help needed spyware removal


joyacacia
02-15-2005, 09:34 PM
Hi there, I use SpywareGuard, NoAdware, Spybot, Ad-Aware SE, a-squared, CWShredder, FxIstbar and also Norton's NAV & Internet Security. I keep getting hijacked and infected with LOP and ISTbar. My results from HijackThis:

Logfile of HijackThis v1.99.0
Scan saved at 4:21:36 PM, on 16/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\pymdsb.exe
C:\Program Files\a2\a2guard.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\WINZIP\winzip32.exe
c:\progra~1\intern~1\iexplore.exe
C:\Documents and Settings\Karen.REEDMAN\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hxomzniveuqqczsronhxngld.com/NRSFCRKFIzgDKZMRlK_WFeYNGoiJ77mRbKF43v9E_PxWP80/yrAtVgEOLyJZzis2.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mswspl] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB002" /M "Stylus C45"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LOG ROAM HELP WAY] C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\ITCH SOFT.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~3\Ad-Watch.exe"
O4 - HKLM\..\Run: [gHEayU8P] C:\WINDOWS\pymdsb.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [Four Bind] C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Karen.REEDMAN\Local Settings\Temp\{774A1354-6A34-48CB-9EF5-EB0529329520}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.ozemail.com.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{424AC613-C17A-4E24-BAD2-A87DBE7EC3A6}: NameServer = 210.80.58.34 210.80.58.42
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InCD Helper - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Internet Security Accounts Manager - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
O23 - Service: Sandra Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

Any help would be great, dame in distress,
thanks joyacacia

nightowl
02-16-2005, 04:20 PM
A few strange things here. If you recognize any of them and know they are OK, then don't delete them. I can't find any info on some of them. The ones I'm not sure about are the O4 entries in bold letters.

Reboot To Safe Mode (tap F8 on Startup)

Delete these files and/or folders:

C:\Program Files\Messenger Plus! 3\MsgPlus.exe

C:\WINDOWS\pymdsb.exe


Still In Safe Mode Place a check next to each of these and click Fix Checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hxomzniveuqqczsronhxngld...gEOLyJZzis2.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
O4 - HKLM\..\Run: [LOG ROAM HELP WAY] C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\ITCH SOFT.exe
O4 - HKLM\..\Run: [gHEayU8P] C:\WINDOWS\pymdsb.exe
O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [Four Bind] C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Karen.REEDMAN\Local Settings\Temp\{774A1354-6A34-48CB-9EF5-EB0529329520}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{424AC613-C17A-4E24-BAD2-A87DBE7EC3A6}: NameServer = 210.80.58.34 210.80.58.42

Still in Safe Mode, delete all Temporary Internet Files and Cookies, run Ad-Aware and Spybot, delete what they find, and empty the Recycle Bin.


Then Reboot and post a new log..........Jim
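The triage above is done by eye: R0/R1 search and start-page entries pointing at unknown hosts, O4 Run entries launched from odd places such as the bare Windows directory or a Temp/Application Data folder, and a changed O17 NameServer (the next log in this thread adds an F2 UserInit chain and O16 ActiveX downloads). As an added example that is neither HijackThis code nor the helper's own procedure, here is a small Python script that applies those heuristics to HijackThis-format lines; the allow-list of known-good domains and the severity labels are assumptions, and the sample lines are copied from the logs posted in this thread.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis
code nor the thread helper's own procedure).

Encodes heuristics a reviewer applies by eye to the logs in this thread: browser
settings on unknown hosts, an injected proxy, startup items launched from Temp,
Application Data or the bare Windows directory, programs chained onto UserInit,
changed DNS servers and ActiveX controls fetched from unknown sites.
"""
import re
from urllib.parse import urlparse

KNOWN_GOOD_DOMAINS = ("msn.com", "hp.com", "microsoft.com")  # constructed allow-list, not exhaustive

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
TEMP_OR_APPDATA = re.compile(r"\\(Local Settings\\Temp|Application Data|APPLIC~1)\\", re.I)
WINDIR_ROOT = re.compile(r"^[A-Z]:\\WINDOWS\\[^\\]+\.exe$", re.I)

def _known_host(url):
    """True when the URL's host is, or is a subdomain of, an allow-listed domain."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    return any(host == d or host.endswith("." + d) for d in KNOWN_GOOD_DOMAINS)

def _launch_path(cmd):
    """Extract the program path from a Run command line, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces: stop at the first .exe followed by a space or the end.
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]

def triage_line(line):
    """Return (severity, reason) for one log line, or None if it looks unremarkable."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")

    if kind in ("R0", "R1"):  # IE start page, search settings, proxy
        setting, _, value = body.partition(" = ")
        name = setting.rsplit(",", 1)[-1]
        if name.startswith("Proxy"):
            return ("review", f"{name} set to {value}")
        if value and not _known_host(value):
            return ("suspicious", f"{name} points at {value}")
        return None

    if kind == "F2" and "UserInit=" in body:
        # Everything listed after userinit.exe runs at each logon, before the shell.
        progs = [p.strip() for p in body.split("UserInit=", 1)[1].split(",") if p.strip()]
        extra = [p for p in progs if not p.lower().endswith("userinit.exe")]
        return ("suspicious", f"UserInit also launches {', '.join(extra)}") if extra else None

    if kind == "O4":  # Run keys and Startup folder items
        run = RUN_RE.match(body)
        target = _launch_path(run.group("cmd")) if run else body.partition(" = ")[2]
        if TEMP_OR_APPDATA.search(target):
            return ("suspicious", f"startup item launches from {target}")
        if WINDIR_ROOT.match(target):
            return ("review", f"startup item launches from the Windows root: {target}")
        return None

    if kind == "O17":  # DNS servers the machine will trust for every lookup
        return ("review", f"DNS servers set to {body.partition('NameServer = ')[2]}")

    if kind == "O16":  # Downloaded Program Files (ActiveX controls)
        url = body.rsplit(" - ", 1)[-1]
        return None if _known_host(url) else ("review", f"ActiveX control from {url}")

    return None

def triage_log(text):
    """Run triage_line over a whole log; returns [(severity, reason, line), ...]."""
    findings = []
    for line in text.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append((hit[0], hit[1], line.strip()))
    return findings

# Sample input: lines copied from the logs posted in this thread, benign ones included.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.reset.net.au:8080
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LOG ROAM HELP WAY] C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\ITCH SOFT.exe
O4 - HKLM\..\Run: [gHEayU8P] C:\WINDOWS\pymdsb.exe
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Karen.REEDMAN\Local Settings\Temp\{774A1354-6A34-48CB-9EF5-EB0529329520}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{424AC613-C17A-4E24-BAD2-A87DBE7EC3A6}: NameServer = 210.80.58.34 210.80.58.42
"""

if __name__ == "__main__":
    for severity, reason, line in triage_log(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {line}")
```

Entries the script leaves alone (O2, O3, O9, O23 and the like) still need a human look; the point is to surface the few lines a helper would ask about first.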

joyacacia
02-17-2005, 05:24 AM
Hi Jim, thanks for your help. I managed to do as you asked. After deleting the files, Spybot showed ISearch Tech.Power Scan and Ad-Aware was showing ISTbar in a reg key and reg value. I clicked on Fix Problem; after reboot, SpywareGuard kept saying the browser was hijacked. I have run Spybot after reboot and no threats. Good news.
Here is the new log:

Logfile of HijackThis v1.99.0
Scan saved at 12:04:34 AM, on 18/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Karen.REEDMAN\Desktop\spyware\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://jfguzopmgzufkkmqlaolemids.com/eQ7JEMmzpXr25hmdOId3sVeW9i20dDV8vNkoDTM07TBOTSj81n Hzz_eNFaXfIIBh.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://talfyilmerzbgrzluexn.com/eQ7JEMmzpXojeBGgavWbtbnwGOrUSWXaAQ4vIlmOKzY.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.reset.net.au:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mswspl] SOUNDMAN.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB002" /M "Stylus C45"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~3\Ad-Watch.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
O4 - HKLM\..\Run: [LOG ROAM HELP WAY] C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\ITCH SOFT.exe
O4 - HKLM\..\Run: [gHEayU8P] C:\WINDOWS\pymdsb.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Image Transfer.lnk = ?
O14 - IERESET.INF: START_PAGE_URL=http://www.ozemail.com.au
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientInstall/10.20.0002/OCI/setup.exe
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InCD Helper - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Internet Security Accounts Manager - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
O23 - Service: Sandra Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

Thanks for your help,
Karen

justmaar
02-17-2005, 05:31 AM
Can someone please help me get rid of the SearchMiracle popups?
This is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:23:44 PM, on 2/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AEIWLSVC.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\AEIWLRAD.EXE
C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
C:\Program Files\Hewlett-Packard\HP Mobile Printing Driver\HPBMOBIL.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\essspk.exe
C:\WINDOWS\System32\mjdrklfs.exe
C:\Program Files\WindowsSA\omniscient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\svchst.exe
C:\WINDOWS\sssasasb32.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\packager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~2\HPUSER~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com/info/homepage-o
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/info/homepage-o
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = web-proxy:8088
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [1AEIWLRAD.EXE] AEIWLRAD.EXE
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [HP Mobile Printing Driver] C:\Program Files\Hewlett-Packard\HP Mobile Printing Driver\HPBMOBIL.EXE
O4 - HKLM\..\Run: [HP Presentation Ready] C:\Program Files\Hewlett-Packard\HP Presentation Ready\PresRdy.exe -r
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [brocjl] C:\WINDOWS\System32\mjdrklfs.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SysA] C:\windows\system32\wineys32.exe
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [msnmsgq32] C:\WINDOWS\msnmsgq.exe
O4 - HKLM\..\Run: [MsnExplorer] C:\WINDOWS\svchst.exe /i
O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitebsr32.exe
O4 - HKLM\..\Run: [sssasasb32] C:\WINDOWS\sssasasb32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/info/homepage-o
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab27571.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab27571.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flingstone.com/cab/2000XP/ClickYesToContinue/bridge.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28578.cab
O23 - Service: Aeiwsvc - Unknown owner - C:\WINDOWS\system32\AEIWLSVC.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

nightowl
02-17-2005, 02:33 PM
Stuff reloaded here; give it another try.


Reboot To Safe Mode (tap F8 on Startup)

Still In Safe Mode Place a check next to each of these and click Fix Checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://jfguzopmgzufkkmqlaolemids.co...eNFaXfIIBh.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://talfyilmerzbgrzluexn.com/eQ7...AQ4vIlmOKzY.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.reset.net.au:8080
O4 - HKLM\..\Run: [mswspl] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
O4 - HKLM\..\Run: [LOG ROAM HELP WAY] C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\ITCH SOFT.exe
O4 - HKLM\..\Run: [gHEayU8P] C:\WINDOWS\pymdsb.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.ozemail.com.au

Still in Safe Mode, delete all Temporary Internet Files and Cookies, run Ad-Aware and Spybot, delete what they find, and empty the Recycle Bin.

Then Reboot and post a new log..........Jim

nightowl
02-17-2005, 02:46 PM
http://forums.designtechnica.com/showthread.php?t=7081

I moved your log here.......Jim

joyacacia
02-18-2005, 02:45 AM
Hi Jim, well, I repeated the process, but I'm pretty sure some of this stuff keeps reloading itself; I keep getting my browser hijacked. Here are the results:

Logfile of HijackThis v1.99.0
Scan saved at 9:36:04 PM, on 18/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Lavasoft\AD-AWA~3\Ad-Watch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\a2\a2guard.exe
C:\Program Files\Warez P2P Client\warez.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Karen.REEDMAN\Desktop\spyware\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.reset.net.au:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB002" /M "Stylus C45"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~3\Ad-Watch.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mswspl] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
O4 - HKLM\..\Run: [LOG ROAM HELP WAY] C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\ITCH SOFT.exe
O4 - HKLM\..\Run: [gHEayU8P] C:\WINDOWS\pymdsb.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Image Transfer.lnk = ?
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientInstall/10.20.0002/OCI/setup.exe
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InCD Helper - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Internet Security Accounts Manager - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
O23 - Service: Sandra Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


When you say to delete the cookies, I went to All Programs, Accessories, System Tools, Disk Cleanup. Is this the best way to remove cookies?
Once again thanks for your help,
karen

ECA
02-18-2005, 04:22 AM
Joy,
Want to be a guinea pig...
http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml

Get this prog...
Run it..
at top select...
VIEW,
CLICK everything in there..

SAVE a sample to desktop and post it here..
It's a new prog, want to see how it compares..
Thanks..

joyacacia
02-18-2005, 05:06 AM
here we go


HKLM\System\CurrentControlSet\Services

+ ccEvtMgr Symantec Event Manager Symantec Corporation c:\program files\common files\symantec shared\ccevtmgr.exe

+ ccPxySvc Symantec Proxy Service Symantec Corporation c:\program files\norton internet security\ccpxysvc.exe

+ EPSONStatusAgent2 EPSON Printer Status Agent (Not verified) SEIKO EPSON CORPORATION c:\program files\common files\epson\ebapi\sagent2.exe

+ InCDsrv Helper service for the InCD filesystem driver (Not verified) Ahead Software AG c:\program files\ahead\incd\incdsrv.exe

+ navapsvc Handles Norton AntiVirus Auto-Protect events. Symantec Corporation c:\program files\norton antivirus\navapsvc.exe

+ NISUM Handles Norton Internet Security Account Management Symantec Corporation c:\program files\norton internet security\nisum.exe

+ NProtectService Norton Protection Status (Not verified) Symantec Corporation c:\program files\norton antivirus\advtools\nprotect.exe

+ NVSvc Provides system and desktop level support to the NVIDIA display driver NVIDIA Corporation c:\windows\system32\nvsvc32.exe

+ SBService ScriptBlocking registration Symantec Corporation c:\program files\common files\symantec shared\script blocking\sbserv.exe

+ SymWSC Symantec WMI Service Symantec Corporation c:\program files\common files\symantec shared\security center\symwsc.exe

+ UleadBurningHelper ULCDRSvr (Not verified) Ulead Systems, Inc. c:\program files\common files\ulead systems\dvd\ulcdrsvr.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon

HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logon

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

+ Advanced Tools Check Norton AntiVirus Advanced Tools Integrity Checker Symantec Corporation c:\program files\norton antivirus\advtools\advchk.exe

+ AWMON Ad-Watch System Protector (Not verified) Lavasoft Sweden c:\program files\lavasoft\ad-aware se professional\ad-watch.exe

+ ccApp Common Client CC App Symantec Corporation c:\program files\common files\symantec shared\ccapp.exe

+ ccRegVfy Common Client Registry Integrity Verifier Symantec Corporation c:\program files\common files\symantec shared\ccregvfy.exe

+ DAEMON Tools-1033 File not found: C:\Program Files\D-Tools\daemon.exe

+ EPSON Stylus C45 Series EPSON Status Monitor 3 SEIKO EPSON CORPORATION c:\windows\system32\spool\drivers\w32x86\3\e_s4i3t1.exe

+ gHEayU8P File not found: C:\WINDOWS\pymdsb.exe

+ InCD InCD (Not verified) Ahead Software AG c:\program files\ahead\incd\incd.exe

+ iTunesHelper iTunesHelper Module (Not verified) Apple Computer, Inc. c:\program files\itunes\ituneshelper.exe

+ LOG ROAM HELP WAY c:\documents and settings\all users\application data\cashfastlogroam\itch soft.exe

+ mswspl Realtek Sound Manager (Not verified) Realtek Semiconductor Corp. C:\WINDOWS\soundman.exe

+ NeroFilterCheck NeroCheck (Not verified) Ahead Software Gmbh c:\windows\system32\nerocheck.exe

+ NvCplDaemon NVIDIA Display Properties Extension NVIDIA Corporation c:\windows\system32\nvcpl.dll

+ NvMediaCenter NVIDIA Media Center Library NVIDIA Corporation c:\windows\system32\nvmctray.dll

+ nwiz NVIDIA nView Wizard, Version 66.81 (Not verified) NVIDIA Corporation c:\windows\system32\nwiz.exe

+ PCDRealtime (Not verified) Dell c:\windows\realtime.exe

+ PRONoMgr.exe PRONotifyMgr Module (Not verified) Intel(R) Corporation c:\program files\intel\ncs\proset\pronomgr.exe

+ QuickTime Task (Not verified) Apple Computer, Inc. c:\program files\quicktime\qttask.exe

+ SoundMan Realtek Sound Manager (Not verified) Realtek Semiconductor Corp. C:\WINDOWS\soundman.exe

+ SpyBlocs File not found: C:\Program Files\SpyBlocs\SpyBlocs.exe

+ Symantec NetDriver Monitor Symantec Security Drivers Install Monitor Symantec Corporation c:\program files\symnetdrv\sndmon.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components

HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

+ Adobe Gamma Loader.lnk Adobe Gamma Loader (Not verified) Adobe Systems, Inc. c:\program files\common files\adobe\calibration\adobe gamma loader.exe

+ Adobe Reader Speed Launch.lnk Adobe Acrobat SpeedLauncher (Not verified) Adobe Systems Incorporated c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

+ Image Transfer.lnk c:\program files\sony corporation\image transfer\sonytray.exe

C:\Documents and Settings\Karen.REEDMAN\Start Menu\Programs\Startup

+ PowerReg Scheduler.exe PRegScheduler MFC Application c:\documents and settings\karen.reedman\start menu\programs\startup\powerreg scheduler.exe

+ SpywareGuard.lnk SpywareGuard c:\program files\spywareguard\sgmain.exe

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

+ a-squared c:\program files\a2\a2guard.exe

+ Symantec NetDriver Monitor Symantec Security Drivers Install Monitor Symantec Corporation c:\program files\symnetdrv\sndmon.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

Task Scheduler

+ Symantec NetDetect.job Symantec NetDetect Symantec Corporation c:\program files\symantec\liveupdate\ndetect.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

+ AcroIEHlprObj Class Adobe Acrobat IE Helper Version 7.0 for ActiveX Adobe Systems Incorporated c:\program files\adobe\acrobat 7.0\activex\acroiehelper.dll

+ CNavExtBho Class Norton AntiVirusNAVShellExt Module Symantec Corporation c:\program files\norton antivirus\navshext.dll

+ SpywareGuardDLBLOCK.CBrowserHelper SpywareGuard Download Protection c:\program files\spywareguard\dlprotect.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

+ spywareguard.dll SpywareGuard Protection c:\program files\spywareguard\spywareguard.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

+ AlcoholShellEx AXShlEx.dll (Not verified) Alcohol Soft Development Team c:\program files\alcohol soft\alcohol 120\axshlex.dll

+ a² Context Menu Shell Extension c:\program files\a2\a2contmenu.dll

+ Desktop Explorer NVIDIA Desktop Explorer, Version 66.81 (Not verified) NVIDIA Corporation c:\windows\system32\nvshell.dll

+ Desktop Explorer Menu NVIDIA Desktop Explorer, Version 66.81 (Not verified) NVIDIA Corporation c:\windows\system32\nvshell.dll

+ Display Panning CPL Extension File not found: deskpan.dll

+ HyperTerminal Icon Ext HyperTerminal Applet Library Hilgraeve, Inc. c:\windows\system32\hticons.dll

+ iTunes iTunes Mini Player DLL (Not verified) Apple Computer, Inc. c:\program files\itunes\itunesminiplayer.dll

+ My Digital Camera CAMVIEW DLL (Not verified) FotoNation Inc. c:\program files\photodeluxe he 3.0\fotonation explorer\camview.dll

+ NvCpl DesktopContext Class NVIDIA Display Properties Extension NVIDIA Corporation c:\windows\system32\nvcpl.dll

+ nView Desktop Context Menu NVIDIA Desktop Explorer, Version 66.81 (Not verified) NVIDIA Corporation c:\windows\system32\nvshell.dll

+ Play on my TV helper NVIDIA Display Properties Extension NVIDIA Corporation c:\windows\system32\nvcpl.dll

+ QuickSFV Shell Extension QuickSFV Shell Extension (Not verified) Mercedes c:\program files\quicksfv1\qsfvshll.dll

+ Shell Extension for CDRW UDF Shell Extension DLL (Not verified) Ahead Software AG c:\program files\ahead\incd\incdshx.dll

+ spywareguard.dll SpywareGuard Protection c:\program files\spywareguard\spywareguard.dll

+ WinRAR shell extension c:\program files\winrar\rarext.dll

+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing, Inc. c:\program files\winzip\wzshlstb.dll

+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing, Inc. c:\program files\winzip\wzshlstb.dll

+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing, Inc. c:\program files\winzip\wzshlstb.dll

+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing, Inc. c:\program files\winzip\wzshlstb.dll

HKLM\Software\Microsoft\Internet Explorer\Toolbar

+ Norton AntiVirus Norton AntiVirusNAVShellExt Module Symantec Corporation c:\program files\norton antivirus\navshext.dll

Is it looking any better?
karen

ECA
02-18-2005, 10:51 AM
+ LOG ROAM HELP WAY c:\documents and settings\all users\application data\cashfastlogroam\itch soft.exe

+ SpyBlocs File not found: C:\Program Files\SpyBlocs\SpyBlocs.exe
NOT A REAL SPYWARE PROGRAM

+ LOG ROAM HELP WAY c:\documents and settings\all users\application data\cashfastlogroam\itch soft.exe

+ gHEayU8P File not found: C:\WINDOWS\pymdsb.exe
Can't find info on this file...... It's NOT windows... I would FIND it and rename it OLDpymdsb.exe...and see what happens..

These are what I found here...NONE of this is related to windows...
Night Owl, what do you think....Between these 2 programs...use BOTH???


O4 - Global Startup: Image Transfer.lnk = ?

O4 - HKLM\..\Run: [gHEayU8P] C:\WINDOWS\pymdsb.exe

O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
O4 - HKLM\..\Run: [LOG ROAM HELP WAY] C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\ITCH SOFT.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/

C:\Program Files\Warez P2P Client\warez.exe
BAD, NEVER run this software, it has backdoors INTO YOUR SYSTEM..THERE is NO clean P2P software...Use NEWSGROUPS...much safer..

USE add/remove programs, to remove those you can...
Others, do a system search for: all files, ALL folders, ALL extensions and inside SYSTEM/windows folders.. Erase what you can...then use HijackThis to kill what it has, and then in AUTORUNS...
RESET,rerun, repost...thanks..

nightowl
02-18-2005, 12:47 PM
Reboot to Safe Mode

Delete these Files and or Folders

C:\Program Files\Warez P2P Client\warez.exe
C:\Program Files\SpyBlocs\SpyBlocs.exe

I think this is a Trojan, it keeps reloading

C:\WINDOWS\pymdsb.exe

rename it so it looks like this: pymdsb.old

Put in Recycle Bin

Still in Safe Mode, place a check next to each of these and click Fix Checked.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.reset.net.au:8080
O4 - HKLM\..\Run: [SpyBlocs] C:\Program Files\SpyBlocs\SpyBlocs.exe
O4 - HKLM\..\Run: [LOG ROAM HELP WAY] C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\ITCH SOFT.exe
O4 - HKLM\..\Run: [gHEayU8P] C:\WINDOWS\pymdsb.exe


Empty Recycle Bin and Post a new log........Jim
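The triage the helpers are doing by eye in this thread (a Run value with a random-looking name, startup items and BHOs that load from under Application Data, a search page redirected to an unfamiliar host, a proxy set on the machine, name servers that deserve a second look) can be scripted for a first pass over a HijackThis log. The Python below is an added example and is not part of the thread, nor HijackThis or Autoruns code; the allowlist of search hosts and the list of profile directories are assumptions, and the sample lines are copied from the logs posted above, with one benign line kept as a control.

```python
"""Heuristic first-pass triage of HijackThis log lines (added example, not HijackThis code)."""
import re

# Hosts the owner recognises as their own search/start page (assumed allowlist).
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.msn.com"}

# Directories a startup item or BHO should rarely run from (assumed list; lower-case).
PROFILE_DIRS = ("\\documents and settings\\", "\\docume~1\\",
                "\\application data\\", "\\applic~1\\")

O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
R_RE = re.compile(r"^R[01] - (?P<key>.+?),(?P<value>[^=]+) = (?P<data>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.*)$")

# Settings whose value is a URL the user should recognise.
URL_SETTINGS = {"Search Bar", "Start Page", "CustomizeSearch", "SearchAssistant", "Default_Page_URL"}


def looks_random(name: str) -> bool:
    """True for value names like 'gHEayU8P': one token with digits and repeated case flips."""
    if " " in name or len(name) < 6:
        return False
    letters = [c for c in name if c.isalpha()]
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return any(c.isdigit() for c in name) and flips >= 2


def host_of(url: str) -> str:
    """Host part of an http(s) URL, lower-cased; non-URLs are returned as-is."""
    m = re.match(r"https?://([^/]+)", url.strip())
    return m.group(1).lower() if m else url.strip().lower()


def triage_line(line: str):
    """Return [(severity, reason), ...] for one log line; [] means nothing stood out."""
    line = line.strip()
    findings = []
    m = R_RE.match(line)
    if m:
        value, data = m.group("value").strip(), m.group("data").strip()
        if value == "ProxyServer" and data:
            findings.append(("review", f"proxy configured: {data}"))
        elif value in URL_SETTINGS and host_of(data) not in KNOWN_SEARCH_HOSTS:
            findings.append(("high", f"browser setting '{value}' points at {host_of(data)}"))
        return findings
    m = O4_RE.match(line)
    if m:
        name, cmd = m.group("name"), m.group("cmd").lower()
        if any(d in cmd for d in PROFILE_DIRS):
            findings.append(("high", f"Run entry '{name}' starts a program from a user profile directory"))
        if looks_random(name):
            findings.append(("high", f"Run value name '{name}' looks randomly generated"))
        return findings
    m = O2_RE.match(line)
    if m:
        name, path = m.group("name"), m.group("path").lower()
        if name == "(no name)" or any(d in path for d in PROFILE_DIRS):
            findings.append(("high", f"BHO {{{m.group('clsid')}}} is unnamed or loads from a profile directory"))
        return findings
    m = O17_RE.match(line)
    if m:
        findings.append(("review", f"DNS servers set to {m.group('servers')}; confirm they belong to the ISP"))
    return findings


def triage(log_text: str):
    """Triage a whole log; returns [(line, severity, reason), ...] for flagged lines only."""
    out = []
    for raw in log_text.splitlines():
        for sev, why in triage_line(raw):
            out.append((raw.strip(), sev, why))
    return out


# Sample input: lines copied from the logs posted in this thread (NAV Helper and
# iTunesHelper are benign controls and should produce no finding).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.reset.net.au:8080
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {9A5BFAD1-35B6-036F-E29C-66E52CD96E04} - C:\DOCUME~1\KAREN~1.REE\APPLIC~1\STOREM~1\rect barb.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [LOG ROAM HELP WAY] C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\ITCH SOFT.exe
O4 - HKLM\..\Run: [gHEayU8P] C:\WINDOWS\pymdsb.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{424AC613-C17A-4E24-BAD2-A87DBE7EC3A6}: NameServer = 210.80.58.34 210.80.58.42
"""

if __name__ == "__main__":
    for line, sev, why in triage(SAMPLE_LOG):
        print(f"[{sev}] {why}\n    {line}")
```

Run against the sample it flags six of the eight lines and leaves the two controls alone. The `looks_random` check is deliberately narrow: names such as "LOG ROAM HELP WAY" or "Four Bind" in this thread are dictionary words with spaces and are caught instead by the profile-directory check, which is the more reliable signal. A proxy or name-server line is marked "review" rather than "high" because both can be legitimate ISP settings; the point is to make sure someone looks.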

joyacacia
02-18-2005, 11:32 PM
Hi there, I removed Warez, searched for c:\windows\pymdsb.exe but no file found. Log file:

Logfile of HijackThis v1.99.0
Scan saved at 6:21:28 PM, on 19/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\a2\a2guard.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SpywareGuard\sgbhp.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Karen.REEDMAN\Desktop\spyware\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.agqlylrgnnhpzoejz.com/eQ7JEMmzpXr25hmdOId3sVeW9i20dDV8vNkoDTM07TCt6WWBX3LzT_eNFaXfIIBh.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB002" /M "Stylus C45"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~3\Ad-Watch.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mswspl] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [LOG ROAM HELP WAY] C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\ITCH SOFT.exe
O4 - HKLM\..\Run: [gHEayU8P] C:\WINDOWS\pymdsb.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Image Transfer.lnk = ?
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientInstall/10.20.0002/OCI/setup.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{424AC613-C17A-4E24-BAD2-A87DBE7EC3A6}: NameServer = 210.80.58.34 210.80.58.42
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InCD Helper - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Internet Security Accounts Manager - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
O23 - Service: Sandra Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

Spybot check clear but Ad-Aware showing LOP, browser still being hijacked.
thanks,
karen

ECA
02-18-2005, 11:53 PM
O4 - HKLM\..\Run: [LOG ROAM HELP WAY] C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\ITCH SOFT.exe
O4 - HKLM\..\Run: [gHEayU8P] C:\WINDOWS\pymdsb.exe

REALLY gotta find these 2..
Did you go to TOOLS, under search, and select the options NOT TO HIDE STUFF.
Tools, Options, View...
Display compressed
show hidden folders and files
DON'T hide known extensions
DON'T HIDE operating system files..

In the windows DIR, everything is considered HIDDEN...

nightowl
02-19-2005, 12:06 AM
When you search

Click Search, then click All Files and Folders, Scroll Down and click More Advanced Options.

You should see some options to check. Make sure there is a check mark in these 3 boxes.

Search System Folders

Search Hidden Files and Folders

Search Subfolders

All 3 need to be checked, then go back and type in the file name, find the file and kill it.

After you rename and delete, empty the Recycle Bin and post a new log.


Reboot and post a new log..........jim

joyacacia
02-19-2005, 06:29 AM
Hi Jim, I'm not having much luck. Did the search as described, no files to be found, then went to regedit and searched for spyblocs and pymdsb.exe. Files came up under search assistant, dir acmru, dir 5603 and 5604, so I deleted dir acmru. I also deleted C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM, but after rebooting this has returned and will not let me delete 2 files in the directory. These are cdrom camp exe and coolfiledart. The file ITCH SOFT.exe isn't there.

here is my log
Logfile of HijackThis v1.99.0
Scan saved at 1:18:11 AM, on 20/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Lavasoft\AD-AWA~3\Ad-Watch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\a2\a2guard.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Karen.REEDMAN\Desktop\spyware\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wkarbpajzergrabfzd.net/eQ7JEMmzpXr25hmdOId3sVeW9i20dDV8vNkoDTM07TD/3VI1hZgh4ueNFaXfIIBh.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {9A5BFAD1-35B6-036F-E29C-66E52CD96E04} - C:\DOCUME~1\KAREN~1.REE\APPLIC~1\STOREM~1\rect barb.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB002" /M "Stylus C45"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~3\Ad-Watch.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mswspl] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [LOG ROAM HELP WAY] C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\ITCH SOFT.exe
O4 - HKLM\..\Run: [gHEayU8P] C:\WINDOWS\pymdsb.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Image Transfer.lnk = ?
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientInstall/10.20.0002/OCI/setup.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{424AC613-C17A-4E24-BAD2-A87DBE7EC3A6}: NameServer = 210.80.58.34 210.80.58.42
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InCD Helper - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Internet Security Accounts Manager - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
O23 - Service: Sandra Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

thanks

joyacacia
02-19-2005, 06:37 AM
hi jim, thought this might give you an idea what's going on, this is a log from adaware, sorry it's a bit long

19/02/2005 12:11:46 AM> Registry modification detected
19/02/2005 12:11:46 AM>
19/02/2005 12:11:46 AM> Root:HKEY_CURRENT_USER
19/02/2005 12:11:46 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 12:11:46 AM> Value:Four Bind
19/02/2005 12:11:46 AM> Data:
19/02/2005 12:11:46 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 12:11:46 AM>
19/02/2005 12:33:30 AM> Registry modification detected
19/02/2005 12:33:30 AM>
19/02/2005 12:33:30 AM> Root:HKEY_CURRENT_USER
19/02/2005 12:33:30 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 12:33:30 AM> Value:Four Bind
19/02/2005 12:33:30 AM> Data:
19/02/2005 12:33:30 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 12:33:30 AM>
19/02/2005 12:55:23 AM> Registry modification detected
19/02/2005 12:55:23 AM>
19/02/2005 12:55:23 AM> Root:HKEY_CURRENT_USER
19/02/2005 12:55:23 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 12:55:23 AM> Value:Four Bind
19/02/2005 12:55:23 AM> Data:
19/02/2005 12:55:23 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 12:55:23 AM>
19/02/2005 1:17:16 AM> Registry modification detected
19/02/2005 1:17:16 AM>
19/02/2005 1:17:16 AM> Root:HKEY_CURRENT_USER
19/02/2005 1:17:16 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 1:17:16 AM> Value:Four Bind
19/02/2005 1:17:16 AM> Data:
19/02/2005 1:17:16 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 1:17:16 AM>
19/02/2005 1:39:09 AM> Registry modification detected
19/02/2005 1:39:09 AM>
19/02/2005 1:39:09 AM> Root:HKEY_CURRENT_USER
19/02/2005 1:39:09 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 1:39:09 AM> Value:Four Bind
19/02/2005 1:39:09 AM> Data:
19/02/2005 1:39:09 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 1:39:09 AM>
19/02/2005 2:01:01 AM> Registry modification detected
19/02/2005 2:01:01 AM>
19/02/2005 2:01:01 AM> Root:HKEY_CURRENT_USER
19/02/2005 2:01:01 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 2:01:01 AM> Value:Four Bind
19/02/2005 2:01:01 AM> Data:
19/02/2005 2:01:01 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 2:01:01 AM>
19/02/2005 2:22:54 AM> Registry modification detected
19/02/2005 2:22:54 AM>
19/02/2005 2:22:54 AM> Root:HKEY_CURRENT_USER
19/02/2005 2:22:54 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 2:22:54 AM> Value:Four Bind
19/02/2005 2:22:54 AM> Data:
19/02/2005 2:22:54 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 2:22:54 AM>
19/02/2005 2:44:47 AM> Registry modification detected
19/02/2005 2:44:47 AM>
19/02/2005 2:44:47 AM> Root:HKEY_CURRENT_USER
19/02/2005 2:44:47 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 2:44:47 AM> Value:Four Bind
19/02/2005 2:44:47 AM> Data:
19/02/2005 2:44:47 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 2:44:47 AM>
19/02/2005 3:06:39 AM> Registry modification detected
19/02/2005 3:06:39 AM>
19/02/2005 3:06:39 AM> Root:HKEY_CURRENT_USER
19/02/2005 3:06:39 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 3:06:39 AM> Value:Four Bind
19/02/2005 3:06:39 AM> Data:
19/02/2005 3:06:39 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 3:06:39 AM>
19/02/2005 3:28:32 AM> Registry modification detected
19/02/2005 3:28:32 AM>
19/02/2005 3:28:32 AM> Root:HKEY_CURRENT_USER
19/02/2005 3:28:32 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 3:28:32 AM> Value:Four Bind
19/02/2005 3:28:32 AM> Data:
19/02/2005 3:28:32 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 3:28:32 AM>
19/02/2005 3:50:26 AM> Registry modification detected
19/02/2005 3:50:26 AM>
19/02/2005 3:50:26 AM> Root:HKEY_CURRENT_USER
19/02/2005 3:50:26 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 3:50:26 AM> Value:Four Bind
19/02/2005 3:50:26 AM> Data:
19/02/2005 3:50:26 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 3:50:26 AM>
19/02/2005 4:12:18 AM> Registry modification detected
19/02/2005 4:12:18 AM>
19/02/2005 4:12:18 AM> Root:HKEY_CURRENT_USER
19/02/2005 4:12:18 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 4:12:18 AM> Value:Four Bind
19/02/2005 4:12:18 AM> Data:
19/02/2005 4:12:18 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 4:12:18 AM>
19/02/2005 4:34:11 AM> Registry modification detected
19/02/2005 4:34:11 AM>
19/02/2005 4:34:11 AM> Root:HKEY_CURRENT_USER
19/02/2005 4:34:11 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 4:34:11 AM> Value:Four Bind
19/02/2005 4:34:11 AM> Data:
19/02/2005 4:34:11 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 4:34:11 AM>
19/02/2005 4:56:04 AM> Registry modification detected
19/02/2005 4:56:04 AM>
19/02/2005 4:56:04 AM> Root:HKEY_CURRENT_USER
19/02/2005 4:56:04 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 4:56:04 AM> Value:Four Bind
19/02/2005 4:56:04 AM> Data:
19/02/2005 4:56:04 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 4:56:04 AM>
19/02/2005 5:18:08 AM> Registry modification detected
19/02/2005 5:18:08 AM>
19/02/2005 5:18:08 AM> Root:HKEY_CURRENT_USER
19/02/2005 5:18:08 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 5:18:08 AM> Value:Four Bind
19/02/2005 5:18:08 AM> Data:
19/02/2005 5:18:08 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 5:18:08 AM>
19/02/2005 5:40:36 AM> Registry modification detected
19/02/2005 5:40:36 AM>
19/02/2005 5:40:36 AM> Root:HKEY_CURRENT_USER
19/02/2005 5:40:36 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 5:40:36 AM> Value:Four Bind
19/02/2005 5:40:36 AM> Data:
19/02/2005 5:40:36 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 5:40:36 AM>
19/02/2005 6:02:53 AM> Registry modification detected
19/02/2005 6:02:53 AM>
19/02/2005 6:02:53 AM> Root:HKEY_CURRENT_USER
19/02/2005 6:02:53 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 6:02:53 AM> Value:Four Bind
19/02/2005 6:02:53 AM> Data:
19/02/2005 6:02:53 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 6:02:53 AM>
19/02/2005 6:24:57 AM> Registry modification detected
19/02/2005 6:24:57 AM>
19/02/2005 6:24:57 AM> Root:HKEY_CURRENT_USER
19/02/2005 6:24:57 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 6:24:57 AM> Value:Four Bind
19/02/2005 6:24:57 AM> Data:
19/02/2005 6:24:57 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 6:24:57 AM>
19/02/2005 6:46:58 AM> Registry modification detected
19/02/2005 6:46:58 AM>
19/02/2005 6:46:58 AM> Root:HKEY_CURRENT_USER
19/02/2005 6:46:58 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 6:46:58 AM> Value:Four Bind
19/02/2005 6:46:58 AM> Data:
19/02/2005 6:46:58 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 6:46:58 AM>
19/02/2005 7:09:03 AM> Registry modification detected
19/02/2005 7:09:03 AM>
19/02/2005 7:09:03 AM> Root:HKEY_CURRENT_USER
19/02/2005 7:09:03 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 7:09:03 AM> Value:Four Bind
19/02/2005 7:09:03 AM> Data:
19/02/2005 7:09:03 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 7:09:03 AM>
19/02/2005 7:31:09 AM> Registry modification detected
19/02/2005 7:31:09 AM>
19/02/2005 7:31:09 AM> Root:HKEY_CURRENT_USER
19/02/2005 7:31:09 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 7:31:09 AM> Value:Four Bind
19/02/2005 7:31:09 AM> Data:
19/02/2005 7:31:09 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 7:31:09 AM>
19/02/2005 7:53:09 AM> Registry modification detected
19/02/2005 7:53:09 AM>
19/02/2005 7:53:09 AM> Root:HKEY_CURRENT_USER
19/02/2005 7:53:09 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 7:53:09 AM> Value:Four Bind
19/02/2005 7:53:09 AM> Data:
19/02/2005 7:53:09 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 7:53:09 AM>
19/02/2005 8:15:08 AM> Registry modification detected
19/02/2005 8:15:08 AM>
19/02/2005 8:15:08 AM> Root:HKEY_CURRENT_USER
19/02/2005 8:15:08 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 8:15:08 AM> Value:Four Bind
19/02/2005 8:15:08 AM> Data:
19/02/2005 8:15:08 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 8:15:08 AM>
19/02/2005 8:37:08 AM> Registry modification detected
19/02/2005 8:37:08 AM>
19/02/2005 8:37:08 AM> Root:HKEY_CURRENT_USER
19/02/2005 8:37:08 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 8:37:08 AM> Value:Four Bind
19/02/2005 8:37:08 AM> Data:
19/02/2005 8:37:08 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 8:37:08 AM>
19/02/2005 8:59:13 AM> Registry modification detected
19/02/2005 8:59:13 AM>
19/02/2005 8:59:13 AM> Root:HKEY_CURRENT_USER
19/02/2005 8:59:13 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 8:59:13 AM> Value:Four Bind
19/02/2005 8:59:13 AM> Data:
19/02/2005 8:59:13 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 8:59:13 AM>
19/02/2005 9:21:12 AM> Registry modification detected
19/02/2005 9:21:12 AM>
19/02/2005 9:21:12 AM> Root:HKEY_CURRENT_USER
19/02/2005 9:21:12 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 9:21:12 AM> Value:Four Bind
19/02/2005 9:21:12 AM> Data:
19/02/2005 9:21:12 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 9:21:12 AM>
19/02/2005 9:43:18 AM> Registry modification detected
19/02/2005 9:43:18 AM>
19/02/2005 9:43:18 AM> Root:HKEY_CURRENT_USER
19/02/2005 9:43:18 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 9:43:18 AM> Value:Four Bind
19/02/2005 9:43:18 AM> Data:
19/02/2005 9:43:18 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 9:43:18 AM>
19/02/2005 10:05:31 AM> Registry modification detected
19/02/2005 10:05:31 AM>
19/02/2005 10:05:31 AM> Root:HKEY_CURRENT_USER
19/02/2005 10:05:31 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 10:05:31 AM> Value:Four Bind
19/02/2005 10:05:31 AM> Data:
19/02/2005 10:05:31 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 10:05:31 AM>
19/02/2005 10:11:28 AM> Registry modification detected
19/02/2005 10:11:28 AM>
19/02/2005 10:11:28 AM> Root:HKEY_CURRENT_USER
19/02/2005 10:11:28 AM> Key:Software\Microsoft\Internet Explorer\Main
19/02/2005 10:11:28 AM> Value:Start Page
19/02/2005 10:11:28 AM> Data:http://talfyilmerzbgrzluexn.com/eQ7JEMmzpXojeBGgavWbtbnwGOrUSWXaAQ4vIlmOKzY.php
19/02/2005 10:11:28 AM> New Data:http://www.google.com
19/02/2005 10:11:28 AM>
19/02/2005 10:11:40 AM> Registry modification detected
19/02/2005 10:11:40 AM>
19/02/2005 10:11:40 AM> Root:HKEY_CURRENT_USER
19/02/2005 10:11:40 AM> Key:Software\Microsoft\Internet Explorer\Main
19/02/2005 10:11:40 AM> Value:Start Page
19/02/2005 10:11:40 AM> Data:http://talfyilmerzbgrzluexn.com/eQ7JEMmzpXojeBGgavWbtbnwGOrUSWXaAQ4vIlmOKzY.php
19/02/2005 10:11:40 AM> New Data:http://www.google.com
19/02/2005 10:11:40 AM>
19/02/2005 10:11:43 AM> Registry modification detected
19/02/2005 10:11:43 AM>
19/02/2005 10:11:43 AM> Root:HKEY_CURRENT_USER
19/02/2005 10:11:43 AM> Key:Software\Microsoft\Internet Explorer\Main
19/02/2005 10:11:43 AM> Value:Start Page
19/02/2005 10:11:43 AM> Data:http://talfyilmerzbgrzluexn.com/eQ7JEMmzpXojeBGgavWbtbnwGOrUSWXaAQ4vIlmOKzY.php
19/02/2005 10:11:43 AM> New Data:http://www.google.com
19/02/2005 10:11:43 AM>
19/02/2005 10:31:45 AM> Registry modification detected
19/02/2005 10:31:45 AM>
19/02/2005 10:31:45 AM> Root:HKEY_CURRENT_USER
19/02/2005 10:31:45 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 10:31:45 AM> Value:Four Bind
19/02/2005 10:31:45 AM> Data:
19/02/2005 10:31:45 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 10:31:45 AM>
19/02/2005 12:43:30 PM> Registry modification detected
19/02/2005 12:43:30 PM>
19/02/2005 12:43:30 PM> Root:HKEY_LOCAL_MACHINE
19/02/2005 12:43:30 PM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 12:43:30 PM> Value:mswspl
19/02/2005 12:43:30 PM> Data:SOUNDMAN.EXE
19/02/2005 12:43:30 PM> New Data:
19/02/2005 12:43:30 PM>
19/02/2005 12:43:31 PM> Registry modification detected
19/02/2005 12:43:31 PM>
19/02/2005 12:43:31 PM> Root:HKEY_LOCAL_MACHINE
19/02/2005 12:43:31 PM> Key:Software\Microsoft\Internet Explorer\Search
19/02/2005 12:43:31 PM> Value:CustomizeSearch
19/02/2005 12:43:31 PM> Data:http://minisearch.startnow.com/
19/02/2005 12:43:31 PM> New Data:http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
19/02/2005 12:43:31 PM>
19/02/2005 12:43:33 PM> Registry modification detected
19/02/2005 12:43:33 PM>
19/02/2005 12:43:33 PM> Root:HKEY_LOCAL_MACHINE
19/02/2005 12:43:33 PM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 12:43:33 PM> Value:DAEMON Tools-1033
19/02/2005 12:43:33 PM> Data:"C:\Program Files\D-Tools\daemon.exe" -lang 1033
19/02/2005 12:43:33 PM> New Data:
19/02/2005 12:43:33 PM>
19/02/2005 12:43:33 PM> Registry modification detected
19/02/2005 12:43:33 PM>
19/02/2005 12:43:33 PM> Root:HKEY_LOCAL_MACHINE
19/02/2005 12:43:33 PM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 12:43:33 PM> Value:SpyBlocs
19/02/2005 12:43:33 PM> Data:C:\Program Files\SpyBlocs\SpyBlocs.exe
19/02/2005 12:43:33 PM> New Data:
19/02/2005 12:43:33 PM>
19/02/2005 12:43:34 PM> Registry modification detected
19/02/2005 12:43:34 PM>
19/02/2005 12:43:34 PM> Root:HKEY_LOCAL_MACHINE
19/02/2005 12:43:34 PM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 12:43:34 PM> Value:LOG ROAM HELP WAY
19/02/2005 12:43:34 PM> Data:C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\ITCH SOFT.exe
19/02/2005 12:43:34 PM> New Data:
19/02/2005 12:43:34 PM>
19/02/2005 12:43:34 PM> Registry modification detected
19/02/2005 12:43:34 PM>
19/02/2005 12:43:34 PM> Root:HKEY_LOCAL_MACHINE
19/02/2005 12:43:34 PM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 12:43:34 PM> Value:gHEayU8P
19/02/2005 12:43:34 PM> Data:C:\WINDOWS\pymdsb.exe
19/02/2005 12:43:34 PM> New Data:
19/02/2005 12:43:34 PM>
19/02/2005 1:26:02 PM> Registry modification detected
19/02/2005 1:26:02 PM>
19/02/2005 1:26:02 PM> Root:HKEY_CURRENT_USER
19/02/2005 1:26:02 PM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 1:26:02 PM> Value:Four Bind
19/02/2005 1:26:02 PM> Data:
19/02/2005 1:26:02 PM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 1:26:02 PM>
19/02/2005 3:52:08 PM> Registry modification detected
19/02/2005 3:52:08 PM>
19/02/2005 3:52:08 PM> Root:HKEY_CURRENT_USER
19/02/2005 3:52:08 PM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 3:52:08 PM> Value:Four Bind
19/02/2005 3:52:08 PM> Data:
19/02/2005 3:52:08 PM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 3:52:08 PM>
19/02/2005 4:11:50 PM> Tracking cookie blocked.
19/02/2005 4:11:50 PM> Last Sync Time: 19/02/2005 4:11:46 PM
19/02/2005 4:11:50 PM> Name: Cookie:karen@revenue.net/
19/02/2005 4:11:50 PM> Size: 166 Bytes.
19/02/2005 4:11:50 PM> Hits: 1
19/02/2005 4:11:50 PM> UseCount: 0
19/02/2005 4:11:50 PM> Expires: 10/06/2022 4:05:42 PM
19/02/2005 4:11:50 PM>
19/02/2005 5:16:00 PM> Popup blocked (http://w.00fun.com/w.php?s=00fun&p=3536.html&e=c3dlZXRrYXR0eXBpZUBob3RtYWlsLmNvbQ== - Microsoft Internet Explorer)
19/02/2005 5:16:00 PM> 19/02/2005 5:16:00 PM: Popup blocked "http://w.00fun.com/w.php?s=00fun&p=3536.html&e=c3dlZXRrYXR0eXBpZUBob3RtYWlsLmNvbQ== - Microsoft Internet Explorer"
19/02/2005 5:16:00 PM> Browser event
19/02/2005 5:16:00 PM> Parentprocess:
19/02/2005 5:16:00 PM> "http://w.00fun.com/w.php?s=00fun&p=3536.html&e=c3dlZXRrYXR0eXBpZUBob3RtYWlsLmNvbQ== - Microsoft Internet Explorer"
19/02/2005 5:16:00 PM> Handle:399441920
19/02/2005 5:16:00 PM> Classname:WorkerW
19/02/2005 5:16:00 PM>
19/02/2005 5:16:51 PM> Popup blocked (http://w.00fun.com/w.php?s=00fun&p=3536.html&e=c3dlZXRrYXR0eXBpZUBob3RtYWlsLmNvbQ== - Microsoft Internet Explorer)
19/02/2005 5:16:51 PM> 19/02/2005 5:16:51 PM: Popup blocked "http://w.00fun.com/w.php?s=00fun&p=3536.html&e=c3dlZXRrYXR0eXBpZUBob3RtYWlsLmNvbQ== - Microsoft Internet Explorer"
19/02/2005 5:16:51 PM> Browser event
19/02/2005 5:16:51 PM> Parentprocess:
19/02/2005 5:16:51 PM> "http://w.00fun.com/w.php?s=00fun&p=3536.html&e=c3dlZXRrYXR0eXBpZUBob3RtYWlsLmNvbQ== - Microsoft Internet Explorer"
19/02/2005 5:16:51 PM> Handle:399441920
19/02/2005 5:16:51 PM> Classname:WorkerW
19/02/2005 5:16:51 PM>
19/02/2005 5:17:06 PM> Popup blocked (http://w.00fun.com/w.php?s=00fun&p=3536.html&e=c3dlZXRrYXR0eXBpZUBob3RtYWlsLmNvbQ== - Microsoft Internet Explorer)
19/02/2005 5:17:06 PM> 19/02/2005 5:17:06 PM: Popup blocked "http://w.00fun.com/w.php?s=00fun&p=3536.html&e=c3dlZXRrYXR0eXBpZUBob3RtYWlsLmNvbQ== - Microsoft Internet Explorer"
19/02/2005 5:17:06 PM> Browser event
19/02/2005 5:17:06 PM> Parentprocess:
19/02/2005 5:17:06 PM> "http://w.00fun.com/w.php?s=00fun&p=3536.html&e=c3dlZXRrYXR0eXBpZUBob3RtYWlsLmNvbQ== - Microsoft Internet Explorer"
19/02/2005 5:17:06 PM> Handle:399441920
19/02/2005 5:17:06 PM> Classname:WorkerW
19/02/2005 5:17:06 PM>
19/02/2005 6:11:58 PM> Registry modification detected
19/02/2005 6:11:58 PM>
19/02/2005 6:11:58 PM> Root:HKEY_LOCAL_MACHINE
19/02/2005 6:11:58 PM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 6:11:58 PM> Value:SpyBlocs
19/02/2005 6:11:58 PM> Data:C:\Program Files\SpyBlocs\SpyBlocs.exe
19/02/2005 6:11:58 PM> New Data:
19/02/2005 6:11:58 PM>
19/02/2005 6:12:01 PM> Registry modification detected
19/02/2005 6:12:01 PM>
19/02/2005 6:12:01 PM> Root:HKEY_LOCAL_MACHINE
19/02/2005 6:12:01 PM> Key:Software\Microsoft\Internet Explorer\Search
19/02/2005 6:12:01 PM> Value:CustomizeSearch
19/02/2005 6:12:01 PM> Data:http://minisearch.startnow.com/
19/02/2005 6:12:01 PM> New Data:http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
19/02/2005 6:12:01 PM>
19/02/2005 6:20:01 PM> Registry modification detected
19/02/2005 6:20:01 PM>
19/02/2005 6:20:01 PM> Root:HKEY_CURRENT_USER
19/02/2005 6:20:01 PM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 6:20:01 PM> Value:Four Bind
19/02/2005 6:20:01 PM> Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 6:20:01 PM> New Data:
19/02/2005 6:20:01 PM>
19/02/2005 8:59:22 PM> Registry modification detected
19/02/2005 8:59:22 PM>
19/02/2005 8:59:22 PM> Root:HKEY_CURRENT_USER
19/02/2005 8:59:22 PM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 8:59:22 PM> Value:Four Bind
19/02/2005 8:59:22 PM> Data:
19/02/2005 8:59:22 PM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 8:59:22 PM>
19/02/2005 10:47:37 PM> Registry modification detected
19/02/2005 10:47:37 PM>
19/02/2005 10:47:37 PM> Root:HKEY_CURRENT_USER
19/02/2005 10:47:37 PM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 10:47:37 PM> Value:Four Bind
19/02/2005 10:47:37 PM> Data:
19/02/2005 10:47:37 PM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 10:47:37 PM>
19/02/2005 10:56:28 PM> Registry modification detected
19/02/2005 10:56:28 PM>
19/02/2005 10:56:28 PM> Root:HKEY_CURRENT_USER
19/02/2005 10:56:28 PM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 10:56:28 PM> Value:Four Bind
19/02/2005 10:56:28 PM> Data:
19/02/2005 10:56:28 PM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 10:56:28 PM>
20/02/2005 12:56:38 AM> Registry modification detected
20/02/2005 12:56:38 AM>
20/02/2005 12:56:38 AM> Root:HKEY_LOCAL_MACHINE
20/02/2005 12:56:38 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
20/02/2005 12:56:38 AM> Value:mswspl
20/02/2005 12:56:38 AM> Data:SOUNDMAN.EXE
20/02/2005 12:56:38 AM> New Data:
20/02/2005 12:56:38 AM>
20/02/2005 12:56:46 AM> Registry modification detected
20/02/2005 12:56:46 AM>
20/02/2005 12:56:46 AM> Root:HKEY_LOCAL_MACHINE
20/02/2005 12:56:46 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
20/02/2005 12:56:46 AM> Value:DAEMON Tools-1033
20/02/2005 12:56:46 AM> Data:"C:\Program Files\D-Tools\daemon.exe" -lang 1033
20/02/2005 12:56:46 AM> New Data:
20/02/2005 12:56:46 AM>
20/02/2005 12:56:50 AM> Registry modification detected
20/02/2005 12:56:50 AM>
20/02/2005 12:56:50 AM> Root:HKEY_LOCAL_MACHINE
20/02/2005 12:56:50 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
20/02/2005 12:56:50 AM> Value:LOG ROAM HELP WAY
20/02/2005 12:56:50 AM> Data:C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\ITCH SOFT.exe
20/02/2005 12:56:50 AM> New Data:
20/02/2005 12:56:50 AM>
20/02/2005 12:56:52 AM> Registry modification detected
20/02/2005 12:56:52 AM>
20/02/2005 12:56:52 AM> Root:HKEY_LOCAL_MACHINE
20/02/2005 12:56:52 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
20/02/2005 12:56:52 AM> Value:gHEayU8P
20/02/2005 12:56:52 AM> Data:C:\WINDOWS\pymdsb.exe
20/02/2005 12:56:52 AM> New Data:
20/02/2005 12:56:52 AM>
20/02/2005 1:00:57 AM> Registry modification detected
20/02/2005 1:00:57 AM>
20/02/2005 1:00:57 AM> Root:HKEY_CURRENT_USER
20/02/2005 1:00:57 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
20/02/2005 1:00:57 AM> Value:Four Bind
20/02/2005 1:00:57 AM> Data:
20/02/2005 1:00:57 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
20/02/2005 1:00:57 AM>
20/02/2005 1:01:06 AM> Registry modification detected
20/02/2005 1:01:06 AM>
20/02/2005 1:01:06 AM> Root:HKEY_LOCAL_MACHINE
20/02/2005 1:01:06 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
20/02/2005 1:01:06 AM> Value:LOG ROAM HELP WAY
20/02/2005 1:01:06 AM> Data:C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\ITCH SOFT.exe
20/02/2005 1:01:06 AM> New Data:C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\cdrom camp.exe
20/02/2005 1:01:06 AM>
20/02/2005 1:01:13 AM> Registry modification detected
20/02/2005 1:01:13 AM>
20/02/2005 1:01:13 AM> Root:HKEY_CURRENT_USER
20/02/2005 1:01:13 AM> Key:Software\Microsoft\Internet Explorer\Main
20/02/2005 1:01:13 AM> Value:Search Page
20/02/2005 1:01:13 AM> Data:http://www.google.com
20/02/2005 1:01:13 AM> New Data:
20/02/2005 1:01:13 AM>
20/02/2005 1:01:28 AM> Registry modification detected
20/02/2005 1:01:28 AM>
20/02/2005 1:01:28 AM> Root:HKEY_CURRENT_USER
20/02/2005 1:01:28 AM> Key:Software\Microsoft\Internet Explorer\Search
20/02/2005 1:01:28 AM> Value:SearchAssistant
20/02/2005 1:01:28 AM> Data:http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
20/02/2005 1:01:28 AM> New Data:
20/02/2005 1:01:28 AM>
20/02/2005 1:01:36 AM> Registry modification detected
20/02/2005 1:01:36 AM>
20/02/2005 1:01:36 AM> Root:HKEY_CURRENT_USER
20/02/2005 1:01:36 AM> Key:Software\Microsoft\Internet Explorer\Main
20/02/2005 1:01:36 AM> Value:Search Page
20/02/2005 1:01:36 AM> Data:http://www.google.com
20/02/2005 1:01:36 AM> New Data:
20/02/2005 1:01:36 AM>
20/02/2005 1:01:40 AM> Registry modification detected
20/02/2005 1:01:40 AM>
20/02/2005 1:01:40 AM> Root:HKEY_LOCAL_MACHINE
20/02/2005 1:01:40 AM> Key:Software\Microsoft\Internet Explorer\Main
20/02/2005 1:01:40 AM> Value:Search Page
20/02/2005 1:01:40 AM> Data:http://www.google.com
20/02/2005 1:01:40 AM> New Data:
20/02/2005 1:01:40 AM>
20/02/2005 1:01:59 AM> Registry modification detected
20/02/2005 1:01:59 AM>
20/02/2005 1:01:59 AM> Root:HKEY_CURRENT_USER
20/02/2005 1:01:59 AM> Key:Software\Microsoft\Internet Explorer\Main
20/02/2005 1:01:59 AM> Value:Start Page
20/02/2005 1:01:59 AM> Data:http://www.google.com
20/02/2005 1:01:59 AM> New Data:http://www.pxkgrnpeuxqwjamylovnb.com/eQ7JEMmzpXojeBGgavWbtTQL7JaLjVf7AQ4vIlmOKzY.html
20/02/2005 1:01:59 AM>
20/02/2005 1:02:04 AM> ===============================================
20/02/2005 1:02:04 AM> Starting New Session..
20/02/2005 1:02:04 AM> ===============================================
20/02/2005 1:02:04 AM>
20/02/2005 1:02:04 AM> DefinitionFile SE1R28 16.02.2005 loaded successfully.
20/02/2005 1:02:04 AM> File Size :1300934
20/02/2005 1:02:04 AM> Build:SE1R28 16.02.2005
20/02/2005 1:02:04 AM> Total Signatures :34787
20/02/2005 1:02:04 AM> Target Families :632
20/02/2005 1:02:04 AM> Target Categories :6
20/02/2005 1:02:04 AM> Blocked Sites :3229
20/02/2005 1:02:04 AM>
20/02/2005 1:24:49 AM> Registry modification detected
20/02/2005 1:24:49 AM>
20/02/2005 1:24:49 AM> Root:HKEY_CURRENT_USER
20/02/2005 1:24:49 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
20/02/2005 1:24:49 AM> Value:Four Bind
20/02/2005 1:24:49 AM> Data:
20/02/2005 1:24:49 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
20/02/2005 1:24:49 AM>
20/02/2005 1:27:24 AM> Registry modification detected
20/02/2005 1:27:24 AM>
20/02/2005 1:27:24 AM> Root:HKEY_CURRENT_USER
20/02/2005 1:27:24 AM> Key:Software\Microsoft\Internet Explorer\SearchUrl
20/02/2005 1:27:24 AM> Value:provider
20/02/2005 1:27:24 AM> Data:
20/02/2005 1:27:24 AM> New Data:
20/02/2005 1:27:24 AM>

thanks for helping
karen
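An added illustration, not part of this thread: the Ad-Watch log above shows the HKCU Run value "Four Bind" being written again roughly every 22 minutes, which is what a still-running process re-establishing its autorun looks like after Ad-Watch blanks the entry. The Python below (added here, with a constructed excerpt of a few of the entries above in the same log format) parses that format and reports Run values that keep coming back, with their cadence and image path.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed excerpt in the Ad-Watch log format posted above (a handful of the
# entries, not the full log); the paths are the ones that appear in the thread.
SAMPLE_LOG = r"""19/02/2005 12:11:46 AM> Registry modification detected
19/02/2005 12:11:46 AM>
19/02/2005 12:11:46 AM> Root:HKEY_CURRENT_USER
19/02/2005 12:11:46 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 12:11:46 AM> Value:Four Bind
19/02/2005 12:11:46 AM> Data:
19/02/2005 12:11:46 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 12:11:46 AM>
19/02/2005 12:33:30 AM> Registry modification detected
19/02/2005 12:33:30 AM>
19/02/2005 12:33:30 AM> Root:HKEY_CURRENT_USER
19/02/2005 12:33:30 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 12:33:30 AM> Value:Four Bind
19/02/2005 12:33:30 AM> Data:
19/02/2005 12:33:30 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 12:33:30 AM>
19/02/2005 12:55:23 AM> Registry modification detected
19/02/2005 12:55:23 AM>
19/02/2005 12:55:23 AM> Root:HKEY_CURRENT_USER
19/02/2005 12:55:23 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 12:55:23 AM> Value:Four Bind
19/02/2005 12:55:23 AM> Data:
19/02/2005 12:55:23 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\defaultcampknob.exe
19/02/2005 12:55:23 AM>
19/02/2005 12:43:33 PM> Registry modification detected
19/02/2005 12:43:33 PM>
19/02/2005 12:43:33 PM> Root:HKEY_LOCAL_MACHINE
19/02/2005 12:43:33 PM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 12:43:33 PM> Value:DAEMON Tools-1033
19/02/2005 12:43:33 PM> Data:"C:\Program Files\D-Tools\daemon.exe" -lang 1033
19/02/2005 12:43:33 PM> New Data:
19/02/2005 12:43:33 PM>
19/02/2005 4:11:50 PM> Tracking cookie blocked.
19/02/2005 4:11:50 PM> Name: Cookie:karen@revenue.net/
"""

LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)> ?(.*)$")
TS_FMT = "%d/%m/%Y %I:%M:%S %p"


def parse_events(text):
    """Registry-modification records of an Ad-Watch log as dicts (time, root, key,
    value, data, new_data).  A record runs from 'Registry modification detected'
    to the empty line after 'New Data:'; cookie and popup records are skipped."""
    events, current = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        stamp, body = m.groups()
        if body == "Registry modification detected":
            current = {"time": datetime.strptime(stamp, TS_FMT)}
            events.append(current)
        elif current is None:
            continue
        elif body == "":
            if "new_data" in current:  # the blank after New Data closes the record
                current = None
        else:
            field, _, val = body.partition(":")  # split on the first colon only
            current[field.lower().replace(" ", "_")] = val
    return events


def recurring_autoruns(events, min_writes=3):
    """Group Run-key records by (root, key, value) and return those whose value was
    written (Data empty, New Data set) at least min_writes times, with the write
    count, median minutes between writes and the image path.  A value that returns
    on a fixed cadence after Ad-Watch blanks it is being re-created by a process
    that is still running; that process and its image are what need removing."""
    writes = defaultdict(list)
    for ev in events:
        in_run_key = ev.get("key", "").lower().endswith(r"\currentversion\run")
        if in_run_key and ev.get("new_data") and not ev.get("data"):
            writes[(ev["root"], ev["key"], ev["value"])].append(ev)
    report = {}
    for ident, evs in writes.items():
        if len(evs) < min_writes:
            continue
        evs.sort(key=lambda e: e["time"])
        gaps = [(b["time"] - a["time"]).total_seconds() / 60
                for a, b in zip(evs, evs[1:])]
        report[ident] = {"writes": len(evs),
                         "median_minutes": round(median(gaps), 1),
                         "image": evs[-1]["new_data"]}
    return report


if __name__ == "__main__":
    for (root, key, value), info in recurring_autoruns(parse_events(SAMPLE_LOG)).items():
        print(f"{root}\\{key} [{value}]: written {info['writes']}x, "
              f"every ~{info['median_minutes']} min -> {info['image']}")
```

Run against the full log posted above, the same grouping also separates the one-off removals Ad-Watch made (DAEMON Tools, SpyBlocs, the LOG ROAM HELP WAY entry) from the "Four Bind" value that is rewritten on a timer.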

nightowl
02-19-2005, 11:45 AM
That ADaware scan is long. All it does is give me a headache :eww. Maybe ECA can find something on it.

hi jim, I'm not having much luck. Did the search as described, no files to be found, then went to regedit, searched for spyblocs and pymdsb.exe. Files came up under search assistant, dir acmru, dir 5603 and 5604, so I deleted dir acmru. I also deleted C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM, but after rebooting this has returned and will not let me delete 2 files in the directory. These are cdrom camp.exe and coolfiledart. The file ITCH SOFT.exe isn't there.

here is my log
Logfile of HijackThis v1.99.0
Scan saved at 1:18:11 AM, on 20/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Lavasoft\AD-AWA~3\Ad-Watch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\a2\a2guard.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Karen.REEDMAN\Desktop\spyware\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wkarbpajzergrabfzd.net/e...eNFaXfIIBh.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {9A5BFAD1-35B6-036F-E29C-66E52CD96E04} - C:\DOCUME~1\KAREN~1.REE\APPLIC~1\STOREM~1\rect barb.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB002" /M "Stylus C45"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~3\Ad-Watch.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mswspl] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [LOG ROAM HELP WAY] C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\ITCH SOFT.exe
O4 - HKLM\..\Run: [gHEayU8P] C:\WINDOWS\pymdsb.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Image Transfer.lnk = ?
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/C...2/OCI/setup.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{424AC613-C17A-4E24-BAD2-A87DBE7EC3A6}: NameServer = 210.80.58.34 210.80.58.42
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InCD Helper - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Internet Security Accounts Manager - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
O23 - Service: Sandra Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

nightowl
02-19-2005, 12:00 PM
Ok I'm gonna delete a few more things that may be causing this

Reboot To Safe Mode (tap F8 on Startup)

Place a check next to each of these and click Fix Checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wkarbpajzergrabfzd.net/e...eNFaXfIIBh.html
O2 - BHO: (no name) - {9A5BFAD1-35B6-036F-E29C-66E52CD96E04} - C:\DOCUME~1\KAREN~1.REE\APPLIC~1\STOREM~1\rect barb.exe
O4 - HKLM\..\Run: [LOG ROAM HELP WAY] C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\ITCH SOFT.exe
O4 - HKLM\..\Run: [gHEayU8P] C:\WINDOWS\pymdsb.exe
O4 - Global Startup: Image Transfer.lnk = ?
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/C...2/OCI/setup.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{424AC613-C17A-4E24-BAD2-A87DBE7EC3A6}: NameServer = 210.80.58.34 210.80.58.42

Still in Safe Mode, delete all Temporary Internet Files and Cookies, run AdAware and Spybot, delete what they find, and empty the Recycle Bin.


Then Reboot and post a new log..........Jim :eww

ECA
02-19-2005, 12:38 PM
I see all this and say...WOW, google is sending you LOTS of crap...AND they're all reg changes... Keep reading as I go thru..


19/02/2005 12:11:46 AM> Registry modification detected
19/02/2005 12:11:46 AM>
19/02/2005 12:11:46 AM> Root:HKEY_CURRENT_USER
19/02/2005 12:11:46 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 12:11:46 AM> Value:Four Bind
19/02/2005 12:11:46 AM> Data:
19/02/2005 12:11:46 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\def aultcampknob.exe
19/02/2005 12:11:46 AM>
19/02/2005 12:33:30 AM> Registry modification detected
19/02/2005 12:33:30 AM>
19/02/2005 12:33:30 AM> Root:HKEY_CURRENT_USER
19/02/2005 12:33:30 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 12:33:30 AM> Value:Four Bind
19/02/2005 12:33:30 AM> Data:
19/02/2005 12:33:30 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\def aultcampknob.exe
19/02/2005 12:33:30 AM>
19/02/2005 12:55:23 AM> Registry modification detected
19/02/2005 12:55:23 AM>
19/02/2005 12:55:23 AM> Root:HKEY_CURRENT_USER
19/02/2005 12:55:23 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 12:55:23 AM> Value:Four Bind
19/02/2005 12:55:23 AM> Data:
19/02/2005 12:55:23 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\def aultcampknob.exe
19/02/2005 12:55:23 AM>
19/02/2005 1:17:16 AM> Registry modification detected
19/02/2005 1:17:16 AM>
19/02/2005 1:17:16 AM> Root:HKEY_CURRENT_USER
19/02/2005 1:17:16 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 1:17:16 AM> Value:Four Bind
19/02/2005 1:17:16 AM> Data:
19/02/2005 1:17:16 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\def aultcampknob.exe
19/02/2005 1:17:16 AM>
19/02/2005 1:39:09 AM> Registry modification detected
19/02/2005 1:39:09 AM>
19/02/2005 1:39:09 AM> Root:HKEY_CURRENT_USER
19/02/2005 1:39:09 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 1:39:09 AM> Value:Four Bind
19/02/2005 1:39:09 AM> Data:
19/02/2005 1:39:09 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\def aultcampknob.exe
19/02/2005 1:39:09 AM>
19/02/2005 2:01:01 AM> Registry modification detected
19/02/2005 2:01:01 AM>
19/02/2005 2:01:01 AM> Root:HKEY_CURRENT_USER
19/02/2005 2:01:01 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 2:01:01 AM> Value:Four Bind
19/02/2005 2:01:01 AM> Data:
19/02/2005 2:01:01 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\def aultcampknob.exe
19/02/2005 2:01:01 AM>
19/02/2005 2:22:54 AM> Registry modification detected
19/02/2005 2:22:54 AM>
19/02/2005 2:22:54 AM> Root:HKEY_CURRENT_USER
19/02/2005 2:22:54 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 2:22:54 AM> Value:Four Bind
19/02/2005 2:22:54 AM> Data:
19/02/2005 2:22:54 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\def aultcampknob.exe
19/02/2005 2:22:54 AM>
19/02/2005 2:44:47 AM> Registry modification detected
19/02/2005 2:44:47 AM>
19/02/2005 2:44:47 AM> Root:HKEY_CURRENT_USER
19/02/2005 2:44:47 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 2:44:47 AM> Value:Four Bind
19/02/2005 2:44:47 AM> Data:
19/02/2005 2:44:47 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\def aultcampknob.exe
19/02/2005 2:44:47 AM>
19/02/2005 3:06:39 AM> Registry modification detected
19/02/2005 3:06:39 AM>
19/02/2005 3:06:39 AM> Root:HKEY_CURRENT_USER
19/02/2005 3:06:39 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 3:06:39 AM> Value:Four Bind
19/02/2005 3:06:39 AM> Data:
19/02/2005 3:06:39 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\def aultcampknob.exe
19/02/2005 3:06:39 AM>
19/02/2005 3:28:32 AM> Registry modification detected
19/02/2005 3:28:32 AM>
19/02/2005 3:28:32 AM> Root:HKEY_CURRENT_USER
19/02/2005 3:28:32 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 3:28:32 AM> Value:Four Bind
19/02/2005 3:28:32 AM> Data:
19/02/2005 3:28:32 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\def aultcampknob.exe
19/02/2005 3:28:32 AM>
19/02/2005 3:50:26 AM> Registry modification detected
19/02/2005 3:50:26 AM>
19/02/2005 3:50:26 AM> Root:HKEY_CURRENT_USER
19/02/2005 3:50:26 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 3:50:26 AM> Value:Four Bind
19/02/2005 3:50:26 AM> Data:
19/02/2005 3:50:26 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\def aultcampknob.exe
19/02/2005 3:50:26 AM>
19/02/2005 4:12:18 AM> Registry modification detected
19/02/2005 4:12:18 AM>
19/02/2005 4:12:18 AM> Root:HKEY_CURRENT_USER
19/02/2005 4:12:18 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 4:12:18 AM> Value:Four Bind
19/02/2005 4:12:18 AM> Data:
19/02/2005 4:12:18 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\def aultcampknob.exe
19/02/2005 4:12:18 AM>
19/02/2005 4:34:11 AM> Registry modification detected
19/02/2005 4:34:11 AM>
19/02/2005 4:34:11 AM> Root:HKEY_CURRENT_USER
19/02/2005 4:34:11 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 4:34:11 AM> Value:Four Bind
19/02/2005 4:34:11 AM> Data:
19/02/2005 4:34:11 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\def aultcampknob.exe
19/02/2005 4:34:11 AM>
19/02/2005 4:56:04 AM> Registry modification detected
19/02/2005 4:56:04 AM>
19/02/2005 4:56:04 AM> Root:HKEY_CURRENT_USER
19/02/2005 4:56:04 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 4:56:04 AM> Value:Four Bind
19/02/2005 4:56:04 AM> Data:
19/02/2005 4:56:04 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\def aultcampknob.exe
19/02/2005 4:56:04 AM>
19/02/2005 5:18:08 AM> Registry modification detected
19/02/2005 5:18:08 AM>
19/02/2005 5:18:08 AM> Root:HKEY_CURRENT_USER
19/02/2005 5:18:08 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 5:18:08 AM> Value:Four Bind
19/02/2005 5:18:08 AM> Data:
19/02/2005 5:18:08 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\def aultcampknob.exe
19/02/2005 5:18:08 AM>
19/02/2005 5:40:36 AM> Registry modification detected
19/02/2005 5:40:36 AM>
19/02/2005 5:40:36 AM> Root:HKEY_CURRENT_USER
19/02/2005 5:40:36 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 5:40:36 AM> Value:Four Bind
19/02/2005 5:40:36 AM> Data:
19/02/2005 5:40:36 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\def aultcampknob.exe
19/02/2005 5:40:36 AM>
19/02/2005 6:02:53 AM> Registry modification detected
19/02/2005 6:02:53 AM>
19/02/2005 6:02:53 AM> Root:HKEY_CURRENT_USER
19/02/2005 6:02:53 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 6:02:53 AM> Value:Four Bind
19/02/2005 6:02:53 AM> Data:
19/02/2005 6:02:53 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\def aultcampknob.exe
19/02/2005 6:02:53 AM>
19/02/2005 6:24:57 AM> Registry modification detected
19/02/2005 6:24:57 AM>
19/02/2005 6:24:57 AM> Root:HKEY_CURRENT_USER
19/02/2005 6:24:57 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 6:24:57 AM> Value:Four Bind
19/02/2005 6:24:57 AM> Data:
19/02/2005 6:24:57 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\def aultcampknob.exe
19/02/2005 6:24:57 AM>
19/02/2005 6:46:58 AM> Registry modification detected
19/02/2005 6:46:58 AM>
19/02/2005 6:46:58 AM> Root:HKEY_CURRENT_USER
19/02/2005 6:46:58 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 6:46:58 AM> Value:Four Bind
19/02/2005 6:46:58 AM> Data:
19/02/2005 6:46:58 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\def aultcampknob.exe
19/02/2005 6:46:58 AM>
19/02/2005 7:09:03 AM> Registry modification detected
19/02/2005 7:09:03 AM>
19/02/2005 7:09:03 AM> Root:HKEY_CURRENT_USER
19/02/2005 7:09:03 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 7:09:03 AM> Value:Four Bind
19/02/2005 7:09:03 AM> Data:
19/02/2005 7:09:03 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\def aultcampknob.exe
19/02/2005 7:09:03 AM>
19/02/2005 7:31:09 AM> Registry modification detected
19/02/2005 7:31:09 AM>
19/02/2005 7:31:09 AM> Root:HKEY_CURRENT_USER
19/02/2005 7:31:09 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 7:31:09 AM> Value:Four Bind
19/02/2005 7:31:09 AM> Data:
19/02/2005 7:31:09 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\def aultcampknob.exe
19/02/2005 7:31:09 AM>
19/02/2005 7:53:09 AM> Registry modification detected
19/02/2005 7:53:09 AM>
19/02/2005 7:53:09 AM> Root:HKEY_CURRENT_USER
19/02/2005 7:53:09 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 7:53:09 AM> Value:Four Bind
19/02/2005 7:53:09 AM> Data:
19/02/2005 7:53:09 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\def aultcampknob.exe
19/02/2005 7:53:09 AM>
19/02/2005 8:15:08 AM> Registry modification detected
19/02/2005 8:15:08 AM>
19/02/2005 8:15:08 AM> Root:HKEY_CURRENT_USER
19/02/2005 8:15:08 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 8:15:08 AM> Value:Four Bind
19/02/2005 8:15:08 AM> Data:
19/02/2005 8:15:08 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\def aultcampknob.exe
19/02/2005 8:15:08 AM>
19/02/2005 8:37:08 AM> Registry modification detected
19/02/2005 8:37:08 AM>
19/02/2005 8:37:08 AM> Root:HKEY_CURRENT_USER
19/02/2005 8:37:08 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 8:37:08 AM> Value:Four Bind
19/02/2005 8:37:08 AM> Data:
19/02/2005 8:37:08 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\def aultcampknob.exe
19/02/2005 8:37:08 AM>
19/02/2005 8:59:13 AM> Registry modification detected
19/02/2005 8:59:13 AM>
19/02/2005 8:59:13 AM> Root:HKEY_CURRENT_USER
19/02/2005 8:59:13 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 8:59:13 AM> Value:Four Bind
19/02/2005 8:59:13 AM> Data:
19/02/2005 8:59:13 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\def aultcampknob.exe
19/02/2005 8:59:13 AM>
19/02/2005 9:21:12 AM> Registry modification detected
19/02/2005 9:21:12 AM>
19/02/2005 9:21:12 AM> Root:HKEY_CURRENT_USER
19/02/2005 9:21:12 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 9:21:12 AM> Value:Four Bind
19/02/2005 9:21:12 AM> Data:
19/02/2005 9:21:12 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\def aultcampknob.exe
19/02/2005 9:21:12 AM>
19/02/2005 9:43:18 AM> Registry modification detected
19/02/2005 9:43:18 AM>
19/02/2005 9:43:18 AM> Root:HKEY_CURRENT_USER
19/02/2005 9:43:18 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 9:43:18 AM> Value:Four Bind
19/02/2005 9:43:18 AM> Data:
19/02/2005 9:43:18 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\def aultcampknob.exe
19/02/2005 9:43:18 AM>
19/02/2005 10:05:31 AM> Registry modification detected
19/02/2005 10:05:31 AM>
19/02/2005 10:05:31 AM> Root:HKEY_CURRENT_USER
19/02/2005 10:05:31 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 10:05:31 AM> Value:Four Bind
19/02/2005 10:05:31 AM> Data:
19/02/2005 10:05:31 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\def aultcampknob.exe
19/02/2005 10:05:31 AM>
19/02/2005 10:11:28 AM> Registry modification detected
19/02/2005 10:11:28 AM>
19/02/2005 10:11:28 AM> Root:HKEY_CURRENT_USER
19/02/2005 10:11:28 AM> Key:Software\Microsoft\Internet Explorer\Main
19/02/2005 10:11:28 AM> Value:Start Page
19/02/2005 10:11:28 AM> Data:http://talfyilmerzbgrzluexn.com/eQ7...AQ4vIlmOKzY.php
19/02/2005 10:11:28 AM> New Data:http://www.google.com
19/02/2005 10:11:28 AM>
19/02/2005 10:11:40 AM> Registry modification detected
19/02/2005 10:11:40 AM>
19/02/2005 10:11:40 AM> Root:HKEY_CURRENT_USER
19/02/2005 10:11:40 AM> Key:Software\Microsoft\Internet Explorer\Main
19/02/2005 10:11:40 AM> Value:Start Page
19/02/2005 10:11:40 AM> Data:http://talfyilmerzbgrzluexn.com/eQ7...AQ4vIlmOKzY.php
19/02/2005 10:11:40 AM> New Data:http://www.google.com
19/02/2005 10:11:40 AM>
19/02/2005 10:11:43 AM> Registry modification detected
19/02/2005 10:11:43 AM>
19/02/2005 10:11:43 AM> Root:HKEY_CURRENT_USER
19/02/2005 10:11:43 AM> Key:Software\Microsoft\Internet Explorer\Main
19/02/2005 10:11:43 AM> Value:Start Page
19/02/2005 10:11:43 AM> Data:http://talfyilmerzbgrzluexn.com/eQ7...AQ4vIlmOKzY.php
19/02/2005 10:11:43 AM> New Data:http://www.google.com
19/02/2005 10:11:43 AM>
19/02/2005 10:31:45 AM> Registry modification detected
19/02/2005 10:31:45 AM>
19/02/2005 10:31:45 AM> Root:HKEY_CURRENT_USER
19/02/2005 10:31:45 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 10:31:45 AM> Value:Four Bind
19/02/2005 10:31:45 AM> Data:
19/02/2005 10:31:45 AM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\def aultcampknob.exe
19/02/2005 10:31:45 AM>

NIGHTOWL...Look...see it??

19/02/2005 12:43:31 PM> Registry modification detected
19/02/2005 12:43:31 PM>
19/02/2005 12:43:31 PM> Root:HKEY_LOCAL_MACHINE
19/02/2005 12:43:31 PM> Key:Software\Microsoft\Internet Explorer\Search
19/02/2005 12:43:31 PM> Value:CustomizeSearch
19/02/2005 12:43:31 PM> Data:http://minisearch.startnow.com/
19/02/2005 12:43:31 PM> New Data:http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
19/02/2005 12:43:31 PM>

THIS is the stuff reloading...
SpyBlocs is still loading

19/02/2005 12:43:33 PM> Root:HKEY_LOCAL_MACHINE
19/02/2005 12:43:33 PM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 12:43:33 PM> Value:SpyBlocs
19/02/2005 12:43:33 PM> Data:C:\Program Files\SpyBlocs\SpyBlocs.exe
19/02/2005 12:43:33 PM> New Data:
19/02/2005 12:43:33 PM>
19/02/2005 12:43:34 PM> Registry modification detected
19/02/2005 12:43:34 PM>
19/02/2005 12:43:34 PM> Root:HKEY_LOCAL_MACHINE
19/02/2005 12:43:34 PM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 12:43:34 PM> Value:LOG ROAM HELP WAY
19/02/2005 12:43:34 PM> Data:C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\ITCH SOFT.exe
19/02/2005 12:43:34 PM> New Data:
19/02/2005 12:43:34 PM>
19/02/2005 12:43:34 PM> Registry modification detected
19/02/2005 12:43:34 PM>
19/02/2005 12:43:34 PM> Root:HKEY_LOCAL_MACHINE
19/02/2005 12:43:34 PM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 12:43:34 PM> Value:gHEayU8P
19/02/2005 12:43:34 PM> Data:C:\WINDOWS\pymdsb.exe
19/02/2005 12:43:34 PM> New Data:
19/02/2005 12:43:34 PM>
19/02/2005 1:26:02 PM> Registry modification detected
19/02/2005 1:26:02 PM>
19/02/2005 1:26:02 PM> Root:HKEY_CURRENT_USER
19/02/2005 1:26:02 PM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 1:26:02 PM> Value:Four Bind
19/02/2005 1:26:02 PM> Data:
19/02/2005 1:26:02 PM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\def aultcampknob.exe
19/02/2005 1:26:02 PM>
19/02/2005 3:52:08 PM> Registry modification detected
19/02/2005 3:52:08 PM>
19/02/2005 3:52:08 PM> Root:HKEY_CURRENT_USER
19/02/2005 3:52:08 PM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 3:52:08 PM> Value:Four Bind
19/02/2005 3:52:08 PM> Data:
19/02/2005 3:52:08 PM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\def aultcampknob.exe
19/02/2005 3:52:08 PM>

And this is ALL repeated several times...
Did you turn on TEATIMER??? In Spybot: Advanced, Tools, RESIDENT???
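
The pattern ECA is pointing at (the same HKCU Run value re-created every twenty-odd minutes) can be checked mechanically rather than by eye. The script below is an added example for this thread, not code from Ad-Aware, HijackThis, Spybot or any other tool named here: it parses Ad-Watch style "Registry modification detected" blocks, classifies each one as an add, a removal or a change, and flags autorun values that keep being re-added at a steady interval. The log text in it is constructed for the example; the key and the "Four Bind" value name mirror the thread, but the timestamps, user directory and file name are illustrative.

```python
"""Flag autorun registry values that keep getting re-created, from Ad-Watch
style "Registry modification detected" blocks like those quoted in this thread.
Added example for the thread, not code from any tool named in it."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: the key and the "Four Bind" value name mirror the thread;
# timestamps, user directory and file name are illustrative. The last block has
# no "Registry modification detected" header, as one snippet in the thread.
SAMPLE_LOG = r"""19/02/2005 12:11:46 AM> Registry modification detected
19/02/2005 12:11:46 AM>
19/02/2005 12:11:46 AM> Root:HKEY_CURRENT_USER
19/02/2005 12:11:46 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 12:11:46 AM> Value:Four Bind
19/02/2005 12:11:46 AM> Data:
19/02/2005 12:11:46 AM> New Data:C:\DOCUME~1\USER~1\APPLIC~1\DUPEMA~1\sample.exe
19/02/2005 12:33:30 AM> Registry modification detected
19/02/2005 12:33:30 AM> Root:HKEY_CURRENT_USER
19/02/2005 12:33:30 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 12:33:30 AM> Value:Four Bind
19/02/2005 12:33:30 AM> Data:
19/02/2005 12:33:30 AM> New Data:C:\DOCUME~1\USER~1\APPLIC~1\DUPEMA~1\sample.exe
19/02/2005 12:55:23 AM> Registry modification detected
19/02/2005 12:55:23 AM> Root:HKEY_CURRENT_USER
19/02/2005 12:55:23 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 12:55:23 AM> Value:Four Bind
19/02/2005 12:55:23 AM> Data:
19/02/2005 12:55:23 AM> New Data:C:\DOCUME~1\USER~1\APPLIC~1\DUPEMA~1\sample.exe
19/02/2005 10:11:28 AM> Registry modification detected
19/02/2005 10:11:28 AM> Root:HKEY_CURRENT_USER
19/02/2005 10:11:28 AM> Key:Software\Microsoft\Internet Explorer\Main
19/02/2005 10:11:28 AM> Value:Start Page
19/02/2005 10:11:28 AM> Data:http://hijack.example.invalid/start.php
19/02/2005 10:11:28 AM> New Data:http://www.google.com
19/02/2005 12:43:33 PM> Root:HKEY_LOCAL_MACHINE
19/02/2005 12:43:33 PM> Key:Software\Microsoft\Windows\CurrentVersion\Run
19/02/2005 12:43:33 PM> Value:SpyBlocs
19/02/2005 12:43:33 PM> Data:C:\Program Files\SpyBlocs\SpyBlocs.exe
19/02/2005 12:43:33 PM> New Data:
"""

LINE_RE = re.compile(r"^(?P<ts>\d\d?/\d\d?/\d{4} \d\d?:\d\d:\d\d [AP]M)> ?(?P<body>.*)$")
TS_FORMAT = "%d/%m/%Y %I:%M:%S %p"
# Longest prefix first, so "New Data:" is never read as "Data:".
FIELDS = (("New Data:", "new_data"), ("Data:", "old_data"),
          ("Root:", "root"), ("Key:", "key"), ("Value:", "value"))


def parse_adwatch_log(text):
    """Return one dict per registry-change block, in log order."""
    events, cur = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # tolerate pasted junk between blocks
        ts, body = m.group("ts"), m.group("body").strip()
        hit = next(((p, a) for p, a in FIELDS if body.startswith(p)), None)
        # A header, or a "Root:" line arriving while the current block already
        # has its Root (header snipped when quoting), starts a new event.
        if body == "Registry modification detected" or (
                hit and hit[1] == "root" and cur is not None and cur["root"] is not None):
            cur = None
        if hit is None:
            continue
        if cur is None:
            cur = {"time": datetime.strptime(ts, TS_FORMAT), "root": None, "key": None,
                   "value": None, "old_data": None, "new_data": None}
            events.append(cur)
        cur[hit[1]] = body[len(hit[0]):].strip()
    return events


def classify(event):
    """'added', 'removed', 'changed' or 'noop', from the old/new data fields."""
    old, new = event["old_data"] or "", event["new_data"] or ""
    if new and not old:
        return "added"
    if old and not new:
        return "removed"
    return "changed" if old != new else "noop"


def find_reinstated(events, min_count=3):
    """Values added at least min_count times, with the median gap between adds."""
    groups = defaultdict(list)
    for ev in events:
        if classify(ev) == "added":
            groups[(ev["root"], ev["key"], ev["value"])].append(ev)
    findings = []
    for (root, key, value), evs in groups.items():
        if len(evs) < min_count:
            continue
        evs.sort(key=lambda e: e["time"])
        gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(evs, evs[1:])]
        findings.append({"root": root, "key": key, "value": value, "count": len(evs),
                         "median_gap_s": median(gaps), "payload": evs[-1]["new_data"]})
    return sorted(findings, key=lambda f: -f["count"])
```

On the constructed sample, `find_reinstated(parse_adwatch_log(SAMPLE_LOG))` reports the Four Bind value re-added three times with a median gap of 1308.5 seconds (about 21.8 minutes), while the Start Page change and the SpyBlocs removal are classified but not flagged. Grouping by (root, key, value) rather than by payload is deliberate: the adware in this thread rotates file names (ITCH SOFT.exe later becomes INFO OWNS.exe) while reusing the same value name, so the value name is the stable handle. A value that comes back on a timer is evidence of a live re-writer, and the useful next step is identifying that process, which is what the later "Harmful process identified" lines in the thread do, rather than deleting the value yet again.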

ECA
02-19-2005, 12:47 PM
C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\def aultcampknob.exe

Kill Google...
Search for this file, and look in the DIR, and see what's in there..

19/02/2005 12:43:31 PM> New Data:http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

http://sarc.com/avcenter/venc/data/pf/adware.huntbar.b.html
should be killed with SpywareBlaster....It's a DirectX loader..

joyacacia
02-19-2005, 10:34 PM
Thank you guys, things have certainly improved, I didn't lose my browser page on start up. Here is my post:

Logfile of HijackThis v1.99.0
Scan saved at 5:28:09 PM, on 20/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T 1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Lavasoft\AD-AWA~3\Ad-Watch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Karen.REEDMAN\Desktop\spyware\hijackthis\ HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T 1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB002" /M "Stylus C45"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~3\Ad-Watch.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mswspl] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [LOG ROAM HELP WAY] C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\ITCH SOFT.exe
O4 - HKLM\..\Run: [gHEayU8P] C:\WINDOWS\pymdsb.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InCD Helper - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Internet Security Accounts Manager - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
O23 - Service: Sandra Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

Some of these things keep reloading. I have done a virus check in safe mode, everything clear. I've put on SpywareBlaster.
Thanks again
Karen

nightowl
02-19-2005, 11:06 PM
Still a few that are being a Pain In the A**!

O4 - HKLM\..\Run: [LOG ROAM HELP WAY] C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\ITCH SOFT.exe
O4 - HKLM\..\Run: [gHEayU8P] C:\WINDOWS\pymdsb.exe


Were you ever able to find this file?

C:\WINDOWS\pymdsb.exe

If you can find it we could rename it and hopefully Kill it.

I'll have to see if anyone else has this problem and do a little research.

Post another ADaware Log for ECA, see if he can see anything also........Jim :rolleyes:

nightowl
02-19-2005, 11:19 PM
C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\ITCH SOFT.exe

ITCH SOFT.exe

Also would like to find this file. It's an itch you can't scratch!

nightowl
02-19-2005, 11:44 PM
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"

What is this, do you use this program? Did it help you in the past? If not, delete it. Looks like some kind of Anti Trojan program. Sometimes Spyware programs are Spyware.

joyacacia
02-20-2005, 12:10 AM
Hi there,
I removed "C:\Program Files\a2\a2guard.exe" before the last post; it was supposed to remove malware. At the beginning of the post I did find C:\WINDOWS\pymdsb.exe and deleted the file, but it keeps reappearing in HijackThis. I can no longer find the file on the hard drive.
In safe mode I can remove
C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\ITCH SOFT.exe, but it doesn't have the itch soft.exe file; instead it has 2 files, INFO OWNS.EXE and coolfiledart. When I reboot it reappears and I cannot remove it because it is in use. The EXE file is renamed. Also, after the last reboot when I was connected to the net, a poker and casino icon was on my desktop.

Here is pm adaware post ECA

DUPEMA~1\
20/02/2005 11:07:40 AM> Category:Malware
20/02/2005 11:07:40 AM> Vendor:Lop
20/02/2005 11:07:40 AM> Comment:
20/02/2005 11:07:40 AM>
20/02/2005 11:16:38 AM> Registry modification detected
20/02/2005 11:16:38 AM>
20/02/2005 11:16:38 AM> Root:HKEY_LOCAL_MACHINE
20/02/2005 11:16:38 AM> Key:Software\Microsoft\Windows\CurrentVersion\Run
20/02/2005 11:16:38 AM> Value:QuickTime Task
20/02/2005 11:16:38 AM> Data:"C:\Program Files\QuickTime\qttask.exe" -atboottime
20/02/2005 11:16:38 AM> New Data:
20/02/2005 11:16:38 AM>
20/02/2005 5:15:41 PM> Registry modification detected
20/02/2005 5:15:41 PM>
20/02/2005 5:15:41 PM> Root:HKEY_CURRENT_USER
20/02/2005 5:15:41 PM> Key:Software\Microsoft\Windows\CurrentVersion\Run
20/02/2005 5:15:41 PM> Value:a-squared
20/02/2005 5:15:41 PM> Data:"C:\Program Files\a2\a2guard.exe"
20/02/2005 5:15:41 PM> New Data:
20/02/2005 5:15:41 PM>
20/02/2005 5:15:41 PM> Registry modification detected
20/02/2005 5:15:41 PM>
20/02/2005 5:15:41 PM> Root:HKEY_LOCAL_MACHINE
20/02/2005 5:15:41 PM> Key:Software\Microsoft\Windows\CurrentVersion\Run
20/02/2005 5:15:41 PM> Value:mswspl
20/02/2005 5:15:41 PM> Data:SOUNDMAN.EXE
20/02/2005 5:15:41 PM> New Data:
20/02/2005 5:15:41 PM>
20/02/2005 5:15:41 PM> Registry modification detected
20/02/2005 5:15:41 PM>
20/02/2005 5:15:41 PM> Root:HKEY_LOCAL_MACHINE
20/02/2005 5:15:41 PM> Key:Software\Microsoft\Windows\CurrentVersion\Run
20/02/2005 5:15:41 PM> Value:DAEMON Tools-1033
20/02/2005 5:15:41 PM> Data:"C:\Program Files\D-Tools\daemon.exe" -lang 1033
20/02/2005 5:15:41 PM> New Data:
20/02/2005 5:15:41 PM>
20/02/2005 5:15:41 PM> Registry modification detected
20/02/2005 5:15:41 PM>
20/02/2005 5:15:41 PM> Root:HKEY_LOCAL_MACHINE
20/02/2005 5:15:41 PM> Key:Software\Microsoft\Windows\CurrentVersion\Run
20/02/2005 5:15:41 PM> Value:LOG ROAM HELP WAY
20/02/2005 5:15:41 PM> Data:C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\ITCH SOFT.exe
20/02/2005 5:15:41 PM> New Data:
20/02/2005 5:15:41 PM>
20/02/2005 5:15:41 PM> Registry modification detected
20/02/2005 5:15:41 PM>
20/02/2005 5:15:41 PM> Root:HKEY_LOCAL_MACHINE
20/02/2005 5:15:41 PM> Key:Software\Microsoft\Windows\CurrentVersion\Run
20/02/2005 5:15:41 PM> Value:gHEayU8P
20/02/2005 5:15:41 PM> Data:C:\WINDOWS\pymdsb.exe
20/02/2005 5:15:41 PM> New Data:
20/02/2005 5:15:41 PM>
20/02/2005 6:00:01 PM> Harmful process identified(PID:156)
20/02/2005 6:00:01 PM> This object was found active in memory
20/02/2005 6:00:01 PM> Object:Curb grim coal.exe
20/02/2005 6:00:01 PM> Path:c:\docume~1\karen~1.ree\applic~1\dupema~1\
20/02/2005 6:00:01 PM> Category:Malware
20/02/2005 6:00:01 PM> Vendor:Lop
20/02/2005 6:00:01 PM> Comment:
20/02/2005 6:00:01 PM>
20/02/2005 6:00:29 PM> Registry modification detected
20/02/2005 6:00:29 PM>
20/02/2005 6:00:29 PM> Root:HKEY_CURRENT_USER
20/02/2005 6:00:29 PM> Key:Software\Microsoft\Windows\CurrentVersion\Run
20/02/2005 6:00:29 PM> Value:Four Bind
20/02/2005 6:00:29 PM> Data:
20/02/2005 6:00:29 PM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\def aultcampknob.exe
20/02/2005 6:00:29 PM>
20/02/2005 6:00:29 PM> Harmful process identified(PID:1040)
20/02/2005 6:00:29 PM> This object was found active in memory
20/02/2005 6:00:29 PM> Object:Curb grim coal.exe
20/02/2005 6:00:29 PM> Path:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\
20/02/2005 6:00:29 PM> Category:Malware
20/02/2005 6:00:29 PM> Vendor:Lop
20/02/2005 6:00:29 PM> Comment:
20/02/2005 6:00:29 PM>
20/02/2005 6:00:43 PM> Registry modification detected
20/02/2005 6:00:43 PM>
20/02/2005 6:00:43 PM> Root:HKEY_LOCAL_MACHINE
20/02/2005 6:00:43 PM> Key:Software\Microsoft\Windows\CurrentVersion\Run
20/02/2005 6:00:43 PM> Value:LOG ROAM HELP WAY
20/02/2005 6:00:43 PM> Data:C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\ITCH SOFT.exe
20/02/2005 6:00:43 PM> New Data:C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM\INFO OWNS.exe
20/02/2005 6:00:43 PM>
20/02/2005 6:00:47 PM> Registry modification detected
20/02/2005 6:00:47 PM>
20/02/2005 6:00:47 PM> Root:HKEY_CURRENT_USER
20/02/2005 6:00:47 PM> Key:Software\Microsoft\Internet Explorer\Main
20/02/2005 6:00:47 PM> Value:Start Page
20/02/2005 6:00:47 PM> Data:http://www.google.com
20/02/2005 6:00:47 PM> New Data:http://www.bitoqnjfyyqohfjug.com/eQ7JEMmzpXojeBGgavWbtVLr8u/Cr7jJAQ4vIlmOKzY.asp
20/02/2005 6:00:47 PM>
20/02/2005 6:00:47 PM> Registry modification detected
20/02/2005 6:00:47 PM>
20/02/2005 6:00:47 PM> Root:HKEY_CURRENT_USER
20/02/2005 6:00:47 PM> Key:Software\Microsoft\Internet Explorer\Search
20/02/2005 6:00:47 PM> Value:SearchAssistant
20/02/2005 6:00:47 PM> Data:http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
20/02/2005 6:00:47 PM> New Data:
20/02/2005 6:00:47 PM>
20/02/2005 6:00:56 PM> Harmful process identified(PID:3280)
20/02/2005 6:00:56 PM> This object was found active in memory
20/02/2005 6:00:56 PM> Object:Curb grim coal.exe
20/02/2005 6:00:56 PM> Path:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\
20/02/2005 6:00:56 PM> Category:Malware
20/02/2005 6:00:56 PM> Vendor:Lop
20/02/2005 6:00:56 PM> Comment:
20/02/2005 6:00:56 PM>
20/02/2005 6:48:19 PM> Registry modification detected
20/02/2005 6:48:19 PM>
20/02/2005 6:48:19 PM> Root:HKEY_CURRENT_USER
20/02/2005 6:48:19 PM> Key:Software\Microsoft\Windows\CurrentVersion\Run
20/02/2005 6:48:19 PM> Value:Four Bind
20/02/2005 6:48:19 PM> Data:
20/02/2005 6:48:19 PM> New Data:C:\DOCUME~1\KAREN~1.REE\APPLIC~1\DUPEMA~1\def aultcampknob.exe
20/02/2005 6:48:19 PM>
20/02/2005 7:00:00 PM> Harmful process identified(PID:3636)
20/02/2005 7:00:00 PM> This object was found active in memory
20/02/2005 7:00:00 PM> Object:Curb grim coal.exe
20/02/2005 7:00:00 PM> Path:c:\docume~1\karen~1.ree\applic~1\dupema~1\
20/02/2005 7:00:00 PM> Category:Malware
20/02/2005 7:00:00 PM> Vendor:Lop
20/02/2005 7:00:00 PM> Comment:
20/02/2005 7:00:00 PM>


Does this mean I'm reinfected with LOP?
This certainly is frustrating.
karen

ECA
02-20-2005, 02:42 AM
CASHFASTLOGROAM\ITCH SOFT
Kill the whole directory...
ALSO adaware has a KILL on BOOT...

Did you set up Spybot, TeaTimer and other prog...
Once you erase them, TEATIMER will tell you what prog is TRYING to reload them..

DID you search this one?? aultcampknob.exe

C:\Program Files\a2\a2guard.exe
Looks like A2 didn't go away either..

O4 - Startup: PowerReg Scheduler.exe
Kill this..
And turn and DELETE SpywareGuard... Ain't working, is it..

http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
FIND THIS...KILL IT...
srchcust.htm
Esp. this part.... Does look as if it's gone... but look for it..

http://204.2.105.140/lop.htm
THIS is LOP...malware..

http://www.winpatrol.com/
TRY this for me... If you would.. It's supposed to WATCH your startup..

nightowl
02-20-2005, 11:01 AM
http://www.winpatrol.com/

Not a bad program, I have it on mine, I believe it has a delete on reboot function.


C:\WINDOWS\pymdsb.exe

You found this file, Rename it goaway.exe then dump it.

Empty Recycle Bin, Reboot and Post a new Log.

Also follow ECA's instructions........Jim

joyacacia
02-20-2005, 06:28 PM
Hi there, I'm starting to feel confident :) I rebooted in safe mode; using regedit I deleted SOFT ITCH.EXE, then I could delete the directory C:\Documents and Settings\All Users\Application Data\CASHFASTLOGROAM from the hard drive. Also deleted everything associated with aultcampknob.exe. Found a dir it was in: c:\Documents and settings\Karen Reedman\Application Data\Dupe Mags real. These files were related to LOP (as the names were familiar, who hijack my browser). I could only delete the dir after I ran adware.
I searched and removed http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
I set up and installed Spybot TeaTimer; I didn't have it running before.
I also have WinPatrol working and I think we got rid of
C:\WINDOWS\pymdsb.exe

Logfile of HijackThis v1.99.0
Scan saved at 1:23:39 PM, on 21/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T 1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Lavasoft\AD-AWA~3\Ad-Watch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ntvdm.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WINPAT~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Karen.REEDMAN\Desktop\spyware\hijackthis\ HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T 1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB002" /M "Stylus C45"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~3\Ad-Watch.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Uninstall WinPatrol.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O17 - HKLM\System\CCS\Services\Tcpip\..\{424AC613-C17A-4E24-BAD2-A87DBE7EC3A6}: NameServer = 210.80.58.34 210.80.58.42
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InCD Helper - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Internet Security Accounts Manager - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
O23 - Service: Sandra Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

thank you! thank you! thank you! for your perseverance, as I'm not that technically minded when it comes to computers
karen

ECA
02-20-2005, 08:42 PM
C:\WINDOWS\system32\svchost.exe
DON'T touch this... This is a telltale... count the ones on the top section.
99.9% of the time there is a MAX of 3...
What this is, is a program used in the BACKground, to access the web..
Another program started it, to USE it..

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
Suspicious... Windows should try to reload this IF IT'S your sound driver... I don't think so.
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
2 of these... I can't see the WHOLE directory for BOTH.. 1 should be removed..

C:\PROGRA~1\BILLPS~1\WINPAT~1\WINPAT~1.EXE
What is this, can't read it..

If this doesn't help, I have a program that shows processes and what started them..

nightowl
02-20-2005, 09:19 PM
Fix these

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O17 - HKLM\System\CCS\Services\Tcpip\..\{424AC613-C17A-4E24-BAD2-A87DBE7EC3A6}: NameServer = 210.80.58.34 210.80.58.42


It's looking better now. Got rid of those bad ones........Jim

joyacacia
02-20-2005, 09:38 PM
Hi ECA,
In the Windows Task Manager I have 7 svchost.exe running in the processes; not sure what you meant by "count the ones on the top section".

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE - WinPatrol report

SOUNDMAN.EXE
Realtek Sound Manager
Version: 5.0.21
Copyright (c) 2001-2003 Realtek Semiconductor Corp.
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run
Path: SOUNDMAN.EXE


O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
winpatrol report-
# Symantec NetDriver Monitor

SNDMon.exe
Symantec Security Drivers Install Monitor
Version: 5.4
Copyright 2002, 2003, 2004 Symantec Corporation
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run
Path: C:\Program Files\SymNetDrv\SNDMon.exe

Do you want me to still remove them? Will I use WinPatrol?

C:\PROGRA~1\BILLPS~1\WINPAT~1\WINPAT~1.EXE

I think this has to do with WinPatrol. In the regedit search the data said it was WinPatrol system monitor.

I have 48 processes running in Task Manager; this one seems sus: E_S413T1.exe, user Karen

ECA
02-21-2005, 02:08 AM
yep, SVCHOST...
DON'T touch it..
It does tell us something..
E_s413...Looks like your printer driver...

http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
This is an interesting program...
If you RIGHT CLICK the running program it gives you LOTS of info... including WHAT started it (first tab on top)..
On SVCHOST... Find the START programs, DON'T do anything... Just give us the NAMES..

joyacacia
02-21-2005, 03:22 AM
Hi ECA, I'm a bit confused. Am I looking for the process under each SVCHOST? Is this the start program? If so I'm on the right track.

I can't get rid of R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = ; it keeps loading up with Ad-Watch monitoring after rebooting.
thanks karen

ECA
02-21-2005, 10:42 AM
The program, when you RIGHT click on the listed process,
has a PROPERTIES listing,
TAB, image, lists HOW it's started, and what it's running.

Under environment, a listing called COMSPEC, lists how it was started.

samko
02-21-2005, 11:14 AM
How do I get rid of http://letgohome.com/hp.htm?id=9

Logfile of HijackThis v1.99.0
Scan saved at 20:03:56, on 21.2.2005
Platform: Windows XP SP1, v.1081 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1081)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\DllHost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\samir gondzetovic\Desktop\gluposti\hijackthis\HijackThis .exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: winlogin.exe
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A717493-C470-426E-A219-4C1DAF727BB0}: NameServer = 195.222.32.10 195.222.32.20
O17 - HKLM\System\CS1\Services\Tcpip\..\{0A717493-C470-426E-A219-4C1DAF727BB0}: NameServer = 195.222.32.10 195.222.32.20
O20 - AppInit_DLLs: 9ewfd3eyti387bh.dll.dll.dll.dll.dll.dll.dll.dll.dl l.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll. dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dl l.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll. dll

nightowl
02-21-2005, 12:49 PM
You need to kill this one first. It's hard to kill and it's bad. If the string of dlls gets too long it will shut your computer down.

Some people have had success using a program called Trend Micro. Run this program, delete or quarantine what it finds, empty Trash Bin, reboot and post a new log. Here is the link.........Jim

http://www.trendmicro.com/download/trial/trial-pcc.asp


O20 - AppInit_DLLs: 9ewfd3eyti387bh.dll.dll.dll.dll.dll.dll.dll.dll.dl l.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll. dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dl l.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll. dll
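The HijackThis line types the thread keeps coming back to (R0/R1 start and search pages, O2 BHOs, O4 startup items, O17 DNS servers, O20 AppInit_DLLs) can be triaged mechanically. The following is an added Python example, not code from HijackThis or from anyone in this thread. The heuristics are my assumptions (an allowlist of the two default IE hosts that appear in the logs above, a "(no name)" BHO check, an unresolved Global Startup check, and a count of how many times ".dll" is repeated in an AppInit_DLLs value); the sample log lines are copied from samko's and Karen's logs above, with the padded AppInit_DLLs name shortened to keep the sample readable.

```python
"""Triage a HijackThis v1.99 log with a few defender-side heuristics.

Added example; heuristics and the KNOWN_DEFAULT_HOSTS allowlist are assumptions.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hosts the thread's logs show as IE defaults (assumption: extend for your site).
KNOWN_DEFAULT_HOSTS = {"www.google.com", "ie.search.msn.com"}

# A HijackThis entry looks like "R1 - <detail>" or "O20 - <detail>".
LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")


@dataclass
class Finding:
    entry_type: str
    reason: str
    line: str


def parse_lines(text):
    """Yield (entry_type, detail, raw_line) for each recognised log line."""
    for raw in text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if m:
            yield m.group(1), m.group(2), raw


def triage(text):
    """Return the entries worth a human's attention, with the reason for each."""
    findings = []
    for etype, detail, raw in parse_lines(text):
        if etype in ("R0", "R1"):
            # "<registry key>,<value name> = <url>"; a blanked value is the
            # SearchAssistant/CustomizeSearch symptom Karen's log shows.
            _key, _, value = detail.partition("=")
            value = value.strip()
            if not value:
                findings.append(Finding(etype, "blanked IE search/start key", raw))
            else:
                host = urlsplit(value).hostname or ""
                if host not in KNOWN_DEFAULT_HOSTS:
                    findings.append(Finding(etype, f"IE key points at unexpected host {host}", raw))
        elif etype == "O2" and "(no name)" in detail:
            findings.append(Finding(etype, "BHO with no name", raw))
        elif etype == "O4" and detail.startswith("Global Startup:") and "=" not in detail:
            findings.append(Finding(etype, "startup item with no resolved path", raw))
        elif etype == "O17":
            # DNS servers are always worth listing: a hijacked resolver redirects everything.
            servers = detail.split("NameServer = ", 1)[1].split() if "NameServer = " in detail else []
            findings.append(Finding(etype, "DNS servers set: " + " ".join(servers), raw))
        elif etype == "O20" and detail.startswith("AppInit_DLLs:"):
            value = detail[len("AppInit_DLLs:"):].strip()
            if value:
                repeats = value.lower().count(".dll")
                reason = "AppInit_DLLs is set"
                if repeats > 1:
                    reason += f" (name contains '.dll' {repeats} times, padded)"
                findings.append(Finding(etype, reason, raw))
    return findings


# Sample input: lines from samko's log above (AppInit_DLLs value shortened).
SAMKO_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: winlogin.exe
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A717493-C470-426E-A219-4C1DAF727BB0}: NameServer = 195.222.32.10 195.222.32.20
O17 - HKLM\System\CS1\Services\Tcpip\..\{0A717493-C470-426E-A219-4C1DAF727BB0}: NameServer = 195.222.32.10 195.222.32.20
O20 - AppInit_DLLs: 9ewfd3eyti387bh.dll.dll.dll.dll.dll
"""

# Sample input: the three lines nightowl told Karen to fix in her log above.
KAREN_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O17 - HKLM\System\CCS\Services\Tcpip\..\{424AC613-C17A-4E24-BAD2-A87DBE7EC3A6}: NameServer = 210.80.58.34 210.80.58.42
"""

if __name__ == "__main__":
    for name, log in (("samko", SAMKO_LOG), ("karen", KAREN_LOG)):
        print(f"== {name} ==")
        for f in triage(log):
            print(f"{f.entry_type:4} {f.reason}\n     {f.line}")
```

The O17 entries are reported unconditionally rather than judged: whether a resolver address is legitimate depends on the ISP, which is exactly the question the thread could not settle from the log alone.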

joyacacia
02-21-2005, 02:01 PM
Thanks ECA, I was right off the track; here is the list

path C:\WINDOWS\System32\svchost.exe
Command line C:\WINDOWS\system32\svchost -k DcomLaunch
Dir C:\WINDOWS\System32\svchost.exe
parent services.exe(1020)
user NT AUTHORITY\SYSTEM
ComSpec C:\WINDOWS\system32\cmd.exe

Command line
C:\WINDOWS\system32\svchost -k rpcss
user NT AUTHORITY\NETWORK SERVICE
ComSpec C:\WINDOWS\system32\cmd.exe

Command line
C:\WINDOWS\System32\svchost.exe -k netsvcs
user NT AUTHORITY\SYSTEM
ComSpec C:\WINDOWS\system32\cmd.exe

Command line
C:\WINDOWS\System32\svchost.exe -k NetworkService
user NT AUTHORITY\NETWORK SERVICE
ComSpec C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\System32\svchost.exe -k LocalService
user NT AUTHORITY\LOCAL SERVICE
ComSpec C:\WINDOWS\system32\cmd.exe


C:\WINDOWS\System32\svchost.exe -k imgsvc
user NT AUTHORITY\SYSTEM
ComSpec C:\WINDOWS\system32\cmd.exe



C:\WINDOWS\System32\svchost.exe -k HTTPFilter
user NT AUTHORITY\SYSTEM
ComSpec C:\WINDOWS\system32\cmd.exe
See how this goes.
karen

ECA
02-21-2005, 11:16 PM
OK,
1. Is this a networked computer?
2. Do you have multiple signons, for other family members?
3. Do you have AUTO UPDATE on?? TURN IT OFF...

Did you PAY for emergency recovery services??
Was this a BUSINESS machine at one time??

ECA
02-21-2005, 11:21 PM
On Windows XP systems, Win32 services run in the following processes:

* lsass.exe: Netlogon, NtLmSsp, PolicyAgent, ProtectedStorage, SamSs
* services.exe: Eventlog, PlugPlay
* svchost.exe (LocalService instance, running as LocalService): Alerter, WebClient, LmHosts, RemoteRegistry, upnphost, SSDPSRV
* svchost.exe (NetworkService instance, running as NetworkService): DnsCache
* svchost.exe (netsvcs instance): 6to4, AppMgmt, AudioSrv, Browser, CryptSvc, DMServer, DHCP, ERSvc, EventSystem, FastUserSwitchingCompatibility, HidServ, Ias, Iprip, Irmon, LanmanServer, LanmanWorkstation, Messenger, Netman, Nla, Ntmssvc, NWCWorkstation, Nwsapagent, Rasauto, Rasman, Remoteaccess, Schedule, Seclogon, SENS, Sharedaccess, SRService, Tapisrv, Themes, TrkWks, W32Time, WZCSVC, Wmi, WmdmPmSp, winmgmt, TermService, wuauserv, BITS, ShellHWDetection, helpsvc, uploadmgr
* svchost.exe (rpcss instance): rpcss
* svchost.exe (termsvcs instance): TermService
* svchost.exe (imgsvc instance): StiSvc

http://www.hsc.fr/ressources/articles/win_net_srv/ch04s11.html

HOW are you connected to the net, and other machines...
Seems as if the configuration is set VERY FUNNY..
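ECA's point, that each svchost.exe instance should be explained by a known service group and a known account, can be turned into a check that runs over what Process Explorer shows (image path, command line, parent, user). The following is an added Python example and is not code from Process Explorer, the hsc.fr article or anyone in the thread. The group table is built from the hsc.fr list ECA quoted plus the three groups visible in Karen's output (DcomLaunch, NetworkService, HTTPFilter); the expected account for each group is the one Karen's listing shows for it, and "termsvcs" is left unchecked because the thread shows no account for it. The good samples reuse Karen's command lines and assume the same path and parent she reported for her first instance; the bad sample is constructed.

```python
"""Flag svchost.exe instances that do not match the known XP service groups.

Added example. Group/account table assumes Windows XP SP2 defaults as shown in
this thread; adjust for other builds.
"""
import re
from dataclasses import dataclass

# service group (lower-case) -> account it is expected to run as; None = not checked
EXPECTED_ACCOUNT = {
    "dcomlaunch": r"NT AUTHORITY\SYSTEM",
    "rpcss": r"NT AUTHORITY\NETWORK SERVICE",
    "netsvcs": r"NT AUTHORITY\SYSTEM",
    "networkservice": r"NT AUTHORITY\NETWORK SERVICE",
    "localservice": r"NT AUTHORITY\LOCAL SERVICE",
    "imgsvc": r"NT AUTHORITY\SYSTEM",
    "httpfilter": r"NT AUTHORITY\SYSTEM",
    "termsvcs": None,  # listed by hsc.fr; account not shown in the thread
}
SYSTEM32 = r"c:\windows\system32"
GROUP_RE = re.compile(r"-k\s+(\S+)", re.IGNORECASE)


@dataclass
class SvchostInstance:
    path: str      # image path as Process Explorer shows it
    cmdline: str   # full command line, e.g. "...\svchost.exe -k netsvcs"
    parent: str    # parent process, e.g. "services.exe(1020)"
    user: str      # account the process runs as


def service_group(cmdline):
    """Return the lower-cased '-k <group>' name from a command line, or None."""
    m = GROUP_RE.search(cmdline)
    return m.group(1).lower() if m else None


def check_instance(inst):
    """Return reasons this instance deserves a closer look; an empty list means it looks normal."""
    reasons = []
    # 1. The real svchost.exe lives in System32; a copy anywhere else is suspect.
    if not inst.path.lower().startswith(SYSTEM32 + "\\"):
        reasons.append(f"image not under System32: {inst.path}")
    # 2. Service hosts are started by services.exe, nothing else.
    if inst.parent.lower().split("(")[0] != "services.exe":
        reasons.append(f"parent is {inst.parent}, expected services.exe")
    # 3. Every instance should name a known service group and run as its usual account.
    group = service_group(inst.cmdline)
    if group is None:
        reasons.append("no -k service group on the command line")
    elif group not in EXPECTED_ACCOUNT:
        reasons.append(f"unknown service group {group!r}")
    else:
        expected = EXPECTED_ACCOUNT[group]
        if expected and inst.user.lower() != expected.lower():
            reasons.append(f"group {group} runs as {inst.user}, expected {expected}")
    return reasons


def triage_all(instances):
    """Map each command line to its list of reasons."""
    return {i.cmdline: check_instance(i) for i in instances}


# Karen's seven instances (path and parent assumed equal to her first record).
_PATH, _PARENT = r"C:\WINDOWS\System32\svchost.exe", "services.exe(1020)"
KAREN_INSTANCES = [
    SvchostInstance(_PATH, r"C:\WINDOWS\system32\svchost -k DcomLaunch", _PARENT, r"NT AUTHORITY\SYSTEM"),
    SvchostInstance(_PATH, r"C:\WINDOWS\system32\svchost -k rpcss", _PARENT, r"NT AUTHORITY\NETWORK SERVICE"),
    SvchostInstance(_PATH, r"C:\WINDOWS\System32\svchost.exe -k netsvcs", _PARENT, r"NT AUTHORITY\SYSTEM"),
    SvchostInstance(_PATH, r"C:\WINDOWS\System32\svchost.exe -k NetworkService", _PARENT, r"NT AUTHORITY\NETWORK SERVICE"),
    SvchostInstance(_PATH, r"C:\WINDOWS\System32\svchost.exe -k LocalService", _PARENT, r"NT AUTHORITY\LOCAL SERVICE"),
    SvchostInstance(_PATH, r"C:\WINDOWS\System32\svchost.exe -k imgsvc", _PARENT, r"NT AUTHORITY\SYSTEM"),
    SvchostInstance(_PATH, r"C:\WINDOWS\System32\svchost.exe -k HTTPFilter", _PARENT, r"NT AUTHORITY\SYSTEM"),
]

# Constructed bad sample: wrong directory, started by Explorer, running as the user.
IMPOSTOR = SvchostInstance(r"C:\WINDOWS\svchost.exe", r"C:\WINDOWS\svchost.exe -k netsvcs",
                           "explorer.exe(1484)", r"KAREN-PC\Karen")

if __name__ == "__main__":
    for cmd, reasons in triage_all(KAREN_INSTANCES + [IMPOSTOR]).items():
        print(cmd, "->", reasons or "looks normal")
```

Seven clean instances is therefore not in itself a sign of trouble: every one of Karen's maps to a documented group running as its usual account from the right directory with the right parent, which is the answer ECA reaches in his next post.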

joyacacia
02-22-2005, 04:01 AM
I had a dial-up connection,
then a Netcomm NB1300 Plus4 for net and Xbox Live, on an Ethernet connection. This broke and I'm still waiting to get it fixed under warranty.. So I then added a SpeedTouch 500 series for net and Xbox Live. I couldn't use the Ethernet port, maybe because it was still looking for the Netcomm modem. So I plugged it into a USB port.
When I go into Network Connections I have 5 connections:
1394 connection, connected, firewalled, Net Adapter
local area connection, network cable unplugged, Intel(R) PRO/100 VE Network Connection. This has a red cross
oze, disconnected, firewalled, WAN Miniport, PPPoE, with a tick on it
broadband connection, connected, firewalled, WAN Miniport, PPPoE
local area connection 4, connected, firewalled, Alcatel SpeedTouch USB
karen

joyacacia
02-22-2005, 04:18 AM
ECA, I just clicked on the properties; the 1394 Net Adapter is running at 400.0Mbps,

Broadband connection ,connected, firewalled WAN minport, PPPOE

local area connection 4, connected, firewalled Alcatel speedtouch USB
both of these are connected at 512.0Kbps
Is there a problem here?

ECA
02-22-2005, 12:36 PM
Joy
WELL that explains all the EXTRA..

suggest you remove those not needed, reload IF/when you need..

--------------------------------------------------
Samco
On that 9ewfd3eyti387bh.dll.dll.dll.dll.dll.dll.dll.dll.dl l.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll. dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dl l.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll. dll

May have to go in MANUALLY..
FULL search, all files, folders, system files (have to go into options...
*.DLL.DLL.*
DELETE it.
May come back renamed... But smaller.

DOES the Process program see it??
If it DOES, look at it, find the loader for us.
See, we have a problem... WE ain't had any of this STUFF.. I got protected BEFORE it started out bad.
And using a few of these programs don't help me, I can't find anything WRONG to evaluate.
So, we can have you EVALUATE the programs.

nightowl
02-22-2005, 12:59 PM
That was for Samco right? I need to start a new thread for him. Makes it less confusing........Jim

ECA
02-22-2005, 01:28 PM
Joy..
Has 7 SVCHOSt connections, NOW I know why..

SORRY, I will correct..