Note: The following is only a text archive! To view the actual forum discussion, please visit our website at http://www.tech-forums.net

Have I cleaned up everything after hijack

Posted by: bebe
Last week it appears I got a trojan WinBett and when I was in IE, pops were coming fast and furious and stuff was downloading on my machine. I have performed the following:
Ad-Aware SE Scan
E-trust virus Scan
Micro Trend Sysclean Scan
Microsoft AntiSpyware (Beta)
Spybot 1.3 Scan
Hijack This
I have cleaned out my temporary Internet files. I have also set my Active X controls to prompt. These all seem to have helped quite a bit, but I still think there is something hanging out there because as I am working periodically I get the Active X prompt to stop this pop-up from occurring [url]http://69.28.21.175/media/1[/url]
Here is my Hijack this log. Any help would be appreciated

Logfile of HijackThis v1.99.1
Scan saved at 12:05:59 PM, on 3/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\CA\ETRUST~1\realmon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\CA\Common\Alert\ALERT.EXE
C:\Program Files\Cisco VPN\cvpnd.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\CA\eTrust Antivirus\InoRpc.exe
C:\CA\eTrust Antivirus\InoRT.exe
C:\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Lotus\Notes\ntmulti.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\Compuware\Application Vantage Agent\OPTSA.exe
C:\WINDOWS\UMCSTUB.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\uvap9zts\uvap9zts.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
C:\WINDOWS\system\csnlljpebm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\cisco vpn\vpngui.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Cisco VPN\ipseclog.exe
C:\Lotus\Notes\NLNOTES.EXE
C:\Lotus\Notes\ntaskldr.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [url]http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com[/url]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]www.yahoo.com[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [url]http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url]www.yahoo.com[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [url]http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [url]http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com[/url]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [url]http://support.dell.com/[/url]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = mobile.gdls.com:8080
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {01DCF4AE-0869-4659-B2F9-528225900273} - C:\Program Files\uvap9zts\uvap9zts.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {047A78E9-1DE0-4FEB-9BCC-188D4F714FD6} - C:\Program Files\uvap9zts\uvap9zts.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {271A6CFE-3CCC-432B-A7D1-359F1917E061} - C:\Program Files\uvap9zts\uvap9zts.dll
O2 - BHO: (no name) - {2C2D16AC-A4E8-4BAF-98B3-1E0AD957F4E9} - C:\Program Files\uvap9zts\uvap9zts.dll
O2 - BHO: (no name) - {3735FFB3-4E8B-4B1F-B4FF-D0180B484F0B} - C:\Program Files\uvap9zts\uvap9zts.dll
O2 - BHO: (no name) - {550B6227-C8E4-41E7-8456-59DB834776A1} - C:\Program Files\uvap9zts\uvap9zts.dll
O2 - BHO: (no name) - {8EAE4C48-6A24-4FEC-89CE-80F5D31C30E6} - C:\Program Files\uvap9zts\uvap9zts.dll
O2 - BHO: (no name) - {8FD024EA-E1FE-4CA1-95F1-B0746E544FB9} - C:\Program Files\uvap9zts\uvap9zts.dll
O2 - BHO: (no name) - {B6107C03-C1EA-4435-BB4F-F5CD188D2F1F} - C:\Program Files\uvap9zts\uvap9zts.dll
O2 - BHO: (no name) - {BB4F6717-0AED-430B-8D9F-4FE208728AF1} - C:\Program Files\uvap9zts\uvap9zts.dll
O2 - BHO: (no name) - {C4548599-97B9-4883-BDAB-320145F85D1C} - C:\Program Files\uvap9zts\uvap9zts.dll
O2 - BHO: (no name) - {E2CB4EF4-BFFE-448C-B0C2-C54A28960D55} - C:\Program Files\uvap9zts\uvap9zts.dll
O2 - BHO: (no name) - {E6A2EE30-6152-4E98-9103-4D0D2F00BBF4} - C:\Program Files\uvap9zts\uvap9zts.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Realtime Monitor] C:\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [CA-AMAgent] \\gdllsdvthshc083\amagents$\amagent.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [uvap9zts] C:\Program Files\uvap9zts\uvap9zts.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [eB5tRQH7e] xcoapi32.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - Global Startup: General Dynamics Land Systems VPN Client.lnk = C:\Program Files\cisco vpn\vpngui.exe
O8 - Extra context menu item: &Search - [url]http://bar.mywebsearch.com/menusearch.html?p=ZSYYYYYY99US[/url]
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: Hummingbird Business Intelligence - [url]http://biweb/ADYCodebase/hclbimwe.cab[/url]
O16 - DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - [url]https://imeeting.gdls.com/imtapp/res/jar/cnsload.cab[/url]
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - [url]http://is002011.gdls.com/qp2.cab[/url]
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - [url]http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe[/url]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [url]http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099510061448[/url]
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - [url]http://ebusiness.gdls.com:8390/jinitiator/oajinit.exe[/url]
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - [url]http://www.alwaysupdatednews.com/install/aun_0032.exe[/url]
O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - [url]http://oasss02h.gdls.com:7778/jinitiator/jinit.exe[/url]
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - [url]http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab[/url]
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - [url]http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326[/url]
O17 - HKLM\System\CCS\Services\Tcpip\..\{961E20D2-AB39-4613-8FF7-01F344052AB0}: Domain = ls.gdls.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE5A5ABD-8BF6-4364-A0B0-AA9AE9359F02}: Domain = ls.gdls.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ls.gdls.com,gdls.com,cdn.gdls.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ls.gdls.com,gdls.com,cdn.gdls.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ls.gdls.com,gdls.com,cdn.gdls.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Alert Notification Server - Computer Associates International, Inc. - C:\CA\Common\Alert\ALERT.EXE
O23 - Service: Asset Management Agent (AmoAgent) - Computer Associates International, Inc. - C:\WINDOWS\UMCSTUB.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco VPN\cvpnd.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Lotus\Notes\ntmulti.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: ApplicationVantage Agent (VantageAgent) - Compuware - C:\Program Files\Compuware\Application Vantage Agent\OPTSA.exe

Posted by: bebe
More information.
Even if the PC is not hooked to the internet, when I click on IE, I can see it tries to go to web sites. It keeps saying connect or work offline. Also - it seems to be moving my icons around on my desktop and interrupts any games I am playing on my desktop

Posted by: ApM
I would install a popup blocker, I got mine free and it's great from Download.com it's called - PopupPopper 1.1 by Bayden, really easy to use and setup, blocks popup's silently.

Posted by: bebe
There already is a pop-up blocker

Posted by: bebe
I don't think pop-up blocker will solve the issue. There is something else going on here. If I were to actually connect to the internet it would give me pop-ups galore and then I would get messages that I have trojans and then it would start downloading software. The pop-ups are alerting me of a more serious threat I believe

Posted by: ApM
I didn't say it would solve the problem, I was simply saying get a pop-up blocker if you didn't have one. Have you tried running all the removal tools in safe mode? It sometimes can help. If you can connect to the internet in safe mode or not, try using TrendMicro new Beta Anti-virus and Spyware cleaner located on their website.

Posted by: bebe
All were done in safe mode after being done not in safe mode

Posted by: Lobos
Did you get your computer clean? If so may we see another HijackThis log

Posted by: bebe
This was the latest HijackThis log after all scans. Have not used that computer since

Posted by: rstones12
bebe,
As Lobos has suggested, can you please post a new HJT log, it has been a few days and we would like to see an updated log. You do have some issues we need to clean up.
Thanks,
rstones12

Posted by: bebe
I can do that, but the log I posted was the latest log. I have not even used that PC since. I am using another PC at another location to post replies

Posted by: rstones12
bebe,
Do this on the PC that is infected.
We are going to need to remove a few things, but first I would like you to do the following: The reason I am asking for these first initial steps is that it can clear up some items in the first part of the fix if needed. I have outlined some preliminary steps that we need to address.

[b]You may want to print out these instructions for reference.[/b] This process will take a few steps so please be patient and follow the provided directions.

[b][1.][/b] First Download [url=http://cwshredder.net/bin/CWShredder.exe][color=blue]CWShredder[/color][/url] and save it to your desktop. Close all open browser windows and any other open windows. Install CWShredder, then:
Open CWS and click [b]Check for Updates[/b]
Then click [b]"FIX"[/b]

[b][2.][/b] Please run at least one of these online scans, allow it to delete anything it finds: You may have to select the auto-fix option prior to scanning, it should be a selection box on the screen. If you are a dial-up user just do one, this can take some time. If you are a broadband user, I would suggest at least 2 of the 3. One extra scan is most often times enough.
[list]
[url=http://housecall.trendmicro.com/housecall/start_corp.asp][color=blue]TrendMicro HouseCall[/color][/url]
[url=http://www.pandasoftware.com/activescan/com/activescan_principal.htm][color=blue]Panda ActiveScan[/color][/url]
[url=http://www3.ca.com/virusinfo/virusscan.aspx][color=blue]eTrust AntiVirus Web Scanner[/color][/url]
[/list]
Please make a note of anything that wasn't or couldn't be fixed. Reboot your machine when finished.

[b][3.][/b] You [b]may have[/b] run these programs already, make sure they are up to date and run per provided instructions.
Current Versions are:
[b]Spybot S&D Ver: 1.3[/b] [url=http://www.safer-networking.org/en/download/index.html][color=blue]Download Here[/color][/url]
[b]Ad-Aware SE Build 1.05[/b] [url=http://www.majorgeeks.com/download506.html][color=blue]Download Here[/color][/url]
Download and install both Spybot S&D and Ad-Aware SE.

Instructions:

[b]Spybot S&D:[/b]
Go to your Start Menu >> Programs >> Spybot S&D >> then choose Spybot S&D.
[b]*[/b]Close [b]ALL [/b]windows except Spybot S&D
[b]*[/b]Click the button to [b]"Search for Updates"[/b] and download and install the Updates.
[b]*[/b]Close Spybot then launch it again
[b]*[/b]Click the button [b]"Check for Problems" [/b]
[b]*[/b]When Spybot is done scanning, it will be showing "RED" (RED) entries, "BLACK" entries and "GREEN" (GREEN) entries in the window
[b]*[/b]Put a check mark beside the RED [color=red](RED) entries ONLY.[/color]
[b]*[/b]Choose "Fix Selected Problems" and allow Spybot to fix the RED [color=red](RED)[/color] entries.

[b]Ad-Aware SE FULL SCAN:[/b]
Go to your Start Menu >> Programs >> Lavasoft Ad-Aware SE >> then choose Ad-Aware SE Personal.
When the main window opens look in the bottom right corner and click on [b]Check For Updates Now[/b] then click Connect and download the latest reference files.
From main window:
[b]*[/b]Click Start then under Select a scan Mode check [b]Perform Full System Scan.[/b]
[b]*[/b]Next [color=red]deselect [/color]Search for negligible risk entries.
[b]*[/b]To scan just click the [b]Next[/b] button.
When the scan has finished [b]mark everything for removal [/b]and get rid of it. [i](Right-click the window and choose [b]select all[/b] from the drop down menu and click Next)[/i] The program will ask if you want to fix/delete selected items, choose yes/fix.

[b][4.][/b] Enable show hidden files and folders:
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

[b][5.][/b] [b]Update[/b] your current Virus Scan Definitions:

[b][6.][/b] Reboot into Safe Mode and [b]Scan[/b] with Spybot S&D and Ad-Aware SE. Then Scan with your Anti-Virus Program

[b][7.][/b] Delete your temp files:
Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.
Empty Your Recycle Bin.
[b][8.][/b] Reboot normally and post a new HJT log by using [b]Post a Reply[/b]:
Thanks,
rstones12

Posted by: bebe
Logfile of HijackThis v1.99.1
Scan saved at 11:42:44 AM, on 3/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\CA\Common\Alert\ALERT.EXE
C:\Program Files\Cisco VPN\cvpnd.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\CA\eTrust Antivirus\InoRpc.exe
C:\CA\eTrust Antivirus\InoRT.exe
C:\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Lotus\Notes\ntmulti.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compuware\Application Vantage Agent\OPTSA.exe
C:\WINDOWS\UMCSTUB.EXE
C:\CA\ETRUST~1\realmon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\uvap9zts\uvap9zts.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\WINDOWS\system\csnlljpebm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\cisco vpn\vpngui.exe
C:\Program Files\Cisco VPN\ipseclog.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Lotus\Notes\NLNOTES.EXE
C:\Lotus\Notes\ntaskldr.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [url]http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com[/url]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]www.yahoo.com[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [url]http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url]www.yahoo.com[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [url]http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [url]http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com[/url]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [url]http://support.dell.com/[/url]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = mobile.gdls.com:8080
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {01DCF4AE-0869-4659-B2F9-528225900273} - C:\Program Files\uvap9zts\uvap9zts.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {047A78E9-1DE0-4FEB-9BCC-188D4F714FD6} - C:\Program Files\uvap9zts\uvap9zts.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {271A6CFE-3CCC-432B-A7D1-359F1917E061} - C:\Program Files\uvap9zts\uvap9zts.dll
O2 - BHO: (no name) - {2C2D16AC-A4E8-4BAF-98B3-1E0AD957F4E9} - C:\Program Files\uvap9zts\uvap9zts.dll
O2 - BHO: (no name) - {3735FFB3-4E8B-4B1F-B4FF-D0180B484F0B} - C:\Program Files\uvap9zts\uvap9zts.dll
O2 - BHO: (no name) - {550B6227-C8E4-41E7-8456-59DB834776A1} - C:\Program Files\uvap9zts\uvap9zts.dll
O2 - BHO: (no name) - {8EAE4C48-6A24-4FEC-89CE-80F5D31C30E6} - C:\Program Files\uvap9zts\uvap9zts.dll
O2 - BHO: (no name) - {8FD024EA-E1FE-4CA1-95F1-B0746E544FB9} - C:\Program Files\uvap9zts\uvap9zts.dll
O2 - BHO: (no name) - {B6107C03-C1EA-4435-BB4F-F5CD188D2F1F} - C:\Program Files\uvap9zts\uvap9zts.dll
O2 - BHO: (no name) - {BB4F6717-0AED-430B-8D9F-4FE208728AF1} - C:\Program Files\uvap9zts\uvap9zts.dll
O2 - BHO: (no name) - {C4548599-97B9-4883-BDAB-320145F85D1C} - C:\Program Files\uvap9zts\uvap9zts.dll
O2 - BHO: (no name) - {E2CB4EF4-BFFE-448C-B0C2-C54A28960D55} - C:\Program Files\uvap9zts\uvap9zts.dll
O2 - BHO: (no name) - {E6A2EE30-6152-4E98-9103-4D0D2F00BBF4} - C:\Program Files\uvap9zts\uvap9zts.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Realtime Monitor] C:\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [CA-AMAgent] \\gdllsdvthshc083\amagents$\amagent.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [uvap9zts] C:\Program Files\uvap9zts\uvap9zts.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [eB5tRQH7e] xcoapi32.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - Global Startup: General Dynamics Land Systems VPN Client.lnk = C:\Program Files\cisco vpn\vpngui.exe
O8 - Extra context menu item: &Search - [url]http://bar.mywebsearch.com/menusearch.html?p=ZSYYYYYY99US[/url]
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: Hummingbird Business Intelligence - [url]http://biweb/ADYCodebase/hclbimwe.cab[/url]
O16 - DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - [url]https://imeeting.gdls.com/imtapp/res/jar/cnsload.cab[/url]
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - [url]http://is002011.gdls.com/qp2.cab[/url]
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - [url]http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe[/url]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [url]http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099510061448[/url]
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - [url]http://ebusiness.gdls.com:8390/jinitiator/oajinit.exe[/url]
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - [url]http://www.alwaysupdatednews.com/install/aun_0032.exe[/url]
O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - [url]http://oasss02h.gdls.com:7778/jinitiator/jinit.exe[/url]
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - [url]http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab[/url]
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - [url]http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326[/url]
O17 - HKLM\System\CCS\Services\Tcpip\..\{961E20D2-AB39-4613-8FF7-01F344052AB0}: Domain = ls.gdls.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE5A5ABD-8BF6-4364-A0B0-AA9AE9359F02}: Domain = ls.gdls.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ls.gdls.com,gdls.com,cdn.gdls.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ls.gdls.com,gdls.com,cdn.gdls.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ls.gdls.com,gdls.com,cdn.gdls.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Alert Notification Server - Computer Associates International, Inc. - C:\CA\Common\Alert\ALERT.EXE
O23 - Service: Asset Management Agent (AmoAgent) - Computer Associates International, Inc. - C:\WINDOWS\UMCSTUB.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco VPN\cvpnd.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Lotus\Notes\ntmulti.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: ApplicationVantage Agent (VantageAgent) - Compuware - C:\Program Files\Compuware\Application Vantage Agent\OPTSA.exe

Posted by: bebe
Sorry - I posted the HijackThis before I ran the CWS shredder and the other couple scans - I will post again when complete

Posted by: bebe
Logfile of HijackThis v1.99.1
Scan saved at 3:00:59 PM, on 3/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\CA\Common\Alert\ALERT.EXE
C:\Program Files\Cisco VPN\cvpnd.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\CA\eTrust Antivirus\InoRpc.exe
C:\CA\eTrust Antivirus\InoRT.exe
C:\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Lotus\Notes\ntmulti.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compuware\Application Vantage Agent\OPTSA.exe
C:\WINDOWS\UMCSTUB.EXE
C:\CA\ETRUST~1\realmon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\uvap9zts\uvap9zts.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE
C:\Program Files\cisco vpn\vpngui.exe
C:\Program Files\Cisco VPN\ipseclog.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url]www.yahoo.com[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [url]http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [url]http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com[/url]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [url]http://support.dell.com/[/url]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = mobile.gdls.com:8080
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {01DCF4AE-0869-4659-B2F9-528225900273} - C:\Program Files\uvap9zts\uvap9zts.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {047A78E9-1DE0-4FEB-9BCC-188D4F714FD6} - C:\Program Files\uvap9zts\uvap9zts.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {271A6CFE-3CCC-432B-A7D1-359F1917E061} - C:\Program Files\uvap9zts\uvap9zts.dll
O2 - BHO: (no name) - {2C2D16AC-A4E8-4BAF-98B3-1E0AD957F4E9} - C:\Program Files\uvap9zts\uvap9zts.dll
O2 - BHO: (no name) - {3735FFB3-4E8B-4B1F-B4FF-D0180B484F0B} - C:\Program Files\uvap9zts\uvap9zts.dll
O2 - BHO: (no name) - {550B6227-C8E4-41E7-8456-59DB834776A1} - C:\Program Files\uvap9zts\uvap9zts.dll
O2 - BHO: (no name) - {8EAE4C48-6A24-4FEC-89CE-80F5D31C30E6} - C:\Program Files\uvap9zts\uvap9zts.dll
O2 - BHO: (no name) - {8FD024EA-E1FE-4CA1-95F1-B0746E544FB9} - C:\Program Files\uvap9zts\uvap9zts.dll
O2 - BHO: (no name) - {B6107C03-C1EA-4435-BB4F-F5CD188D2F1F} - C:\Program Files\uvap9zts\uvap9zts.dll
O2 - BHO: (no name) - {BB4F6717-0AED-430B-8D9F-4FE208728AF1} - C:\Program Files\uvap9zts\uvap9zts.dll
O2 - BHO: (no name) - {C4548599-97B9-4883-BDAB-320145F85D1C} - C:\Program Files\uvap9zts\uvap9zts.dll
O2 - BHO: (no name) - {E2CB4EF4-BFFE-448C-B0C2-C54A28960D55} - C:\Program Files\uvap9zts\uvap9zts.dll
O2 - BHO: (no name) - {E6A2EE30-6152-4E98-9103-4D0D2F00BBF4} - C:\Program Files\uvap9zts\uvap9zts.dll
O3 - Toolbar: &Yahoo! 
Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_ 7_0.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Realtime Monitor] C:\CA\ETRUST~1\realmon.exe -s O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe" O4 - HKLM\..\Run: [CA-AMAgent] \\gdllsdvthshc083\amagents$\amagent.exe O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 4.exe O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe O4 - HKLM\..\Run: [uvap9zts] C:\Program Files\uvap9zts\uvap9zts.exe O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1 O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet O4 - HKCU\..\Run: [eB5tRQH7e] xcoapi32.exe O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup O4 - Global Startup: General Dynamics Land Systems VPN Client.lnk = C:\Program Files\cisco vpn\vpngui.exe O8 - Extra context menu item: &Yahoo! 
Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU) O16 - DPF: Hummingbird Business Intelligence - [url]http://biweb/ADYCodebase/hclbimwe.cab[/url] O16 - DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - [url]https://imeeting.gdls.com/imtapp/res/jar/cnsload.cab[/url] O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - [url]http://is002011.gdls.com/qp2.cab[/url] O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - [url]http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/[/url] us/win/QuickTimeInstaller.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [url]http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuw[/url] eb_site.cab?1099510061448 O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url]http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housec[/url] all/xscan53.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} 
(ActiveScan Installer Class) - [url]http://www.pandasoftware.com/activescan/as5/asinst.cab[/url] O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - [url]http://ebusiness.gdls.com:8390/jinitiator/oajinit.exe[/url] O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - [url]http://www.alwaysupdatednews.com/install/aun_0032.exe[/url] O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - [url]http://oasss02h.gdls.com:7778/jinitiator/jinit.exe[/url] O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - [url]http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab[/url] O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - [url]http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326[/url] O17 - HKLM\System\CCS\Services\Tcpip\..\{961E20D2-AB39-4613-8FF7-01F344052AB0}: Domain = ls.gdls.com O17 - HKLM\System\CCS\Services\Tcpip\..\{EE5A5ABD-8BF6-4364-A0B0-AA9AE9359F02}: Domain = ls.gdls.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ls.gdls.com,gdls.com,cdn.gdls.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ls.gdls.com,gdls.com,cdn.gdls.com O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ls.gdls.com,gdls.com,cdn.gdls.com O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: Alert Notification Server - Computer Associates International, Inc. - C:\CA\Common\Alert\ALERT.EXE O23 - Service: Asset Management Agent (AmoAgent) - Computer Associates International, Inc. - C:\WINDOWS\UMCSTUB.EXE O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco VPN\cvpnd.exe O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. 
- C:\CA\eTrust Antivirus\InoRpc.exe O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\CA\eTrust Antivirus\InoRT.exe O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\CA\eTrust Antivirus\InoTask.exe O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Lotus\Notes\ntmulti.exe O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe O23 - Service: ApplicationVantage Agent (VantageAgent) - Compuware - C:\Program Files\Compuware\Application Vantage Agent\OPTSA.exe Also here i sthe log from the panda scan that it said it could not fix Incident Status Location Spyware:Spyware/ClearSearch No disinfected C:\Program Files\uvap9zts\uvap9zts.dll Spyware:Spyware/ClearSearch No disinfected C:\Program Files\uvap9zts\uvap9zts.exe Spyware:Spyware/ClearSearch No disinfected C:\PROGRA~1\uvap9zts\uvap9zts.exe Adware:Adware/nCase No disinfected Windows Registry Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\inf\payload2.inf Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\system32\inneradinstall.log Adware:Adware/Transponder No disinfected Windows Registry Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\temp.fr4D66 Adware:Adware/Minibug.A No disinfected C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll Adware:Adware/AdDestroyer No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\B8B6853B-62E3-4B9F-8459-027868\30E3E32E-0E6F-42F6-B695-AB89A3 Adware:Adware/AdDestroyer No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\B8B6853B-62E3-4B9F-8459-027868\35FE4DAC-F879-438A-8C85-C9F297 Adware:Adware/AdDestroyer No disinfected C:\Program Files\Microsoft 
AntiSpyware\Quarantine\B8B6853B-62E3-4B9F-8459-027868\36229974-A994-49F5-AFAC-2B012F Spyware:Spyware/ClearSearch No disinfected C:\Program Files\uvap9zts\1pu425cp.DLL Spyware:Spyware/ClearSearch No disinfected C:\Program Files\uvap9zts\e659wudw.DLL Spyware:Spyware/ClearSearch No disinfected C:\Program Files\uvap9zts\ejb6xg6o.DLL Spyware:Spyware/ClearSearch No disinfected C:\Program Files\uvap9zts\ood382iy.DLL Spyware:Spyware/ClearSearch No disinfected C:\Program Files\uvap9zts\uvap9zts.dll Spyware:Spyware/ClearSearch No disinfected C:\Program Files\uvap9zts\uvap9zts.exe Spyware:Spyware/ClearSearch No disinfected C:\Program Files\uvap9zts\uvap9zts1\uvap9zts1.dll Spyware:Spyware/ClearSearch No disinfected C:\Program Files\uvap9zts\uvap9zts1\uvap9zts1.exe Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\BundleOuter2504040406.exe Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\setup4002b.ini Virus:Trj/Startpage.SJ Disinfected C:\WINDOWS\system\csnlljpebm.exe Spyware:Spyware/ClearSearch No disinfected C:\WINDOWS\system32\Cache\CSv13P108.exe Adware:Adware/FunWeb No disinfected C:\WINDOWS\system32\f3PSSavr.scr Adware:Adware/eZula No disinfected C:\WINDOWS\system32\psis80ex.ax[mscb.dll] Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\psis80ex.ax[cashback.exe] Posted by: bebe FYI - The panda scan had so much junk in it I believe because when I was running the first scan, the popups started fast and furious and that was when all that stuff got in. Once I ran all the other scans alot of stuff got cleaned up. Let me know what things I have left to clean up - Thanks Posted by: rstones12 bebe, Can you post an updated HJT log and we can get started. Thanks, rstones12 Posted by: bebe Thanks so much Sorry - I got off last night - I can send one up tonight after I get home from work. Hopefully will can connect with each other. 
I am guessing it will be around 8-9 est Thanks again Posted by: bebe Logfile of HijackThis v1.99.1 Scan saved at 7:38:09 PM, on 3/22/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\CA\Common\Alert\ALERT.EXE C:\Program Files\Cisco VPN\cvpnd.exe C:\WINDOWS\SYSTEM32\DWRCS.EXE C:\CA\eTrust Antivirus\InoRpc.exe C:\CA\eTrust Antivirus\InoRT.exe C:\CA\eTrust Antivirus\InoTask.exe C:\WINDOWS\LogWatNT.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Lotus\Notes\ntmulti.exe C:\WINDOWS\System32\tcpsvcs.exe C:\WINDOWS\System32\snmp.exe C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe C:\Program Files\Compuware\Application Vantage Agent\OPTSA.exe C:\WINDOWS\UMCSTUB.EXE C:\WINDOWS\Explorer.EXE C:\CA\ETRUST~1\realmon.exe C:\Program Files\Microsoft IntelliPoint\point32.exe C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 4.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\Program Files\uvap9zts\uvap9zts.exe C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\WINDOWS\system32\RUNDLL32.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE C:\Program Files\cisco vpn\vpngui.exe C:\Program Files\Cisco VPN\ipseclog.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\HJT\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.y[/url] ahoo.com/ext/search/search.html R1 - 
HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.y[/url] ahoo.com/ext/search/search.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url]www.yahoo.com[/url] R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [url]http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.y[/url] ahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [url]http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.y[/url] ahoo.com R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [url]http://support.dell.com/[/url] R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = mobile.gdls.com:8080 R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file) F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe O2 - BHO: (no name) - {01DCF4AE-0869-4659-B2F9-528225900273} - C:\Program Files\uvap9zts\uvap9zts.dll O2 - BHO: Yahoo! 
Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_ 7_0.dll O2 - BHO: (no name) - {047A78E9-1DE0-4FEB-9BCC-188D4F714FD6} - C:\Program Files\uvap9zts\uvap9zts.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {271A6CFE-3CCC-432B-A7D1-359F1917E061} - C:\Program Files\uvap9zts\uvap9zts.dll O2 - BHO: (no name) - {2C2D16AC-A4E8-4BAF-98B3-1E0AD957F4E9} - C:\Program Files\uvap9zts\uvap9zts.dll O2 - BHO: (no name) - {3735FFB3-4E8B-4B1F-B4FF-D0180B484F0B} - C:\Program Files\uvap9zts\uvap9zts.dll O2 - BHO: (no name) - {550B6227-C8E4-41E7-8456-59DB834776A1} - C:\Program Files\uvap9zts\uvap9zts.dll O2 - BHO: (no name) - {8EAE4C48-6A24-4FEC-89CE-80F5D31C30E6} - C:\Program Files\uvap9zts\uvap9zts.dll O2 - BHO: (no name) - {8FD024EA-E1FE-4CA1-95F1-B0746E544FB9} - C:\Program Files\uvap9zts\uvap9zts.dll O2 - BHO: (no name) - {B6107C03-C1EA-4435-BB4F-F5CD188D2F1F} - C:\Program Files\uvap9zts\uvap9zts.dll O2 - BHO: (no name) - {BB4F6717-0AED-430B-8D9F-4FE208728AF1} - C:\Program Files\uvap9zts\uvap9zts.dll O2 - BHO: (no name) - {C4548599-97B9-4883-BDAB-320145F85D1C} - C:\Program Files\uvap9zts\uvap9zts.dll O2 - BHO: (no name) - {E2CB4EF4-BFFE-448C-B0C2-C54A28960D55} - C:\Program Files\uvap9zts\uvap9zts.dll O2 - BHO: (no name) - {E6A2EE30-6152-4E98-9103-4D0D2F00BBF4} - C:\Program Files\uvap9zts\uvap9zts.dll O3 - Toolbar: &Yahoo! 
Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_ 7_0.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Realtime Monitor] C:\CA\ETRUST~1\realmon.exe -s O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe" O4 - HKLM\..\Run: [CA-AMAgent] \\gdllsdvthshc083\amagents$\amagent.exe O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 4.exe O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe O4 - HKLM\..\Run: [uvap9zts] C:\Program Files\uvap9zts\uvap9zts.exe O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1 O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet O4 - HKCU\..\Run: [eB5tRQH7e] xcoapi32.exe O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup O4 - Global Startup: General Dynamics Land Systems VPN Client.lnk = C:\Program Files\cisco vpn\vpngui.exe O8 - Extra context menu item: &Yahoo! 
Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU) O16 - DPF: Hummingbird Business Intelligence - [url]http://biweb/ADYCodebase/hclbimwe.cab[/url] O16 - DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - [url]https://imeeting.gdls.com/imtapp/res/jar/cnsload.cab[/url] O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - [url]http://is002011.gdls.com/qp2.cab[/url] O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - [url]http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/[/url] us/win/QuickTimeInstaller.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [url]http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuw[/url] eb_site.cab?1099510061448 O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url]http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housec[/url] all/xscan53.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} 
(ActiveScan Installer Class) - [url]http://www.pandasoftware.com/activescan/as5/asinst.cab[/url] O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - [url]http://ebusiness.gdls.com:8390/jinitiator/oajinit.exe[/url] O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - [url]http://www.alwaysupdatednews.com/install/aun_0032.exe[/url] O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - [url]http://oasss02h.gdls.com:7778/jinitiator/jinit.exe[/url] O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - [url]http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab[/url] O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - [url]http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326[/url] O17 - HKLM\System\CCS\Services\Tcpip\..\{961E20D2-AB39-4613-8FF7-01F344052AB0}: Domain = ls.gdls.com O17 - HKLM\System\CCS\Services\Tcpip\..\{EE5A5ABD-8BF6-4364-A0B0-AA9AE9359F02}: Domain = ls.gdls.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ls.gdls.com,gdls.com,cdn.gdls.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ls.gdls.com,gdls.com,cdn.gdls.com O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ls.gdls.com,gdls.com,cdn.gdls.com O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: Alert Notification Server - Computer Associates International, Inc. - C:\CA\Common\Alert\ALERT.EXE O23 - Service: Asset Management Agent (AmoAgent) - Computer Associates International, Inc. - C:\WINDOWS\UMCSTUB.EXE O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco VPN\cvpnd.exe O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. 
- C:\CA\eTrust Antivirus\InoRpc.exe O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\CA\eTrust Antivirus\InoRT.exe O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\CA\eTrust Antivirus\InoTask.exe O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Lotus\Notes\ntmulti.exe O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe O23 - Service: ApplicationVantage Agent (VantageAgent) - Compuware - C:\Program Files\Compuware\Application Vantage Agent\OPTSA.exe Posted by: rstones12 bebe, OK, Go to your Start | Control Panel | Add-Remove Programs Remove these programs if found: [b] WeatherBug ViewPoint Manager uvap9zts [/b] Additionally you can remove these as well [b] SpyKiller BestPopUpKiller [/b] I will let you decide for yourself: [url]http://www.spywarewarrior.com/rogue_anti-spyware.htm[/url] Scan with HJT and place a checkmark next to the following items: [b] R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://red.clientapps.yahoo.com/cus...6/*[url]http://www.yahoo.com/ext/search/search.html[/url] R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://red.clientapps.yahoo.com/cus...6/*[url]http://www.yahoo.com/ext/search/search.html[/url] R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [url]http://red.clientapps.yahoo.com/cus...6/*[url]http://www.yahoo.com[/url] R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [url]http://red.clientapps.yahoo.com/cus...6/*[url]http://www.yahoo.com[/url] R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file) O2 - BHO: (no name) - {01DCF4AE-0869-4659-B2F9-528225900273} - C:\ProgramFiles\uvap9zts\uvap9zts.dll O2 - 
BHO: (no name) - 047A78E9-1DE0-4FEB-9BCC-188D4F714FD6} - C:\ProgramFiles\uvap9zts\uvap9zts.dll O2 - BHO: (no name) - 2C2D16AC-A4E8-4BAF-98B3-1E0AD957F4E9} - C:\ProgramFiles\uvap9zts\uvap9zts.dll O2 - BHO: (no name) - {3735FFB3-4E8B-4B1F-B4FF-D0180B484F0B} - C:\ProgramFiles\uvap9zts\uvap9zts.dll O2 - BHO: (no name) - 550B6227-C8E4-41E7-8456-59DB834776A1} - C:\ProgramFiles\uvap9zts\uvap9zts.dll O2 - BHO: (no name) - 8EAE4C48-6A24-4FEC-89CE-80F5D31C30E6} - C:\ProgramFiles\uvap9zts\uvap9zts.dll O2 - BHO: (no name) - {8FD024EA-E1FE-4CA1-95F1-B0746E544FB9} - C:\ProgramFiles\uvap9zts\uvap9zts.dll O2 - BHO: (no name) - B6107C03-C1EA-4435-BB4F-F5CD188D2F1F} - C:\ProgramFiles\uvap9zts\uvap9zts.dll O2 - BHO: (no name) - {BB4F6717-0AED-430B-8D9F-4FE208728AF1} - C:\ProgramFiles\uvap9zts\uvap9zts.dll O2 - BHO: (no name) - C4548599-97B9-4883-BDAB-320145F85D1C} - C:\ProgramFiles\uvap9zts\uvap9zts.dll O2 - BHO: (no name) - E2CB4EF4-BFFE-448C-B0C2-C54A28960D55} - C:\ProgramFiles\uvap9zts\uvap9zts.dll O2 - BHO: (no name) - {E6A2EE30-6152-4E98-9103-4D0D2F00BBF4} - C:\ProgramFiles\uvap9zts\uvap9zts.dll O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\ViewpointManager\ViewMgr.exe O4 - HKLM\..\Run: [uvap9zts] C:\Program Files\uvap9zts\uvap9zts.exe O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16 O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1 O4 - HKCU\..\Run: [eB5tRQH7e] xcoapi32.exe O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe O4 - HKCU\..\Run: [BestPopUpKiller] C:\ProgramFiles\BestPopUpKiller\BestPopupKiller.exe /startup O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU) [/b] Close all browsers and open windows except HJT and then click [b]Fix Checked[/b] Enable show hidden files and folders: * Click Start. * Open My Computer. * Select the Tools menu and click Folder Options. * Select the View Tab. 
* Under the Hidden files and folders heading select Show hidden files and folders. * Uncheck the Hide protected operating system files (recommended) option. * Click Yes to confirm. * Click OK. Reboot into Safe Mode, you can do this by tapping on the F8 key while your system starts up. Search your system and remove these folders/files if found. C:\Program Files\[b]Viewpoint\[/b] <-- Folder C:\Program Files\[b]uvap9zts\[/b] <-- Folder C:\PROGRA~1\[b]AWS\[/b] <-- Folder [b]xcoapi32.exe[/b] <-- File [color=red] These Folders as well if you choose to remove them:[/color] C:\Program Files\[b]SpyKiller\[/b] <-- Folder C:\ProgramFiles\[b]BestPopUpKiller\[/b] <-- Folder Scan with your anti-virus software Ad-Aware SE Spybot S&D Remove anything they find. Delete your temp files: Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder. Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder. Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK. Empty Your Recycle Bin. Reboot normally and post a new HJT log by using Post a Reply: Make sure that you save the log to notepad and copy and paste from there. 
Thanks, rstones12

Posted by: bebe

Thanks - scans are in process on the affected machine - will post the HijackThis log when complete

Posted by: bebe

Logfile of HijackThis v1.99.1
Scan saved at 10:41:57 PM, on 3/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\CA\Common\Alert\ALERT.EXE
C:\Program Files\Cisco VPN\cvpnd.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\CA\eTrust Antivirus\InoRpc.exe
C:\CA\eTrust Antivirus\InoRT.exe
C:\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Lotus\Notes\ntmulti.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\Compuware\Application Vantage Agent\OPTSA.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\UMCSTUB.EXE
C:\CA\ETRUST~1\realmon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\cisco vpn\vpngui.exe
C:\Program Files\Cisco VPN\ipseclog.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://support.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = mobile.gdls.com:8080
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Realtime Monitor] C:\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [CA-AMAgent] \\gdllsdvthshc083\amagents$\amagent.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: General Dynamics Land Systems VPN Client.lnk = C:\Program Files\cisco vpn\vpngui.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Hummingbird Business Intelligence - http://biweb/ADYCodebase/hclbimwe.cab
O16 - DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - https://imeeting.gdls.com/imtapp/res/jar/cnsload.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://is002011.gdls.com/qp2.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099510061448
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://ebusiness.gdls.com:8390/jinitiator/oajinit.exe
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupdatednews.com/install/aun_0032.exe
O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - http://oasss02h.gdls.com:7778/jinitiator/jinit.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\..\{961E20D2-AB39-4613-8FF7-01F344052AB0}: Domain = ls.gdls.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE5A5ABD-8BF6-4364-A0B0-AA9AE9359F02}: Domain = ls.gdls.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ls.gdls.com,gdls.com,cdn.gdls.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ls.gdls.com,gdls.com,cdn.gdls.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ls.gdls.com,gdls.com,cdn.gdls.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Alert Notification Server - Computer Associates International, Inc. - C:\CA\Common\Alert\ALERT.EXE
O23 - Service: Asset Management Agent (AmoAgent) - Computer Associates International, Inc. - C:\WINDOWS\UMCSTUB.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco VPN\cvpnd.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Lotus\Notes\ntmulti.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: ApplicationVantage Agent (VantageAgent) - Compuware - C:\Program Files\Compuware\Application Vantage Agent\OPTSA.exe

Posted by: rstones12

bebe, things look good. Are you having any more issues?

Thanks, rstones12

Posted by: bebe

My initial tests looked good. I will look at it more in depth today. Can you tell me what that uvap9zts was? I kind of thought that was one of the issues. I did remove WeatherBug, although I have had it on my PC for quite some time without any issues.

Posted by: rstones12

bebe, the uvap9zts is called a BHO (Browser Helper Object). Sometimes they are good and sometimes they are bad :beard: The system could have gotten infected in a few ways, hard to tell exactly. Run your system for a while and see if you are having any issues.

Thanks, rstones12

Posted by: bebe

So far so good - :D - Thanks so much for the help. Can you tell me how I should have my ActiveX controls set to help prevent unwanted downloads?

Posted by: rstones12

I would start here since you are using IE. It will give you more information about ActiveX controls as well as other security tips. http://www.microsoft.com/windows/ie/default.mspx

Hope that helps. rstones12 ;)

Posted by: Warez Monster

Remove entries at your own risk

O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - This entry is possibly nasty. Should be fixed.
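Two parts of this thread can be turned into a repeatable check: the manual review of the O16 (Downloaded Program Files) entries in the log, which is how Warez Monster singled out the {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} entry, and bebe's question about how the Internet-zone ActiveX settings should be set. The Python below is an added example written for this archive; it is not code from any of the posters, from HijackThis or from Microsoft. The trusted-host list, the recommended zone baseline and the sample log lines are constructed assumptions, and the registry value names (1001, 1004, 1200, 1201 under the zone 3 key) and the Enable/Prompt/Disable DWORD values are the ones Internet Explorer documents for its security zones.

```python
"""Post-hijack triage: review O16 lines from a HijackThis log and audit IE zone 3.
Added example for this thread, not code from the posters or from HijackThis.
TRUSTED_CODEBASE_HOSTS, RECOMMENDED_INTERNET_ZONE and SAMPLE_LOG are assumptions."""
import ipaddress
import re
from urllib.parse import urlparse

# Hosts whose ActiveX codebases the reviewer already trusts (assumed list; extend as needed).
TRUSTED_CODEBASE_HOSTS = {
    "windowsupdate.microsoft.com", "trendmicro.com", "pandasoftware.com",
    "apple.com", "yahoo.com", "hp.com", "gdls.com",
}

# Format: "O16 - DPF: <CLSID or name> [(friendly name)] - <codebase URL>"
O16_RE = re.compile(r"^O16 - DPF: (?P<desc>.+?) - (?P<url>\S+)$")
NAME_RE = re.compile(r"\([^()]+\)\s*$")  # a "(friendly name)" at the end of desc

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def triage_o16(log_lines):
    """One finding per O16 line: {"line", "host", "reasons"}; empty reasons = nothing stood out."""
    findings = []
    for raw in log_lines:
        m = O16_RE.match(raw.strip())
        if not m:
            continue
        desc, parsed = m.group("desc"), urlparse(m.group("url"))
        host, path = parsed.hostname or "", parsed.path.lower()  # hostname is already lowercase
        reasons = []
        if _is_ip(host):
            reasons.append("codebase served from a bare IP address")
        elif not any(host == t or host.endswith("." + t) for t in TRUSTED_CODEBASE_HOSTS):
            reasons.append(f"codebase host {host!r} is not on the trusted list")
        if path.endswith(".exe"):
            reasons.append("codebase is an .exe installer rather than a .cab/.ocx control")
        if desc.startswith("{") and not NAME_RE.search(desc):
            reasons.append("CLSID has no registered friendly name")
        findings.append({"line": raw.strip(), "host": host, "reasons": reasons})
    return findings

# IE zone 3 (Internet) actions, keyed by DWORD value name under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
ZONE_ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe",
}
ENABLE, PROMPT, DISABLE = 0, 1, 3  # DWORD values IE stores for each action
# Baseline assumed by this example: the XP SP2 defaults with 1200 tightened to Prompt.
RECOMMENDED_INTERNET_ZONE = {"1001": PROMPT, "1004": DISABLE, "1200": PROMPT, "1201": DISABLE}

def audit_internet_zone(current):
    """(action, current, recommended) for each action weaker than the baseline or missing.
    IE orders Enable(0) < Prompt(1) < Disable(3), so a smaller DWORD is more permissive."""
    label = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
    weak = []
    for name, wanted in RECOMMENDED_INTERNET_ZONE.items():
        have = current.get(name)
        if have is None or have < wanted:
            weak.append((ZONE_ACTIONS[name], label.get(have, "missing"), label[wanted]))
    return weak

def read_internet_zone():
    """Read the live zone 3 values on Windows; returns None where winreg is unavailable."""
    try:
        import winreg
    except ImportError:
        return None
    zone3 = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, zone3) as key:
        for name in ZONE_ACTIONS:
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass
    return values

# Constructed sample lines in HijackThis O16 format (TEST-NET address and a .test domain).
SAMPLE_LOG = [
    "O16 - DPF: Example Intranet Tool - http://intranet.example.test/tool/tool.cab",
    "O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1099510061448",
    "O16 - DPF: {11111111-2222-3333-4444-555555555555} - http://203.0.113.7/install/setup_0001.exe",
]

if __name__ == "__main__":
    for f in triage_o16(SAMPLE_LOG):
        print("REVIEW" if f["reasons"] else "ok", f["line"], *("  - " + r for r in f["reasons"]), sep="\n")
    for action, have, want in audit_internet_zone(read_internet_zone() or {}):
        print(f"zone 3: {action}: {have} (recommended {want})")
```

Run it against a saved HijackThis log by passing the file's lines to triage_o16. The output is a review list, not a verdict: the heuristics flag legitimate vendor installers that are fetched from a CDN or shipped as an .exe (in the log above, the QuickTime and HouseCall entries come from akamai.net, and the Oracle JInitiator entries are .exe codebases on gdls.com), so each hit still needs a human to check who really hosts the file. For the zone audit, note that when the "Security Zones: Use only machine settings" policy is in effect the values that matter live under HKLM rather than HKCU, and that setting 1200 to Prompt means every site with an ActiveX control will ask before running it, which is the behaviour bebe describes.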