Hi!!
Thank you for posting the HJT log!!
Please follow the instructions below to get rid of the pestware.
Run HijackThis and, if present, check the following items to fix:
(Make sure all browser and all Windows Explorer windows are closed before fixing)
Running Processes:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\kiukgy.exe
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKCU\..\Run: [LwttRTc3W] broycc.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab
Once you have selected all these items, press the Fix Checked
button to remove the pests from your computer.
After fixing all these items, reboot your computer in Safe Mode; for instructions see:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam
Make sure you can view hidden and system files:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Now, if still present in your computer, delete the files:
· C:\Documents and Settings\All Users\Start Menu\Programs\Startup\kiukgy.exe
· broycc.exe (you must search for its location using the Windows search tool)
Reboot your computer in Normal mode and test your browser.
I hope that these tasks clean your computer of pests. Please run
HijackThis again and post the new log after the last reboot of your
computer to see if it is clean.
Important note:
You have installed several antispyware programs, one of which has a dubious reputation:
"CastleCops EnigmaPopupStop EnigmaPopupStop.exe":
http://castlecops.com/startuplist-5831.html
I suggest you uninstall this program.
Please feel free to request a clarification if you have doubts or
need further assistance on this topic. I will be glad to respond to your
requests.
Best regards.
livioflores-ga |
Request for Answer Clarification by
bsieber-ga
on
14 Dec 2004 17:57 PST
It looks like I still have a ways to go, I'm still getting popup ads and redirects.
I uninstalled EnigmaPopupStop.
I followed the procedures as directed in Safe Mode. I found no broycc.exe
I did find kiukgy.exe in the startup but deleted that file.
I am posting below the latest HJT log (after rebooting from Safe Mode)
THANK YOU AGAIN! I hope we can lick this thing!
Logfile of HijackThis v1.98.2
Scan saved at 7:43:44 PM, on 12/14/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\vcivay.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Barry Sieber\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage",
"http://home.netscape.com/"); (C:\Documents and Settings\Barry
Sieber\Application Data\Mozilla\Profiles\default\xs8dq9cs.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine",
"engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src");
(C:\Documents and Settings\Barry Sieber\Application
Data\Mozilla\Profiles\default\xs8dq9cs.slt\prefs.js)
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O3 - Toolbar: Norton AntiVirus -
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton
AntiVirus\NavShExt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} -
C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program
Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy
Sweeper\SpySweeper.exe" /0
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page -
res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Sothink SWF Decompiler - C:\Program
Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
O8 - Extra context menu item: Translate into English -
res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21}
- C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: SWFDecompiler -
{E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program
Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler -
{E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program
Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}
- C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) -
http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
http://software-dl.real.com/13c888a97d2be1836122/netzip/RdxIE601.cab
|
Clarification of Answer by
livioflores-ga
on
14 Dec 2004 20:23 PST
Hi again!!!
I think that we must kick harder, please start doing the following:
Remember to disable System Restore if your operating system is Windows Me or XP.
First of all scan your computer to see if it is infected with some
known virus or trojans, preferably use an online scan because the
installed antivirus could be hijacked too.
I suggest you use the following free services:
"Trend Micro - Free online virus Scan":
http://housecall.trendmicro.com/
"GFI - Free online Trojan scanner", an online tool dedicated to detecting
trojans in your computer:
http://www.trojanscan.com/
Note: if you prefer to use your installed antivirus software, connect to the
Internet and update the virus definitions.
-----------------------------------------------------------
Then you must scan your computer to detect spyware, adware or other type of
badware. To do this you can perform an online scan or run an
antispyware software:
Online spyware scanner:
"PestPatrol's free online spyware scanner":
Remember to disable System Restore if your operating system is Windows Me or XP.
1- Scan your computer for virus or trojans, preferably an online scan
(because the installed antivirus could be hijacked too!!). Try with
the following free services:
"Trend Micro - Free online virus Scan":
http://housecall.trendmicro.com/
"GFI - Free online Trojan scanner", an online tool dedicated to detecting
trojans in your computer:
http://www.trojanscan.com/
Note: if you want to use your installed antivirus software, connect to the
Internet and update the virus definitions.
-----------------------------------------------------------
2- Scan your computer to detect spyware, adware or other type of
badware. To do this you can perform an online scan or run an
antispyware software:
Online spyware scanner:
"PestPatrol's free online spyware scanner":
http://www.pestscan.com/ScanOrTrial.asp
Anti Spyware software:
"Ad-aware" from Lavasoft: (freeware)
I strongly suggest you download and run this software and let it fix
all that it finds.
http://lavasoft.element5.com/support/download/
---------------------------------------------------------
After the above tasks are finished please reboot your computer and run
HijackThis and check to fix if still present the following items:
Running processes:
C:\WINDOWS\system32\vcivay.exe
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
Note: Change the properties for HOSTS file from "Read only", HJT must change it!!!
---------------------------------------------------
I hope this helps you to clean your computer, and remember that this
answer is not considered finished until you feel satisfied with it, so
do not hesitate to use the clarification feature all the times that
you need it.
Regards.
livioflores-ga
|
Clarification of Answer by
livioflores-ga
on
15 Dec 2004 08:25 PST
I hope that the last part of my clarification does not confuse you;
there was an editing problem, so I repost here the correct version:
Remember to disable System Restore if your operating system is Windows Me or XP.
First of all scan your computer to see if it is infected with some
known virus or trojans, preferably use an online scan because the
installed antivirus could be hijacked too.
I suggest you use the following free services:
"Trend Micro - Free online virus Scan":
http://housecall.trendmicro.com/
"GFI - Free online Trojan scanner", an online tool dedicated to detecting
trojans in your computer:
http://www.trojanscan.com/
Note: if you prefer to use your installed antivirus software, connect
to the Internet and update the virus definitions.
-----------------------------------------------------------
Then you must scan your computer to detect spyware, adware or other type of
badware. To do this you can perform an online scan or run an antispyware software:
Online spyware scanner:
"PestPatrol's free online spyware scanner":
http://www.pestscan.com/ScanOrTrial.asp
Anti Spyware software:
"Ad-aware" from Lavasoft: (freeware)
I strongly suggest you download and run this software and let it fix
all that it finds.
http://lavasoft.element5.com/support/download/
---------------------------------------------------------
After the above tasks are finished please reboot your computer and run
HijackThis and check to fix if still present the following items:
Running processes:
C:\WINDOWS\system32\vcivay.exe
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
Note: Change the properties for HOSTS file from "Read only", HJT must change it!!!
---------------------------------------------------
I hope that this clarifies the above clarification.
Thank you for your understanding.
livioflores-ga
|
Request for Answer Clarification by
bsieber-ga
on
16 Dec 2004 19:46 PST
Hello!
Whew! That took a while! The scans I mean.
First I went into safe mode and logged into the administrator account
so I could disable System Restore since I'm operating Windows XP.
Trend Micro found six Trojans and deleted them. I have decided to uninstall
Norton and install Trend Micro as my virus protection system. Next, I
ran Ad-Aware and quarantined. I decided also to purchase PestPatrol
and did a full scan and removal of adware, spyware, etc.
After rebooting my system after each of the above changes, I have now
done a HJT log which I am posting below:
Logfile of HijackThis v1.98.2
Scan saved at 9:19:57 PM, on 12/16/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\vcivay.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Barry Sieber\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage",
"http://home.netscape.com/"); (C:\Documents and Settings\Barry
Sieber\Application Data\Mozilla\Profiles\default\xs8dq9cs.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine",
"engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src");
(C:\Documents and Settings\Barry Sieber\Application
Data\Mozilla\Profiles\default\xs8dq9cs.slt\prefs.js)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend
Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvjvm32.exe
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] none
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program
Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy
Sweeper\SpySweeper.exe" /0
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page -
res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Sothink SWF Decompiler - C:\Program
Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
O8 - Extra context menu item: Translate into English -
res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21}
- C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: SWFDecompiler -
{E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program
Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler -
{E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program
Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}
- C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) -
http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) -
http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13}
(PPSDKActiveXScanner.MainScreen) -
http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
http://software-dl.real.com/13c888a97d2be1836122/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control)
- http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
As you can see, I'm still getting some pests. It is interesting to
note that when I attempt to eliminate the second O1 Host (netscape), I
receive an error message stating "Permission Denied". I have e-mailed
the HJT contact person that comes up on the dialog box and included
the same log I have here. I went ahead and did a Fix this for a tool
bar (I believe it is an O3 in the HJT log) that kept coming up in IE
but every time I did, I would get a folder called "Backups" on my
desktop full of some sort of files. I haven't seen them since I have
run the latest pestware software so I hope that took care of the
problem.
Any more advice or tips will certainly be welcomed.
Thanks again as always!
|
Clarification of Answer by
livioflores-ga
on
16 Dec 2004 22:48 PST
Hi again!!
The HJT log looks a little better, but there are a couple of files
that I cannot identify with any known program and they must be
deleted.
They are:
C:\WINDOWS\system32\vcivay.exe
C:\windows\system32\kalvjvm32.exe
My suggestion here is to check to fix the following items:
C:\WINDOWS\system32\vcivay.exe
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvjvm32.exe
Then reboot in safe mode and delete if still present:
C:\WINDOWS\system32\vcivay.exe
C:\windows\system32\kalvjvm32.exe
Try also running this tool: CWShredder
http://cwshredder.net/bin/CWShredder.exe
Good luck!! And remember to continue using the clarification feature
if you need further assistance.
|
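A small triage helper for HJT log lines, added here as an example (not part of the thread and not HijackThis's own code). It applies the two checks the answers above rely on: an O1 hosts entry that sends a search domain to a public address instead of the local machine (the 69.20.16.183 entries), and an O4 Run entry or running process whose executable is not a known program (vcivay.exe, kalvjvm32.exe, broycc.exe). The KNOWN_GOOD allowlist and the sample log are constructed assumptions standing in for the startup database an analyst would consult.

```python
"""Triage helper for HijackThis (HJT) v1.98 log lines (added example)."""
import ipaddress
import re
from collections import Counter

# Assumed allowlist: executables the thread identified as legitimate. A real
# triage would consult a startup/file database instead of a hand-made set.
KNOWN_GOOD = {
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
    "explorer.exe", "realsched.exe", "pccguide.exe", "msmsgs.exe",
    "spysweeper.exe", "sgmain.exe", "netscp.exe", "hijackthis.exe",
}

# Constructed sample log, modelled on the entries posted in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\vcivay.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 127.0.0.1 ad.doubleclick.net
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvjvm32.exe
O4 - HKCU\..\Run: [LwttRTc3W] broycc.exe
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O4_RE = re.compile(r"^O4 - (\S+):\s+\[([^\]]*)\]\s*(.*)$")
PROC_RE = re.compile(r"^[A-Za-z]:\\.*\.exe$", re.IGNORECASE)


def hosts_entry_is_hijack(ip):
    """True when a hosts line points a name anywhere but the local machine.

    Legitimate hosts entries (ad blocking, LAN names) use a loopback or
    unspecified address; a public address such as 69.20.16.183 silently
    redirects the browser's search requests, which is what the log shows.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # not even a valid address: treat as tampering
    return not (addr.is_loopback or addr.is_unspecified)


def run_entry_executable(command):
    """Extract the executable from an O4 command as HJT prints it:
    either a quoted path followed by arguments, or a bare path/filename."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def basename(path):
    """Last component of a Windows path, lower-cased for allowlist lookup."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Scan HJT log text and return the entries an analyst should look at."""
    findings = {"hosts": [], "autostart": [], "processes": []}
    hosts_seen = Counter()
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_processes = True
            continue
        m = O1_RE.match(line)
        if m:
            in_processes = False
            ip, host = m.groups()
            hosts_seen[line] += 1
            if hosts_entry_is_hijack(ip) and (ip, host) not in findings["hosts"]:
                findings["hosts"].append((ip, host))
            continue
        m = O4_RE.match(line)
        if m:
            in_processes = False
            key, name, command = m.groups()
            exe = run_entry_executable(command)
            if basename(exe) not in KNOWN_GOOD:
                findings["autostart"].append((key, name, exe))
            continue
        if in_processes and PROC_RE.match(line):
            if basename(line) not in KNOWN_GOOD:
                findings["processes"].append(line)
        else:
            in_processes = False
    # The same hosts line listed more than once means the file is being
    # re-seeded (or was never cleaned), so it is worth reporting separately.
    findings["repeated_hosts"] = [l for l, n in hosts_seen.items() if n > 1]
    return findings


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        for item in items:
            print(f"{kind}: {item}")
```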
Request for Answer Clarification by
bsieber-ga
on
17 Dec 2004 14:40 PST
Hello again!
I ran HJT and fixed the following items:
C:\WINDOWS\system32\vcivay.exe
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvjvm32.exe
Next, I rebooted in safe mode and deleted these two files:
C:\WINDOWS\system32\vcivay.exe
C:\windows\system32\kalvjvm32.exe
I rebooted normally and ran HJT (log is below). I also found another
tool on the web called Bazooka Scanner which generates a log for
adware/malware/etc. I have that log below the log for HJT. I am not
familiar with editing registry values. Information from CW Shredder
(as well as Bazooka Scanner) indicate I may have some things that I
need to take care of in registry. If you could direct me to resources
to help me do this successfully, that would be great. I know this is a
tricky process and would rather not do it manually. I also know I
could if given good information and about how to edit/delete registry
keys after making a registry backup. I'm not certain if this is your
area, but would like to find out.
Thank you so much so far for everything.
Logfile of HijackThis v1.98.2
Scan saved at 4:22:30 PM, on 12/17/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\kiukgy.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\FirstClass\Fcc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Barry Sieber\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage",
"http://home.netscape.com/"); (C:\Documents and Settings\Barry
Sieber\Application Data\Mozilla\Profiles\default\xs8dq9cs.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine",
"engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src");
(C:\Documents and Settings\Barry Sieber\Application
Data\Mozilla\Profiles\default\xs8dq9cs.slt\prefs.js)
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend
Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\Program
Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program
Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy
Sweeper\SpySweeper.exe" /0
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program
Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page -
res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Sothink SWF Decompiler - C:\Program
Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
O8 - Extra context menu item: Translate into English -
res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21}
- C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: SWFDecompiler -
{E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program
Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler -
{E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program
Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}
- C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) -
http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) -
http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13}
(PPSDKActiveXScanner.MainScreen) -
http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
http://software-dl.real.com/13c888a97d2be1836122/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control)
- http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
****************************************
Bazooka Scanner v1.13.02
http://www.kephyr.com/spywarescanner/
http://www.kephyr.com/spywarescanner/library/
support@kephyr.com
Log created 14:25:22.
OS: Windows NT 5.1
Database version: 2.220000
Database format version: 1.020000
Database date: 20040806
Current date: 2004-12-17 14:25
****************************************
Result when scanning:
MS Media Player GUID 404.888.000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Settings\Client ID
http://www.kephyr.com/spywarescanner/library/msmediaplayerguid/index.phtml
****************************************
Auto start entries:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
C:\Program Files\interMute\SpySubtract\SpySub.exe -autostart
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
C:\Program Files\interMute\SpySubtract\SpySub.exe -autostart
C:\Documents and Settings\Barry Sieber\Start Menu\Programs\Startup\DESKTOP.INI
C:\Program Files\SpywareGuard\sgmain.exe
C:\Documents and Settings\Barry Sieber\Start Menu\Programs\Startup\DESKTOP.INI
C:\Program Files\SpywareGuard\sgmain.exe
Go here to analyse the startup entries and the associated files:
http://www.kephyr.com/filedb/index.php
****************************************
Run entries:
TkBellExe "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\TkBellExe
pccguide.exe "C:\Program Files\Trend Micro\Internet Security
2005\pccguide.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\pccguide.exe
eTrust PestPatrol Active Protection "C:\Program Files\CA\eTrust
PestPatrol\PPActiveDetection.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\eTrust
PestPatrol Active Protection
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\
Mozilla Quick Launch "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Mozilla
Quick Launch
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS
SpySweeper "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SpySweeper
Go here to analyse the run entries and the associated files:
http://www.kephyr.com/filedb/index.php
****************************************
Browser helper objects:
****************************************
Toolbars:
{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} Error when opening a registry
key, the key doesn't exist. Key:
HKEY_CLASSES_ROOT\CLSID\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3}\InprocServer32
System error message: The system cannot find the file specified.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet
Explorer\Toolbar\ShellBrowser\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3}
{2318C2B1-4965-11D4-9B18-009027A5CD4F} c:\program files\google\googletoolbar1.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet
Explorer\Toolbar\ShellBrowser\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{01E04581-4EEE-11D0-BFE9-00AA005B4383} C:\WINDOWS\System32\browseui.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet
Explorer\Toolbar\WebBrowser\{01E04581-4EEE-11D0-BFE9-00AA005B4383}
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} Error when opening a registry
key, the key doesn't exist. Key:
HKEY_CLASSES_ROOT\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\InprocServer32
System error message: The system cannot find the file specified.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet
Explorer\Toolbar\WebBrowser\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}
{2318C2B1-4965-11D4-9B18-009027A5CD4F} c:\program files\google\googletoolbar1.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet
Explorer\Toolbar\WebBrowser\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{0494D0D9-F8E0-41AD-92A3-14154ECE70AC} Error when opening a registry
key, the key doesn't exist. Key:
HKEY_CLASSES_ROOT\CLSID\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}\InprocServer32
System error message: The system cannot find the file specified.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet
Explorer\Toolbar\WebBrowser\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}
{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} Error when opening a registry
key, the key doesn't exist. Key:
HKEY_CLASSES_ROOT\CLSID\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3}\InprocServer32
System error message: The system cannot find the file specified.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet
Explorer\Toolbar\WebBrowser\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3}
{014DA6C9-189F-421A-88CD-07CFE51CFF10} Error when opening a registry
key, the key doesn't exist. Key:
HKEY_CLASSES_ROOT\CLSID\{014DA6C9-189F-421A-88CD-07CFE51CFF10}\InprocServer32
System error message: The system cannot find the file specified.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet
Explorer\Toolbar\WebBrowser\{014DA6C9-189F-421A-88CD-07CFE51CFF10}
{0E5CBF21-D15F-11D0-8301-00AA005B4383} C:\WINDOWS\system32\SHELL32.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet
Explorer\Toolbar\WebBrowser\{0E5CBF21-D15F-11D0-8301-00AA005B4383}
{825CF5BD-8862-4430-B771-0C15C5CA8DEF} C:\WINDOWS\EliteToolBar\EliteToolBar
version 58.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet
Explorer\Toolbar\WebBrowser\{825CF5BD-8862-4430-B771-0C15C5CA8DEF}
{4528BBE0-4E08-11D5-AD55-00010333D0AD} Error when opening a registry
key, the key doesn't exist. Key:
HKEY_CLASSES_ROOT\CLSID\{4528BBE0-4E08-11D5-AD55-00010333D0AD}\InprocServer32
System error message: The system cannot find the file specified.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer
Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
{4D5C8C25-D075-11d0-B416-00C04FB90376} C:\WINDOWS\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer
Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
{FE54FA40-D68C-11d2-98FA-00C0F0318AFE} C:\WINDOWS\System32\Shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer
Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
{32683183-48a0-441b-a342-7c2a440a9478} Error when opening a registry
key, the key doesn't exist. Key:
HKEY_CLASSES_ROOT\CLSID\{32683183-48a0-441b-a342-7c2a440a9478}\InprocServer32
System error message: The system cannot find the file specified.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer
Bars\{32683183-48a0-441b-a342-7c2a440a9478}
{4528BBE0-4E08-11D5-AD55-00010333D0AD} Error when opening a registry
key, the key doesn't exist. Key:
HKEY_CLASSES_ROOT\CLSID\{4528BBE0-4E08-11D5-AD55-00010333D0AD}\InprocServer32
System error message: The system cannot find the file specified.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer
Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
{9404901D-06DA-4B23-A0EE-3EA4F64EC9B3} C:\Program Files\Microsoft
Money\System\mnyviewer.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer
Bars\{9404901D-06DA-4B23-A0EE-3EA4F64EC9B3}
{EFA24E64-B078-11D0-89E4-00C04FC9E26E} C:\WINDOWS\System32\shdocvw.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer
Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
****************************************
All processes:
[System Process]
System
smss.exe
csrss.exe
winlogon.exe
services.exe
lsass.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
BRSVC01A.EXE
BRSS01A.EXE
spoolsv.exe
Nhksrv.exe
CDANTSRV.EXE
CTSVCCDA.EXE
ActivityDisk.exe
KodakCCS.exe
PcCtlCom.exe
ScsiAccess.EXE
svchost.exe
Tmntsrv.exe
tmproxy.exe
MsPMSPSv.exe
TmPfw.exe
alg.exe
rundll32.exe
explorer.exe
realsched.exe
devldr32.exe
pccguide.exe
PPActiveDetection.exe
SpySub.exe
sgmain.exe
sgbhp.exe
spywarescanner.exe
Go here to analyse the running processes:
http://www.kephyr.com/filedb/index.php
****************************************
Internet Explorer Settings:
Default_Page_URL http://www.dellnet.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
Local Page %SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
Search Page http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
Start Page ://www.google.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
SearchAssistant ://www.google.com/ie
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
CustomizeSearch http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix\
www http://
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\www
://www.google.com/keyword/%s
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\
provider gogl
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\provider
Default_Page_URL http://www.dellnet.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
Local Page C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
Search Bar ://www.google.com/ie
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
Search Page ://www.google.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
Start Page ://www.google.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
Use Search Asst no
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Use Search Asst
User Stylesheet
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Styles\User Stylesheet
****************************************
|
Clarification of Answer by
livioflores-ga
on
17 Dec 2004 20:24 PST
Hi!!
Thank you for the good rating and the generous tip!!
Except for the HOST section:
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
your HJT log appears to be clean.
I want to ask you a question: did you close all the open windows
of the web browser before clicking the Fix button in HJT?
If not, please do so and fix the HOSTS items again.
To modify the registry, if you know which registry entries are to
be modified and/or deleted, see the following pages:
"How to back up, edit, and restore the registry in Windows XP and
Windows Server 2003":
http://support.microsoft.com/kb/322756/en-us
"How to use the Windows Registry Editor":
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2000060422485506
"Backing up the Windows registry":
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/199762382617?OpenDocument&ExpandSection=1&Src=sec_doc_nam
"Editing the Registry":
http://www.winguides.com/registry/article.php?id=1&page=3
I hope that this helps you, and remember that I am here to answer any
request for further assistance that you need on this topic.
Best regards.
livioflores-ga
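As an added example (not code from this thread), here is a small Python script that reads the O1 lines of a HijackThis log and lists which hostnames the HOSTS file redirects to a remote address; the sample log lines are constructed from the entries quoted above.

```python
# Added example (not part of the original thread): scan HijackThis "O1 - Hosts:"
# lines and report HOSTS-file entries that send a hostname to a remote address.
import ipaddress
import re
from collections import defaultdict

O1_LINE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")

# Constructed sample log, built from the O1 entries quoted in the thread plus
# one benign blackhole entry and one unrelated O4 line.
SAMPLE_LOG = """\
Logfile of HijackThis v1.98.2
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 127.0.0.1 ad.doubleclick.net
O4 - HKCU\\..\\Run: [LwttRTc3W] broycc.exe
"""

def parse_o1_entries(log_text):
    """Return (address, hostname) pairs for every O1 line, duplicates included."""
    entries = []
    for line in log_text.splitlines():
        m = O1_LINE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def find_redirects(log_text):
    """Map each routable target address to the hostnames redirected to it.

    Entries pointing at loopback or 0.0.0.0 are the normal ad-blocking use of
    the HOSTS file; anything else silently reroutes lookups for that name.
    """
    redirects = defaultdict(set)
    for addr, host in parse_o1_entries(log_text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed address; skip rather than guess
        if ip.is_loopback or ip.is_unspecified:
            continue
        redirects[addr].add(host)
    return {addr: sorted(hosts) for addr, hosts in redirects.items()}

if __name__ == "__main__":
    for addr, hosts in find_redirects(SAMPLE_LOG).items():
        print(f"{addr} hijacks: {', '.join(hosts)}")
```

A hostname mapped to anything other than loopback or 0.0.0.0 deserves a look, because every lookup for that name is answered from the HOSTS file before DNS is consulted.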
|
Request for Answer Clarification by
bsieber-ga
on
20 Dec 2004 19:18 PST
At long last, I have my computer clean! No more pop-ups, and my HJT log
and HOSTS file are clean. The problem was a malware variant called VX2.
When I scanned my computer with AdAware and removed all possible
threats, I would receive an error message stating that something could
not be removed (it was some file in the registry, with a .dll
extension). With some research, I found this to be associated with the
VX2 malware variant. It seems to be a spyware redirector that places
files on your desktop and redirects your browser.
A forum on the Lavasoft website instructed me on how to get rid of the
VX2 with a few utility programs to download (and I had a little trouble
doing so, since the malware was programmed against doing so). Here is the
web address regarding the VX2 elimination:
http://www.lavasoftsupport.com/index.php?showtopic=54511&st=0&#entry369882
The latest copy of my HJT log is below. If you see any problems that
need further attention, that would be appreciated!
Thanks again for your help. The Trend Micro and AdAware were the best
suggestions. Trend Micro found several trojans my previously used
virus programs were not detecting....
Logfile of HijackThis v1.98.2
Scan saved at 9:10:25 PM, on 12/20/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Barry Sieber\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage",
"://www.google.com/"); (C:\Documents and Settings\Barry
Sieber\Application Data\Mozilla\Profiles\default\xs8dq9cs.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine",
"engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src");
(C:\Documents and Settings\Barry Sieber\Application
Data\Mozilla\Profiles\default\xs8dq9cs.slt\prefs.js)
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend
Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\Program
Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program
Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy
Sweeper\SpySweeper.exe" /0
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program
Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page -
res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Sothink SWF Decompiler - C:\Program
Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
O8 - Extra context menu item: Translate into English -
res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21}
- C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: SWFDecompiler -
{E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program
Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler -
{E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program
Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}
- C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) -
http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) -
http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13}
(PPSDKActiveXScanner.MainScreen) -
http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
http://software-dl.real.com/13c888a97d2be1836122/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control)
- http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
|
Clarification of Answer by
livioflores-ga
on
20 Dec 2004 21:25 PST
Wow!! You did it!!
Your HJT log appears to be clean to me, great news!!
I hope that you keep it clean for a looong time.
Remember to update all your security products at least once a week,
especially AdAware, PestPatrol and the Trend Micro antivirus.
Keeping them updated (preferably using the auto-update features
when available) will help to keep your computer free of pestware.
Best regards.
livioflores-ga
|