much.

:thumbsup: You are awesome; if there is a way for me to make a donation, please let me know the link.

Incident Status Location

Adware:adware/nowfind Not disinfected c:\windows\system32\cidft.dll

Adware:adware/ncase Not disinfected c:\windows\didduid.ini

Adware:adware/miamore Not disinfected Windows Registry

Adware:adware/alibabar Not disinfected Windows Registry

Adware:adware/morwillsearch Not disinfected Windows Registry

Spyware:spyware/apropos Not disinfected Windows Registry

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\CoCo\Cookies\[email protected][1].txt

Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\CoCo\Cookies\[email protected][2].txt

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\CoCo\Cookies\coco@atdmt[2].txt

Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\CoCo\Cookies\coco@doubleclick[1].txt

Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\CoCo\Cookies\coco@realmedia[1].txt

Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\CoCo\Cookies\[email protected][1].txt

Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\CoCo\Cookies\coco@trafficmp[2].txt

Can I see one more HJT log, please? :)

Please check for me. It seems that the pop-up is still happening.

Logfile of HijackThis v1.99.1

Scan saved at 10:43:58 PM, on 7/9/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\system32\pctspk.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\QUICKENW\QAGENT.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\USB Flash Disk Utility\UFD Utility\UFDMon.exe

C:\WINDOWS\system32\mrtMngr.EXE

C:\Program Files\USB Flash Disk Utility\UFD Utility\USBTD.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe

C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

C:\PROGRA~1\SlimQ\Fahid.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program Files\Virtual Account Numbers\CitiUCS.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\WINDOWS\tsnp2std.exe

C:\WINDOWS\vsnp2std.exe

C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\palmOne\Hotsync.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\CoCo\My Documents\Appz\hijack\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE

O4 - HKLM\..\Run: [uFD Monitor] C:\Program Files\USB Flash Disk Utility\UFD Utility\UFDMon.exe

O4 - HKLM\..\Run: [uFD Utility] C:\Program Files\USB Flash Disk Utility\UFD Utility\USBTD.exe

O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [iPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l

O4 - HKLM\..\Run: [iPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe

O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

O4 - HKLM\..\Run: [FAhid] C:\PROGRA~1\SlimQ\Fahid.exe

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [CitiUCS] C:\Program Files\Virtual Account Numbers\CitiUCS.exe /dontopenmycards

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe

O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Microsoft® JavaScript® Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx

O9 - Extra 'Tools' menuitem: JavaScript Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx

O9 - Extra button: UCS - {4C730923-3961-439b-83D5-F4E445520422} - C:\Program Files\Virtual Account Numbers\CitiUCS.exe

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - C:\WINDOWS\System32\HPCMDTY.DLL (file missing) (HKCU)

O9 - Extra button: Microsoft® JavaScript® Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)

O9 - Extra 'Tools' menuitem: JavaScript Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)

O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab

O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/DVInstaller.exe

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - AppInit_DLLs: C:\WINDOWS\system32\chkdsk.dll C:\WINDOWS\system32\notepad.dll

O23 - Service: Apache2Triad Apache2 Service (Apache2) - Unknown owner - c:\apache2\bin\apache.exe" -n Apache2 -k runservice (file missing)

O23 - Service: Apache2Triad Apache2 Service with SSL (Apache2(SSL)) - Unknown owner - c:\apache2\bin\apache.exe" -n Apache2(SSL) -k runservice -D SSL (file missing)

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Apache2Triad MySql Service (MySql) - Unknown owner - C:/apache2/mysql/bin/mysqld.exe

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE

O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: Apache2Triad SlimFTPd Server (SlimFTPd) - Unknown owner - C:\apache2\mail\bin\XMail.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Hi again jay888! :) I'll be "re-taking" over assisting you now, as it's Steamhead's turn to go out of town! :lol::wacko:

Anyway, please post a fresh HJT log, and we can continue. :thumbsup:

Matt

Welcome back, Matt, hope you had a nice vacation. :):thumbsup:

Unfortunately, I am still having spyware popping up. :(

Logfile of HijackThis v1.99.1

Scan saved at 11:50:48 PM, on 7/13/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\pctspk.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\QUICKENW\QAGENT.EXE

C:\Program Files\USB Flash Disk Utility\UFD Utility\UFDMon.exe

C:\WINDOWS\system32\mrtMngr.EXE

C:\Program Files\USB Flash Disk Utility\UFD Utility\USBTD.exe

C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe

C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

C:\PROGRA~1\SlimQ\Fahid.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Virtual Account Numbers\CitiUCS.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe

C:\WINDOWS\tsnp2std.exe

C:\WINDOWS\vsnp2std.exe

C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

C:\Program Files\palmOne\Hotsync.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\CoCo\My Documents\Appz\hijack\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE

O4 - HKLM\..\Run: [uFD Monitor] C:\Program Files\USB Flash Disk Utility\UFD Utility\UFDMon.exe

O4 - HKLM\..\Run: [uFD Utility] C:\Program Files\USB Flash Disk Utility\UFD Utility\USBTD.exe

O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [iPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l

O4 - HKLM\..\Run: [iPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe

O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

O4 - HKLM\..\Run: [FAhid] C:\PROGRA~1\SlimQ\Fahid.exe

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [CitiUCS] C:\Program Files\Virtual Account Numbers\CitiUCS.exe /dontopenmycards

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe

O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Microsoft® JavaScript® Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx

O9 - Extra 'Tools' menuitem: JavaScript Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx

O9 - Extra button: UCS - {4C730923-3961-439b-83D5-F4E445520422} - C:\Program Files\Virtual Account Numbers\CitiUCS.exe

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - C:\WINDOWS\System32\HPCMDTY.DLL (file missing) (HKCU)

O9 - Extra button: Microsoft® JavaScript® Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)

O9 - Extra 'Tools' menuitem: JavaScript Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)

O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab

O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/DVInstaller.exe

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - AppInit_DLLs: C:\WINDOWS\system32\chkdsk.dll C:\WINDOWS\system32\notepad.dll

O23 - Service: Apache2Triad Apache2 Service (Apache2) - Unknown owner - c:\apache2\bin\apache.exe" -n Apache2 -k runservice (file missing)

O23 - Service: Apache2Triad Apache2 Service with SSL (Apache2(SSL)) - Unknown owner - c:\apache2\bin\apache.exe" -n Apache2(SSL) -k runservice -D SSL (file missing)

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Apache2Triad MySql Service (MySql) - Unknown owner - C:/apache2/mysql/bin/mysqld.exe

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE

O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: Apache2Triad SlimFTPd Server (SlimFTPd) - Unknown owner - C:\apache2\mail\bin\XMail.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Jotti File Submission:

  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
    • C:\WINDOWS\tsnp2std.exe
  • Click on the submit button
  • Repeat the previous steps with the following files:
    • C:\WINDOWS\vsnp2std.exe
    • C:\WINDOWS\system32\chkdsk.dll
  • Please post the 3 results in your next reply.

Matt


Hi, sorry for the late reply. I've been trying hard to use this website; it froze on me many times, because of my spyware?

Please let me know what else I need to check, thanks so much. :thumbsup:

File: tsnp2std.exe

Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)

MD5 51615816c80529488db618e3d78057a5

Packers detected: -

Scanner results

AntiVir Found nothing

ArcaVir Found nothing

Avast Found nothing

AVG Antivirus Found nothing

BitDefender Found nothing

ClamAV Found nothing

Dr.Web Found nothing

F-Prot Antivirus Found nothing

Fortinet Found nothing

Kaspersky Anti-Virus Found nothing

NOD32 Found nothing

Norman Virus Control Found nothing

UNA Found nothing

VirusBuster Found nothing

VBA32 Found nothing

File: vsnp2std.exe

Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)

MD5 5da1d493d24550d92f1407d3509df2b6

Packers detected: -

Scanner results

AntiVir Found nothing

ArcaVir Found nothing

Avast Found nothing

AVG Antivirus Found nothing

BitDefender Found nothing

ClamAV Found nothing

Dr.Web Found nothing

F-Prot Antivirus Found nothing

Fortinet Found nothing

Kaspersky Anti-Virus Found nothing

NOD32 Found nothing

Norman Virus Control Found nothing

UNA Found nothing

VirusBuster Found nothing

VBA32 Found nothing

C:\WINDOWS\system32\chkdsk.dll

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

Welcome back!

Please scan with HJT and place a check next to the following item:

O20 - AppInit_DLLs: C:\WINDOWS\system32\chkdsk.dll C:\WINDOWS\system32\notepad.dll

Then, make sure all browser windows and other applications are closed, and click the Fix Checked button.

Please double-click Killbox.exe to run it.

  • Select Delete on Reboot, then click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • C:\WINDOWS\system32\chkdsk.dll
    • C:\WINDOWS\system32\notepad.dll
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Run another Ewido scan.

Post back the Ewido report and a new HJT log.

Matt
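The O20 AppInit_DLLs line Matt singles out, the services marked "(file missing)", and the C:\WINDOWS autostarts he sent to Jotti are the kind of entries a helper reads first in an HJT log. The triage script below is an added example, not code from the thread, from HijackThis or from any tool named in it; it assumes the HijackThis v1.99.1 line layouts shown in the logs above and a small, assumed list of Windows program names, and runs over a constructed sample built from those lines.

```python
"""Triage pass over HijackThis v1.99.1 log lines (added example).

Not code from the thread, from HijackThis or from any of the tools named
in it.  It assumes the O4 / O20 / O23 line layouts visible in the logs
above and flags the entries a helper would read first: DLLs registered
under AppInit_DLLs, DLL names that mirror a Windows program, services
whose binary is gone, and autostarts living directly in the Windows directory.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample built from the line formats in the thread's logs.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - AppInit_DLLs: C:\WINDOWS\system32\chkdsk.dll C:\WINDOWS\system32\notepad.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Apache2Triad Apache2 Service (Apache2) - Unknown owner - c:\apache2\bin\apache.exe" -n Apache2 -k runservice (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""

# Assumed, deliberately short list of Windows program names; a DLL in
# system32 carrying one of these stems deserves a signature check.
WINDOWS_PROGRAM_STEMS = {"chkdsk", "notepad", "explorer", "svchost", "winlogon"}

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str    # which heuristic fired
    item: str    # the path or service name concerned
    reason: str  # why a helper would look at it


def parse_appinit_dlls(value: str) -> List[str]:
    """Split an AppInit_DLLs value the way the Windows loader does.

    The registry value is a space- or comma-delimited list, which is why
    Microsoft recommends short (8.3) names there: a path containing a
    space is split into two tokens, by Windows and by this function alike.
    """
    return [tok for tok in re.split(r"[ ,]+", value.strip()) if tok]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def triage(log_text: str) -> List[Finding]:
    """Return the suspicious entries found in HJT log text, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O20_RE.match(line):
            for dll in parse_appinit_dlls(m["value"]):
                findings.append(Finding(
                    "appinit_dll", dll,
                    "injected into every process that loads user32.dll; "
                    "rarely legitimate on a home PC"))
                stem = basename(dll).lower().removesuffix(".dll")
                if stem in WINDOWS_PROGRAM_STEMS:
                    findings.append(Finding(
                        "lookalike_name", dll,
                        f"name mirrors the Windows program {stem}.exe; "
                        "verify it is a signed Microsoft file before trusting it"))
        elif m := O23_RE.match(line):
            if m["path"].endswith("(file missing)"):
                findings.append(Finding(
                    "service_missing_binary", m["name"],
                    "service is registered but its binary is gone; "
                    "stale leftover or a removed component"))
        elif m := O4_RE.match(line):
            exe = EXE_RE.search(m["cmd"])
            if exe is None:
                continue
            parent = exe["path"].rsplit("\\", 1)[0].lower()
            if parent in ("c:\\windows", "c:\\winnt"):
                findings.append(Finding(
                    "run_from_windows_root", exe["path"],
                    "autostart placed directly in the Windows directory; "
                    "submit to an online multi-scanner (some OEM drivers also live here)"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.item}: {f.reason}")
```

The flags are prompts for a human check, not verdicts: tsnp2std.exe is flagged here for the same reason Matt sent it to Jotti, and Jotti cleared it.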


Hi, I got the PendingFileRenameOperations prompt on both files. :(

---------------------------------------------------------

ewido anti-spyware - Scan Report

---------------------------------------------------------

+ Created at: 11:42:43 AM 7/21/2006

+ Scan result:

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP224\A0050204.exe -> Adware.PurityScan : No action taken.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP217\A0048732.dll -> Not-A-Virus.Hoax.Win32.Renos.dt : No action taken.

C:\apache2\opssl\bin\libssl32.dll -> Not-A-Virus.NetTool.Win32.STunnel.404 : No action taken.

C:\Documents and Settings\CoCo\Cookies\coco@2o7[2].txt -> TrackingCookie.2o7 : No action taken.

C:\Documents and Settings\CoCo\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : No action taken.

C:\Documents and Settings\Jessica\Cookies\jessica@2o7[1].txt -> TrackingCookie.2o7 : No action taken.

C:\Documents and Settings\Jessica\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : No action taken.

C:\Documents and Settings\CoCo\Cookies\coco@advertising[2].txt -> TrackingCookie.Advertising : No action taken.

C:\Documents and Settings\CoCo\Cookies\[email protected][2].txt -> TrackingCookie.Advertising : No action taken.

C:\Documents and Settings\Jessica\Cookies\jessica@advertising[1].txt -> TrackingCookie.Advertising : No action taken.

C:\Documents and Settings\CoCo\Cookies\coco@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.

C:\Documents and Settings\Jessica\Cookies\jessica@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.

C:\Documents and Settings\CoCo\Cookies\[email protected][1].txt -> TrackingCookie.Bridgetrack : No action taken.

C:\Documents and Settings\CoCo\Cookies\coco@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : No action taken.

C:\Documents and Settings\CoCo\Cookies\coco@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.

C:\Documents and Settings\Jessica\Cookies\jessica@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.

C:\Documents and Settings\CoCo\Cookies\[email protected][2].txt -> TrackingCookie.Euroclick : No action taken.

C:\Documents and Settings\CoCo\Cookies\[email protected][2].txt -> TrackingCookie.Falkag : No action taken.

C:\Documents and Settings\CoCo\Cookies\coco@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.

C:\Documents and Settings\Jessica\Cookies\jessica@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.

C:\Documents and Settings\CoCo\Cookies\coco@overture[1].txt -> TrackingCookie.Overture : No action taken.

C:\Documents and Settings\CoCo\Cookies\[email protected][2].txt -> TrackingCookie.Pointroll : No action taken.

C:\Documents and Settings\Jessica\Cookies\jessica@questionmarket[2].txt -> TrackingCookie.Questionmarket : No action taken.

C:\Documents and Settings\CoCo\Cookies\[email protected][2].txt -> TrackingCookie.Reliablestats : No action taken.

C:\Documents and Settings\Jessica\Cookies\[email protected][1].txt -> TrackingCookie.Reliablestats : No action taken.

C:\Documents and Settings\CoCo\Cookies\coco@serving-sys[2].txt -> TrackingCookie.Serving-sys : No action taken.

C:\Documents and Settings\Jessica\Cookies\jessica@serving-sys[2].txt -> TrackingCookie.Serving-sys : No action taken.

C:\Documents and Settings\CoCo\Cookies\coco@trafficmp[1].txt -> TrackingCookie.Trafficmp : No action taken.

C:\Documents and Settings\CoCo\Cookies\coco@valueclick[1].txt -> TrackingCookie.Valueclick : No action taken.

C:\Documents and Settings\CoCo\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : No action taken.

C:\Documents and Settings\CoCo\Cookies\coco@zedo[1].txt -> TrackingCookie.Zedo : No action taken.

C:\Documents and Settings\Jessica\Cookies\jessica@zedo[2].txt -> TrackingCookie.Zedo : No action taken.

::Report end

So I rebooted the machine manually, then did an ewido scan and HJT. Please help. :)

After the ewido scan, I applied all actions to delete them.

Logfile of HijackThis v1.99.1

Scan saved at 11:52:18 AM, on 7/21/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\pctspk.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\QUICKENW\QAGENT.EXE

C:\Program Files\USB Flash Disk Utility\UFD Utility\UFDMon.exe

C:\Program Files\USB Flash Disk Utility\UFD Utility\USBTD.exe

C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

C:\WINDOWS\system32\mrtMngr.EXE

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe

C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe

C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

C:\PROGRA~1\SlimQ\Fahid.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Virtual Account Numbers\CitiUCS.exe

C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\WINDOWS\tsnp2std.exe

C:\WINDOWS\vsnp2std.exe

C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\palmOne\Hotsync.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\ewido anti-spyware 4.0\ewido.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\CoCo\My Documents\Appz\hijack\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE

O4 - HKLM\..\Run: [uFD Monitor] C:\Program Files\USB Flash Disk Utility\UFD Utility\UFDMon.exe

O4 - HKLM\..\Run: [uFD Utility] C:\Program Files\USB Flash Disk Utility\UFD Utility\USBTD.exe

O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [iPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l

O4 - HKLM\..\Run: [iPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe

O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

O4 - HKLM\..\Run: [FAhid] C:\PROGRA~1\SlimQ\Fahid.exe

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [CitiUCS] C:\Program Files\Virtual Account Numbers\CitiUCS.exe /dontopenmycards

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe

O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Microsoft® JavaScript® Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx

O9 - Extra 'Tools' menuitem: JavaScript Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx

O9 - Extra button: UCS - {4C730923-3961-439b-83D5-F4E445520422} - C:\Program Files\Virtual Account Numbers\CitiUCS.exe

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - C:\WINDOWS\System32\HPCMDTY.DLL (file missing) (HKCU)

O9 - Extra button: Microsoft® JavaScript® Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)

O9 - Extra 'Tools' menuitem: JavaScript Console - {46AF0B81-0578-42DD-B20C-2ECF0EA31A4F} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)

O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab

O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/DVInstaller.exe

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: Apache2Triad Apache2 Service (Apache2) - Unknown owner - c:\apache2\bin\apache.exe" -n Apache2 -k runservice (file missing)

O23 - Service: Apache2Triad Apache2 Service with SSL (Apache2(SSL)) - Unknown owner - c:\apache2\bin\apache.exe" -n Apache2(SSL) -k runservice -D SSL (file missing)

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Apache2Triad MySql Service (MySql) - Unknown owner - C:/apache2/mysql/bin/mysqld.exe

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE

O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: Apache2Triad SlimFTPd Server (SlimFTPd) - Unknown owner - C:\apache2\mail\bin\XMail.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Thanks so much for your continuous support, I really appreciate it.
