[I really need helpwith my log please!] -
I really need helpwith my log please!
Discuss I really need helpwith my log please!
Posted by: kings
Hello: I have problems with pop ups and programs that are installed in my machine.
I am using IE 6.0 and Mozilla Firefox 0.9.2
I have Norton Antivirus
And I ran all the lastest version of ad-aware se personal (it finds more than 200 new critical objects but after clean my computer up all those objects are back in my machine) and spybot but the problem persits. I think that the sidefind program is the origin of all my troubles.
I really appreciate any help, i use this computer to work. Thanks so much.
My log is:
Logfile of HijackThis v1.98.0
Scan saved at 10:59:40 PM, on 4/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Fkzwhum\Uyasjig.exe
C:\WINDOWS\qkidgj.exe
C:\WINDOWS\system32\ipiini.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\program files\180solutions\sais.exe
C:\WINDOWS\system32\Enchga.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\ofor\oform.exe
C:\PROGRA~1\COMMON~1\ofor\ofora.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT-98\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.comcast.net/[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - Default URLSearchHook is missing
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [WINDOWSflashbrg] C:\WINDOWS\sqldata1.exe
O4 - HKLM\..\Run: [s4rOGX2] C:\WINDOWS\qkidgj.exe
O4 - HKLM\..\Run: [ctorwn] C:\WINDOWS\ctorwn.exe
O4 - HKLM\..\Run: [Yyqzhima] C:\Program Files\Fkzwhum\Uyasjig.exe
O4 - HKLM\..\Run: [Á�³# K"h'þ9Óœ÷3rÅ�WC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\qkidgj.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\ipiini.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Ldtuhn.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Enchga.exe
O4 - HKLM\..\Run: [krepwlcf] C:\WINDOWS\krepwlcf.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ofor] C:\PROGRA~1\COMMON~1\ofor\oform.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - [url]http://www.comcast.net/[/url] (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - [url]http://www.comcastsupport.com/[/url] (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - [url]http://online.comcast.net/help/[/url] (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: Yahoo! Bingo - [url]http://download.games.yahoo.com/games/clients/y/xt0_x.cab[/url]
O16 - DPF: Yahoo! Chess - [url]http://download.games.yahoo.com/games/clients/y/ct2_x.cab[/url]
O16 - DPF: Yahoo! Pool 2 - [url]http://download.games.yahoo.com/games/clients/y/potd_x.cab[/url]
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - [url]http://messenger.zone.msn.com/binary/MineS...er.cab28578.cab[/url]
O16 - DPF: {31932A5C-9234-4377-A920-72E7DD340DB4} (Snapfish File Upload ActiveX Control) - [url]http://www.snapfish.com/SnapfishUpload.cab[/url]
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - [url]http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab[/url]
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url]http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab[/url]
O16 - DPF: {812A5592-FBF0-4D40-B0EF-CEA668406C0C} (Herramienta de carga de Yahoo! Fotos Class) - [url]http://us.dl1.yimg.com/download.yahoo.com/...ropper1_3es.cab[/url]
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - [url]http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab[/url]
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - [url]http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab[/url]
Posted by: Lobos
Hello kings Welcome to Tech forums
===============
Download, unzip to your desktop [url=http://www.intermute.com/spysubtract/cwshredder_download.html]CWShredder[/url] and run it, then:
1. Click "[b][i]Check For Update[/i][/b]" make sure your version is 2.14
([i]If an update isn't available, skip to step #4.[/i])
2. Click "[b][i]Click here to Download the upate[/i][/b]".
3. When the new version has been downloaded, click "[b][i]Save[/i][/b]".
4. Click "[b][i]Fix ->[/i][/b]"
===============
Let's look for, and delete, any program segments([i]prefetches[/i]) that might be present, and are associated with the '[i]problems[/i]' we're trying to remove from this system. To do this, let's:
1) Click "[b][i]Start | Search[/i][/b]", then search for each of these program's [i]base name(s)[/i], in all files and folders:
[b][color=#ff0000]ofora.exe*[/color][/b]
2) Then if any are found in the '[i]prefetch[/i]' folder, delete them.
Look closely, since the '[i]base[/i]' name will have a bunch of random numbers and letters attached to it.
===============
Go to [b]Add/Remove programs[/b] and remove(uninstall) the following, if present:
[b][color=#ff0000]180 Solutions[/color][/b]
[b][color=#ff0000]Internet Optimizer[/color][/b]
[b][color=#ff0000]SideFind[/color][/b]
[b][color=#ff0000]Virtual Bouncer[/color][/b]
The above could appear anywhere within the entry. Be careful not to remove any [i]personal[/i] or [i]system[/i] software.
===============
Download the [url=http://securityresponse.symantec.com/avcenter/venc/data/adware.istbar.html]Adware.Istbar[/url] removal utility from Symantec and following the instructions on the same page.
===============
Download [url=http://www.cexx.org/lspfix.htm ]LSPFix[/url] and unzip to your desktop, then run it. Now, we need to:
1. check(tick) "[b][i]I know what i'm doing[/i][/b]".
2. click on (highlight) each occurance of the following, one at a time:
[color=#ff0000][b]calsp.dll[/b][/color]
3. then click "[b][i]>>[/i][/b]", mo'ing each one, individually, to the 'Remove' pane.
4. [color=#ff0000][i](double-check, and make sure that only the above files are in the 'Remove'pane.)[/i][/color]
5. click "[b][i]Finish >>[/i][/b]"
===============
Download, then unzip to "[b]C:\HJT[/b]", the newest version of [url=http://www.spywareinfo.com/~merijn/files/hijackthis.zip]HiJackThis[/url]; [i]version 1.99.1[/i]. Then repost your log, either now, or after following the steps in the solution ([i]if provided in this post[/i]). [color=#ff0000][i]This version has features that might be more helpful in 'cleaning' up your system[/i][/color].
===============
Run [b]HiJackThis[/b] then:
1. Click "[b][i]Config...[/i][/b]"
2. Click "[b][i]Misc Tools[/i][/b]"
3. Click "[b][i]Open Process manager[/i][/b]"
-
Next, while holding down the [b]CTRL[/b] key, locate ([i]if present[/i]) and click on ([i]highlight[/i]) each of the following:
[b][color=#000000]C:\Program Files\Fkzwhum\[/color][color=#ff0000]Uyasjig.exe[/color][/b]
[b][color=#000000]C:\WINDOWS\[/color][color=#ff0000]qkidgj.exe[/color][/b]
[b][color=#000000]C:\WINDOWS\system32\[/color][color=#ff0000]ipiini.exe[/color][/b]
[b][color=#000000]C:\Program Files\ISTsvc\[/color][color=#ff0000]istsvc.exe[/color][/b]
[b][color=#000000]C:\Program Files\Internet Optimizer\[/color][color=#ff0000]optimize.exe[/color][/b]
[b][color=#000000]C:\program files\180solutions\[/color][color=#ff0000]sais.exe[/color][/b]
[b][color=#000000]C:\WINDOWS\system32\[/color][color=#ff0000]Enchga.exe[/color][/b]
[b][color=#000000]C:\PROGRA~1\COMMON~1\ofor\[/color][color=#ff0000]oform.exe[/color][/b]
[b][color=#000000]C:\PROGRA~1\COMMON~1\ofor\[/color][color=#ff0000]ofora.exe[/color][/b]
Now double-check and make sure that only those item(s) above are highlighted, then click "[b][i]Kill process[/i][/b]". Now, click "[b][i]Refresh[/i][/b]", check again, and repeat this step if any remain.
===============
Now, let's open a [b]command prompt[/b] and unregister the dll(s) we're going to remove, by entering the following:
[b][color=#000099]regsvr32 /u[/color] [color=#ff0000]nem220.dll[/color][/b]
[b][color=#000099]regsvr32 /u[/color] [color=#ff0000]sfbho.dll[/color][/b]
It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.
===============
Run [b]HiJackThis[/b] and click "[b][i]Scan[/i][/b]", then check(tick) the following, if present:
[color=#9933cc][b] R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa [/b][/color]
[color=#9933cc][b] R3 - Default URLSearchHook is missing [/b][/color]
[color=#9933cc][b] O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll [/b][/color]
[color=#9933cc][b] O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL (file missing) [/b][/color]
[color=#9933cc][b] O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll [/b][/color]
[color=#9933cc][b] O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe [/b][/color]
[color=#9933cc][b] O4 - HKLM\..\Run: [s4rOGX2] C:\WINDOWS\qkidgj.exe [/b][/color]
[color=#9933cc][b] O4 - HKLM\..\Run: [ctorwn] C:\WINDOWS\ctorwn.exe [/b][/color]
[color=#9933cc][b] O4 - HKLM\..\Run: [Yyqzhima] C:\Program Files\Fkzwhum\Uyasjig.exe [/b][/color]
[color=#9933cc][b] O4 - HKLM\..\Run: [Á�³# K"h'þ9Óœ÷3rÅ�WC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\qkidgj.exe [/b][/color]
[color=#9933cc][b] O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\ipiini.exe [/b][/color]
[color=#9933cc][b] O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe [/b][/color]
[color=#9933cc][b] O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe" [/b][/color]
[color=#9933cc][b] O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe [/b][/color]
[color=#9933cc][b] O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Ldtuhn.exe [/b][/color]
[color=#9933cc][b] O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Enchga.exe [/b][/color]
[color=#9933cc][b] O4 - HKLM\..\Run: [krepwlcf] C:\WINDOWS\krepwlcf.exe [/b][/color]
[color=#9933cc][b] O4 - HKCU\..\Run: [ofor] C:\PROGRA~1\COMMON~1\ofor\oform.exe [/b][/color]
[color=#9933cc][b] O4 - Global Startup: Image Transfer.lnk = ? [/b][/color]
[color=#9933cc][b] O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll [/b][/color]
Now, with all windows closed except [b]HiJackThis[/b], click "[b][i]Fix checked[/i][/b]".
===============
Locate and [color=#ff0000][i]delete the following item(s)[/i][/color], if present. Make sure your able to view system and hidden files/ folders:
[i]folders...[/i]
[b]C:\Program Files\[color=#ff0000]Fkzwhum[/color][/b]
[b]C:\Program Files\[color=#ff0000]ISTsvc[/color][/b]
[b]C:\Program Files\[color=#ff0000]Internet Optimizer[/color][/b]
[b]C:\program files\[color=#ff0000]180solutions[/color][/b]
[b]C:\PROGRA~1\COMMON~1\[color=#ff0000]ofor[/color][/b]
[b]C:\PROGRA~1\[color=#ff0000]Toolbar[/color][/b]
[b]C:\Program Files\[color=#ff0000]SideFind[/color][/b]
[b]C:\PROGRA~1\[color=#ff0000]VBouncer[/color][/b]
[b]h'þ9Óœ÷3rÅ�WC:\Program Files\[color=#ff0000]ISTsvc[/color][/b]
[i]files...[/i]
[b]C:\WINDOWS\[color=#ff0000]qkidgj.exe[/color][/b]
[b]C:\WINDOWS\system32\[color=#ff0000]ipiini.exe[/color][/b]
[b]C:\WINDOWS\system32\[color=#ff0000]Enchga.exe[/color][/b]
[b]C:\WINDOWS\[color=#ff0000]nem220.dll[/color][/b]
[b]C:\WINDOWS\[color=#ff0000]ctorwn.exe[/color][/b]
[b]C:\WINDOWS\system32\[color=#ff0000]Ldtuhn.exe[/color][/b]
[b]C:\WINDOWS\[color=#ff0000]krepwlcf.exe[/color][/b]
[b]c:\windows\system32\[color=#ff0000]calsp.dll[/color][/b]
-
Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're '[i]in use[/i]', try deleting them from "[url=http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam]Safe Mode[/url]".
===============
Go to [url=http://www.trendmicro.com/en/home/us/enterprise.htm]www.trendmicro.com[/url], and then:
1. Click "[b][i]Free Online Scan[/i][/b]".
2. Click "[b][i]Scan now, it's free[/i][/b]".
It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's down:
1. Select all available drives.
2. Check(tick) "[b][i]Auto Clean[/i][/b]".
3. Click "[b][i]Scan[/b][/i]".
When it completes, post back the full filename of any files that cannot be cleaned or deleted.
Post back a new log, and let me know how everything goes.
-
Lobos.
Posted by: kings
Dear Lobos,
Thanks so much for you help. I did everything you said. When I run the free online scan I found the following virus and files that cannot be cleaned or deleted from my system:
______________________________________
virus: HTML COOLWEB.A
File: c:\Documents and settings\Daniel Reyes\Application_Data\Sun\Java\Deployment\cache\j
ava\v1.0\file\Counter.class-65b432d-33b415cb.class
virus: JAVA BYTEVER.B
File: c:\Documents and settings\Daniel Reyes\Application Data\Sun\Java\Deployment\cache\java\v1.0\jar\archive.jar-2bd63a14-50202446.zip *Dummy Class*
virus: JAVA BYTEVER.B
File: c:\Documents and settings\Daniel Reyes\Application Data\Sun\Java\Deployment\cache\java\v1.0\jar\archive.jar-4ff9adc1-2bcc1c2e.zip *Dummy Class*
virus: JAVA BYTEVER.B
File: c:\Documents and settings\Daniel Reyes\Application Data\Sun\Java\Deployment\cache\java\v1.0\jar\archive.jar-69a085d6-4b999f39.zip *Dummy Class*
Virus: JAVA BYTEVER.A
File: c:\Documents and settings\Daniel Reyes\Application Data\Sun\Java\Deployment\cache\java\v1.0\jar\loaderadv77.jar-27633014-30f58694.zip *Dummy Class*
virus: TSPY SMALL.SN
File: c:\Program Files\Dzvla\Cayucib.exe
virus: TROJ AGENT.CAC
File: C:\WINDOWS\system32\calsp.dll
virus: TROJ DYFUCA.I
File: C:\WINDOWS\wsem303.dll
________________________________
My new log is this:
Logfile of HijackThis v1.99.1
Scan saved at 11:48:01 PM, on 4/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\Rdrsjr.exe
C:\Program Files\Dzvla\Cayucib.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Daniel Reyes\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.comcast.net/[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [WINDOWSflashbrg] C:\WINDOWS\sqldata1.exe
O4 - HKLM\..\Run: [Aa6Fm] C:\WINDOWS\vtwgacme.exe
O4 - HKLM\..\Run: [gtwv] C:\WINDOWS\gtwv.exe
O4 - HKLM\..\Run: [dt6erpB] C:\WINDOWS\myuid.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Bqiufu.exe
O4 - HKLM\..\Run: [pgvepgv] C:\WINDOWS\pgvepgv.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Rdrsjr.exe
O4 - HKLM\..\Run: [Ptqpgan] C:\Program Files\Dzvla\Cayucib.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - [url]http://www.comcast.net/[/url] (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - [url]http://www.comcastsupport.com/[/url] (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - [url]http://online.comcast.net/help/[/url] (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: Yahoo! Bingo - [url]http://download.games.yahoo.com/games/clients/y/xt0_x.cab[/url]
O16 - DPF: Yahoo! Chess - [url]http://download.games.yahoo.com/games/clients/y/ct2_x.cab[/url]
O16 - DPF: Yahoo! Pool 2 - [url]http://download.games.yahoo.com/games/clients/y/potd_x.cab[/url]
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - [url]http://messenger.zone.msn.com/binary/MineSweeper.cab28578.cab[/url]
O16 - DPF: {31932A5C-9234-4377-A920-72E7DD340DB4} (Snapfish File Upload ActiveX Control) - [url]http://www.snapfish.com/SnapfishUpload.cab[/url]
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - [url]http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab[/url]
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url]http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab[/url]
O16 - DPF: {812A5592-FBF0-4D40-B0EF-CEA668406C0C} (Herramienta de carga de Yahoo! Fotos Class) - [url]http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3es.cab[/url]
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - [url]http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab[/url]
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - [url]http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab[/url]
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Thanks so much again. I will be waiting for instructions.
Regards,
Daniel
Posted by: Lobos
Hello
We'll need to unload (not uninstall) [b]Intermute's SpySubtract[/b], since it might interfere with other program(s) we might be using to 'clean' off your system.
===============
If you haven't tried it yet, check it out. You can now use delete on boot more easily for multiple files.
Download-locations that I know of:
[url]http://www.downloads.subratam.org/KillBox.zip[/url]
[url]http://www.atribune.org/downloads/KillBox.exe[/url]
Copy a list of paths & filenames to the clipboard. In the Killbox,
Go to the toolbar to File> Paste from clipboard.
Press the button. The entire list will be processed. That should make things a lot simpler. No more one at a time. They do have to use the function as described, though. A right click and paste will only get one file processed.
Run Killbox.
Select "Delete on Reboot".
Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:
[code]
[b]C:\WINDOWS\system32\[color=#ff0000]Rdrsjr.exe[/color][/b]
[b]C:\WINDOWS\[color=#ff0000]wsem303.dll[/color][/b]
[b]C:\WINDOWS\[color=#ff0000]vtwgacme.exe[/color][/b]
[b]C:\WINDOWS\[color=#ff0000]gtwv.exe[/color][/b]
[b]C:\WINDOWS\[color=#ff0000]myuid.exe[/color][/b]
[b]C:\WINDOWS\system32\[color=#ff0000]Bqiufu.exe[/color][/b]
[b]C:\WINDOWS\[color=#ff0000]pgvepgv.exe[/color][/b]
[b]c:\Program Files\Dzvla\[color=#ff0000]Cayucib.exe[/color][/b]
[b]C:\WINDOWS\system32\[color=#ff0000]calsp.dll[/color][/b]
[b]C:\WINDOWS\[color=#ff0000]wsem303.dll[/color][/b]
[/code]
Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
===============
Run [b]HiJackThis[/b] then:
1. Click "[b][i]Config...[/i][/b]"
2. Click "[b][i]Misc Tools[/i][/b]"
3. Click "[b][i]Open Process manager[/i][/b]"
-
Next, while holding down the [b]CTRL[/b] key, locate ([i]if present[/i]) and click on ([i]highlight[/i]) each of the following:
[b][color=#000000]C:\WINDOWS\system32\[/color][color=#ff0000]Rdrsjr.exe[/color][/b]
[b][color=#000000]C:\Program Files\Dzvla\[/color][color=#ff0000]Cayucib.exe[/color][/b]
Now double-check and make sure that only those item(s) above are highlighted, then click "[b][i]Kill process[/i][/b]". Now, click "[b][i]Refresh[/i][/b]", check again, and repeat this step if any remain.
===============
Now, let's open a [b]command prompt[/b] and unregister the dll(s) we're going to remove, by entering the following:
[b][color=#000099]regsvr32 /u[/color] [color=#ff0000]wsem303.dll[/color][/b]
It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.
===============
Run [b]HiJackThis[/b] and click "[b][i]Scan[/i][/b]", then check(tick) the following, if present:
[color=#9933cc][b] O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll [/b][/color]
[color=#9933cc][b] O4 - HKLM\..\Run: [Aa6Fm] C:\WINDOWS\vtwgacme.exe [/b][/color]
[color=#9933cc][b] O4 - HKLM\..\Run: [gtwv] C:\WINDOWS\gtwv.exe [/b][/color]
[color=#9933cc][b] O4 - HKLM\..\Run: [dt6erpB] C:\WINDOWS\myuid.exe [/b][/color]
[color=#9933cc][b] O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Bqiufu.exe [/b][/color]
[color=#9933cc][b] O4 - HKLM\..\Run: [pgvepgv] C:\WINDOWS\pgvepgv.exe [/b][/color]
[color=#9933cc][b] O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Rdrsjr.exe [/b][/color]
[color=#9933cc][b] O4 - HKLM\..\Run: [Ptqpgan] C:\Program Files\Dzvla\Cayucib.exe [/b][/color]
Now, with all windows closed except [b]HiJackThis[/b], click "[b][i]Fix checked[/i][/b]".
===============
Locate and [color=#ff0000][i]delete the following item(s)[/i][/color], if present. Make sure your able to view system and hidden files/ folders:
[i]folders...[/i]
[b]C:\Program Files\[color=#ff0000]Dzvla[/color][/b]
reboot
===============
Post back a new log, and let me know how everything goes.
-
Lobos.
Posted by: kings
Hi Lobos: Thanks for your help. I did everything you said but I found all those anoying programs again in my machine. Really, I do not know what to do. This is my log....
Logfile of HijackThis v1.99.1
Scan saved at 10:55:31 PM, on 5/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\qevqie.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
c:\program files\180solutions\sais.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Daniel Reyes\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.comcast.net/[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - Default URLSearchHook is missing
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRA~1\ISTbar\istbar.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [WINDOWSflashbrg] C:\WINDOWS\sqldata1.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [H2ofB3] C:\WINDOWS\qevqie.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [qlsbmbuv] C:\WINDOWS\qlsbmbuv.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - [url]http://www.comcast.net/[/url] (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - [url]http://www.comcastsupport.com/[/url] (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - [url]http://online.comcast.net/help/[/url] (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: Yahoo! Bingo - [url]http://download.games.yahoo.com/games/clients/y/xt0_x.cab[/url]
O16 - DPF: Yahoo! Chess - [url]http://download.games.yahoo.com/games/clients/y/ct2_x.cab[/url]
O16 - DPF: Yahoo! Pool 2 - [url]http://download.games.yahoo.com/games/clients/y/potd_x.cab[/url]
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - [url]http://messenger.zone.msn.com/binary/MineSweeper.cab28578.cab[/url]
O16 - DPF: {31932A5C-9234-4377-A920-72E7DD340DB4} (Snapfish File Upload ActiveX Control) - [url]http://www.snapfish.com/SnapfishUpload.cab[/url]
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - [url]http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab[/url]
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url]http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab[/url]
O16 - DPF: {812A5592-FBF0-4D40-B0EF-CEA668406C0C} (Herramienta de carga de Yahoo! Fotos Class) - [url]http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3es.cab[/url]
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - [url]http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab[/url]
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - [url]http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab[/url]
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe
Posted by: Lobos
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.
Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.
For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).
===============
Boot into "[url=http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam]Safe Mode[/url]".
Go to [b]Add/Remove programs[/b] and remove(uninstall) the following, if present:
[b][color=#ff0000]180 Solutions[/color][/b]
[b][color=#ff0000]Bullseye Networks[/color][/b]
[b][color=#ff0000]Internet Optimizer[/color][/b]
[b][color=#ff0000]SideFind[/color][/b]
The above could appear anywhere within the entry. Be careful not to remove any [i]personal[/i] or [i]system[/i] software.
===============
Download the [url=http://securityresponse.symantec.com/avcenter/venc/data/adware.istbar.html]Adware.Istbar[/url] removal utility from Symantec and following the instructions on the same page.
===============
Run [b]HiJackThis[/b] then:
1. Click "[b][i]Config...[/i][/b]"
2. Click "[b][i]Misc Tools[/i][/b]"
3. Click "[b][i]Open Process manager[/i][/b]"
-
Next, while holding down the [b]CTRL[/b] key, locate ([i]if present[/i]) and click on ([i]highlight[/i]) each of the following:
[b][color=#000000]C:\Program Files\ISTsvc\[/color][color=#ff0000]istsvc.exe[/color][/b]
[b][color=#000000]C:\WINDOWS\[/color][color=#ff0000]qevqie.exe[/color][/b]
[b][color=#000000]C:\Program Files\Internet Optimizer\[/color][color=#ff0000]optimize.exe[/color][/b]
[b][color=#000000]C:\Program Files\BullsEye Network\bin\[/color][color=#ff0000]bargains.exe[/color][/b]
[b][color=#000000]c:\program files\180solutions\[/color][color=#ff0000]sais.exe[/color][/b]
Now double-check and make sure that only those item(s) above are highlighted, then click "[b][i]Kill process[/i][/b]". Now, click "[b][i]Refresh[/i][/b]", check again, and repeat this step if any remain.
===============
Now, let's open a [b]command prompt[/b] and unregister the dll(s) we're going to remove, by entering the following:
[b][color=#000099]regsvr32 /u[/color] [color=#ff0000]sfbho.dll[/color][/b]
[b][color=#000099]regsvr32 /u[/color] [color=#ff0000]msbe.dll[/color][/b]
It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.
===============
Run [b]HiJackThis[/b] and click "[b][i]Scan[/i][/b]", then check(tick) the following, if present:
[color=#9933cc][b] R3 - Default URLSearchHook is missing [/b][/color]
[color=#9933cc][b] O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll [/b][/color]
[color=#9933cc][b] O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll [/b][/color]
[color=#9933cc][b] O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe [/b][/color]
[color=#9933cc][b] O4 - HKLM\..\Run: [H2ofB3] C:\WINDOWS\qevqie.exe [/b][/color]
[color=#9933cc][b] O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe" [/b][/color]
[color=#9933cc][b] O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe [/b][/color]
[color=#9933cc][b] O4 - HKLM\..\Run: [qlsbmbuv] C:\WINDOWS\qlsbmbuv.exe [/b][/color]
[color=#9933cc][b] O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe [/b][/color]
[color=#9933cc][b] O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe [/b][/color]
[color=#9933cc][b] O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll [/b][/color]
[color=#9933cc][b] O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe [/b][/color]
Now, with all windows closed except [b]HiJackThis[/b], click "[b][i]Fix checked[/i][/b]".
===============
Locate and [color=#ff0000][i]delete the following item(s)[/i][/color], if present. Make sure your able to view system and hidden files/ folders:
[i]folders...[/i]
[b]C:\Program Files\[color=#ff0000]ISTsvc[/color][/b]
[b]C:\Program Files\[color=#ff0000]Internet Optimizer[/color][/b]
[b]C:\Program Files\[color=#ff0000]BullsEye Network[/color][/b]
[b]c:\program files\[color=#ff0000]180solutions[/color][/b]
[b]C:\Program Files\[color=#ff0000]SideFind[/color][/b]
[b]C:\Program Files\[color=#ff0000]Power Scan[/color][/b]
[i]files...[/i]
[b]C:\WINDOWS\[color=#ff0000]qevqie.exe[/color][/b]
[b]C:\WINDOWS\system32\[color=#ff0000]msbe.dll[/color][/b]
[b]C:\WINDOWS\[color=#ff0000]qlsbmbuv.exe[/color][/b]
[b]C:\WINDOWS\[color=#ff0000]zeta.exe[/color][/b]
-
===============
Post back a new log, and let me know how everything goes.
-
Lobos.
Posted by: kings
Hi Lobos,
When I go to Add/Remove programs , I do not have the 180 solution. I do have Uninstall 180sarch Assistant but when I tried to unistall it, it says that I have to be connected to internet to be able to uninstall it.
With respect to The BullsEye Network when I remove it nothing happens. It is still in my sistem.
I did do anything else, I prefer to wait for your opinion.
Thanks a lot.
Kings
Posted by: Lobos
try and complete as much as you can and we will finish what left
Posted by: kings
hello Lobos,
After doing what you told me to do, this is my log. (after reboot my computer).
Logfile of HijackThis v1.99.1
Scan saved at 8:51:31 PM, on 5/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Daniel Reyes\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.comcast.net/[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [WINDOWSflashbrg] C:\WINDOWS\sqldata1.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - [url]http://www.comcast.net/[/url] (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - [url]http://www.comcastsupport.com/[/url] (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - [url]http://online.comcast.net/help/[/url] (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: Yahoo! Bingo - [url]http://download.games.yahoo.com/games/clients/y/xt0_x.cab[/url]
O16 - DPF: Yahoo! Chess - [url]http://download.games.yahoo.com/games/clients/y/ct2_x.cab[/url]
O16 - DPF: Yahoo! Pool 2 - [url]http://download.games.yahoo.com/games/clients/y/potd_x.cab[/url]
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - [url]http://messenger.zone.msn.com/binary/MineSweeper.cab28578.cab[/url]
O16 - DPF: {31932A5C-9234-4377-A920-72E7DD340DB4} (Snapfish File Upload ActiveX Control) - [url]http://www.snapfish.com/SnapfishUpload.cab[/url]
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - [url]http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab[/url]
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url]http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab[/url]
O16 - DPF: {812A5592-FBF0-4D40-B0EF-CEA668406C0C} (Herramienta de carga de Yahoo! Fotos Class) - [url]http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3es.cab[/url]
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - [url]http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab[/url]
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - [url]http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab[/url]
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
_________________________________
I did not find any of these programas:
C:\WINDOWS\qevqie.exe
C:\WINDOWS\system32\msbe.dll
C:\WINDOWS\qlsbmbuv.exe
I do find a prefetch qevqie.exe tought. I erased it as well as one ISTVS.exe, BARGANS.EXE and Powerscan.exe...
So far, my system looks fine, doesn't it?
Kings
Posted by: Lobos
Now, let's open a [b]command prompt[/b] and unregister the dll(s) we're going to remove, by entering the following:
[b][color=#000099]regsvr32 /u[/color] [color=#ff0000]wsem303.dll[/color][/b]
It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.
===============
Run [b]HiJackThis[/b] and click "[b][i]Scan[/i][/b]", then check(tick) the following, if present:
[color=#9933cc][b] O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll [/b][/color]
[color=#9933cc][b] O4 - HKLM\..\Run: [WINDOWSflashbrg] C:\WINDOWS\sqldata1.exe [/b][/color]
Now, with all windows closed except [b]HiJackThis[/b], click "[b][i]Fix checked[/i][/b]".
===============
Locate and [color=#ff0000][i]delete the following item(s)[/i][/color], if present. Make sure your able to view system and hidden files/ folders:
[i]files...[/i]
[b]C:\WINDOWS\[color=#ff0000]wsem303.dll[/color][/b]
[b]C:\WINDOWS\[color=#ff0000]sqldata1.exe[/color][/b]
reboot
since you had alot on the system lets see if any of the online scanners pickup anything
Please run these two online scans. Make sure they are set to clean automatically:
[URL=http://housecall.trendmicro.com/]TrendMicro's HouseCall[/URL]
[URL=http://www.pandasoftware.com/activescan/]ActiveScan[/URL]
You should try to delete any files that these scanners are unable to clean. Then let us know if its working better and what the scans found.
Then scan again with HijackThis and post another log. along with the av logs if it could not clean something
===============
Post back a new log, and let me know how everything goes.
-
Lobos
Posted by: kings
Hello Lobos,
This is my new Log. Thanks again.
Logfile of HijackThis v1.99.1
Scan saved at 12:27:54 AM, on 5/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Daniel Reyes\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.comcast.net/[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - [url]http://www.comcast.net/[/url] (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - [url]http://www.comcastsupport.com/[/url] (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - [url]http://online.comcast.net/help/[/url] (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: Yahoo! Bingo - [url]http://download.games.yahoo.com/games/clients/y/xt0_x.cab[/url]
O16 - DPF: Yahoo! Chess - [url]http://download.games.yahoo.com/games/clients/y/ct2_x.cab[/url]
O16 - DPF: Yahoo! Pool 2 - [url]http://download.games.yahoo.com/games/clients/y/potd_x.cab[/url]
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - [url]http://messenger.zone.msn.com/binary/MineSweeper.cab28578.cab[/url]
O16 - DPF: {31932A5C-9234-4377-A920-72E7DD340DB4} (Snapfish File Upload ActiveX Control) - [url]http://www.snapfish.com/SnapfishUpload.cab[/url]
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - [url]http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab[/url]
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url]http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab[/url]
O16 - DPF: {812A5592-FBF0-4D40-B0EF-CEA668406C0C} (Herramienta de carga de Yahoo! Fotos Class) - [url]http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3es.cab[/url]
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - [url]http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab[/url]
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - [url]http://www.pandasoftware.com/activescan/as5/asinst.cab[/url]
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - [url]http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab[/url]
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Posted by: Lobos
your computer looks clean
If your computer is running fine then read below
To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial [url]http://www.greyknight17.com/spyware.htm#prevent[/url] and use the tools/programs provided.
Posted by: kings
Thanks so much for you help!
Posted by: Lobos
Your welcome happy surfing
Posted by: Warez Monster
Remove these files at your own risk
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL Entries found in this registry zone are potentially nasty. This application ([B2847E28-5D7D-4DEB-8B67-05D28BCF79F5] - Result: B2847E28-5D7D-4DEB-8B67-05D28BCF79F5) has been checked. If the name is made up of random letters, found in the folder 'Application Data' and the kind is 'Unknown' , it should be fixed. Must be fixed!
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url]http://a840.g.akamai.net/7/840/537/...all/xscan53.cab[/url] This entry is possibly nasty. Should be fixed.
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - [url]http://us.dl1.yimg.com/download.yah...utocomplete.cab[/url] Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed!