HijackThis Log file, need help against ware

Discussion in 'adware, spyware & hijack cleaning' started by Orange, Jun 24, 2004.

Thread Status:
Not open for further replies.
  1. Orange

    Orange Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    5
    This was my most recent log file:
    Logfile of HijackThis v1.97.7
    Scan saved at 6:22:37 PM, on 6/24/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Winamp5\winampa.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\System32\CTSvcCDA.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Trillian\trillian.exe
    C:\Documents and Settings\MBrady\Desktop\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by99fd.bay99.hotmail.msn.com...4b29a11&fti=yes
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp5\winampa.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/gam...nts/y/et1_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/gam...ts/y/potc_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/...ector/swdir.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/c...DC_1_0_0_41.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v5.cab

    I decided to fire up the old hijackthis when i noticed bizarre internet explorer instances opening on their own, and my comp started crashing with the error "Windows application failed to initialize (0cx000000005)" or something. Im pretty sure sghpb.exe must be spyware related, help if you have time. Thanks a ton.
     
  2. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Hi Orange

    Nope - belongs to: C:\Program Files\SpywareGuard\sgbhp.exe

    I really can't see anything "not normal" - maybe this one:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by99fd.bay99.hotmail.msn.com...4b29a11&fti=yes

    looks "funny" to me - but I don NOT have hotmail. Is that the correct Start Page??

    How about running:

    Download Ad-aware from here: http://www.computercops.biz/downloads-file-292.html
    Install by double-clicking on the downloaded file.
    After installing but before running, update Ad-aware by using its Globe icon.
    After updating, shutdown and restart Ad-aware.
    Ad-aware is ready to scan and clean your system following these steps:

    Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
    "Unload recognized processes during scanning."
    Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
    "Let Windows remove files in use after reboot."
    Press "Scan Now"
    Check option "Use Custom scanning options"
    Check option "Activate In-Depth Scan"
    Press "Select drives\folders to scan"
    Select the active partition which is usually C:
    Press "Next" to let Ad-aware scan your drives...
    If it finds "bad" files and registry keys, press "Next" again
    Right-click in that pane and choose "select all"
    Press "next"
    When it asks to remove all checked items, Press "OK"
    Close Ad-aware, reboot your system and go on to Step 2 below.


    Spybot S&D
    The download for Spybot S&D is available here: http://www.computercops.biz/downloads-file-108.html

    Install by double-clicking on the downloaded file.
    Run Spybot S&D from desktop icon or Start menu.
    Press "Search for updates" button to get list of updates available.
    Press "Download updates" button.
    Close all IE windows and close & restart Spybot S&D.
    Press "Check for problems" button.
    Have SpyBot remove all it marks in red by pressing "Fix selected problems".

    Close Spybot S&D, reboot your system

    Empty your Temporary Internet Files and history in Internet Options. And clean out your
    %Userprofile%\Local Settings\Temp
    folder. It's a good idea to do that regularly.

    Then Disable system restore: Instructions here
    Reboot

    Enable System Restore.

    Pls. post another log.
     
  3. Orange

    Orange Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    5
    Thanks a lot, yea that was dumb of me, if had just looked at it i would have realized it belonged to spywareguard. And yes that is the normal start page, that just auto loads to my mailbox. I had adaware and spybot running with all those preferences before, and I did again what you said, we shall see if it removes it. To give a little more information i get regular invisible pop ups, i'll hear the link click and then upon accessing task-manager I will see that an instance of IE has opened, titled either microsoft-corp256 (random number) or could not load. It has given me some problems lately in that memory and programs have problems being read or initializing causing some total freezes and crashes which are less than pleasant. Sinne I'm not very good with this sort of thing I cannot draw a true line of cause and effect between spyware and the problems I am experiencing now, but past experience and the emmergence of these problems coinciding with the evident pop ups and odd sypmtoms of spy or mal ware leads me to believe that there is a corrolation. Also out of curiousity, what is pointer or point32.exe? I am assuming it is software related to my mouse. Adaware picked up a few things as usual, all spybot picked up was Windows Media Player though. I did what you told me too. The only other information I can give you is that at some times when I'm not doing anything my computer will make a lot of noise like it's thinking really hard, and sometimes now when I shut down my comp, there are things like eejqp.exe that need to be ended now since they won't respond, and I could be wrong but I generally associate nonsense strings of letters or words with spyware. Thanks for your time and here's my log.

    Logfile of HijackThis v1.97.7
    Scan saved at 12:30:39 PM, on 6/27/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Winamp5\winampa.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Steam\Steam.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\CTSvcCDA.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\MBrady\Desktop\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by99fd.bay99.hotmail.msn.com...01&a=5ff0ad4d0446be30a5190d3e44b29a11&fti=yes
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp5\winampa.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v5.cab
     
  4. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Hi Orange

    No problem, we are ALL human :)

    point32.exe
    Program Title: Microsoft IntelliPoint Software
    Rating: 3 ( Users Choice (application need to be run at startup, but is not system critical) )
    Comments: Provides several extensions (e.g. mouse button 4 and 5) to be used with a Microsoft IntelliPoint mouse.

    steam - steam.exe - Process Information
    Process File: steam or steam.exe
    Process Name: Steam
    Description: Program used to test update and patches for Half-Life Valve game.
    Company: GameSpy Industries
    System Process: No
    Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): No
    Common Errors: N/A

    Optional - not needed at startup:

    Optional:
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

    Have a look - is up to you if you want to disable the above at startup - NOT point32.exe though, as you need it at startup.

    Otherwise I can NOT find anything.

    How about - you also install:

    a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
    b. SpywareGuard: http://www.javacoolsoftware.com/spywareguard.html
     
  5. Orange

    Orange Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    5
    Yea actually I have both of those programs. Also out of curiousity, I have taken realshcedule and qttask off of startup inumerable times, and they keep adding themselves back on eventually, what am I doing wrong? And I totally believe that you can't find anything, nothing looks wrong there to me either, (not as if i know what i'm doing) but still I'm not really sure what's up with these pop-ups and such. Ah well. Pretty soon I'm buying myself a laptop, just have to hold out a little longer! Thanks a ton. Oh and as for virus scanning software and such, is there a favorite program you might suggest because I do partake of the p2p networks and I recognize the possibity of infection through that vector. And here is just my residual log for yucks.

    Logfile of HijackThis v1.97.7
    Scan saved at 5:14:35 PM, on 6/27/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Winamp5\winampa.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Steam\Steam.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\CTSvcCDA.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\MBrady\Desktop\hijackthis\HijackThis.exe
    C:\Documents and Settings\MBrady\Desktop\hijackthis\HijackThis.exe
    C:\Program Files\Trillian\trillian.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by99fd.bay99.hotmail.msn.com...01&a=5ff0ad4d0446be30a5190d3e44b29a11&fti=yes
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp5\winampa.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v5.cab
     
  6. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Hi :)

    because I do partake of the p2p networks - yeah well..... .. this way you are asking for trouble :rolleyes:

    No, unfortunately I can NOT tell which AV should be the best for your use :(
    Can only tell keep your AV up-to-date - run an on-line scan to have a "second opinion". Run ad aware and spybotd&D regularly and keep it up-to-date. Having XP - a firewall is a MUST and don't forget to get ALL critical Microsoft updates!

    Regarding the startup items - have a look here:

    http://www.pacs-portal.co.uk/startup_content.php

    Happy Safe Computing !
     
  7. Orange

    Orange Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    5
    I swear there must be something. I am getting pop-ups for things called gaz-prom and then weird things like my task manager having errors and crashing. Sorry to bother you but what is this all about?
     
  8. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Orange,

    pls. run HJT again and post a new log. Will have a look if something shows up.
     
  9. Orange

    Orange Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    5
    Here it is. I also found and removed some virus stuff, but the problem persists and gets worse. I think it may soon be time for a reformat, I'll lose a bunch of stuff that can't really be backed up but whatever. Here's the log. Thanks.

    Logfile of HijackThis v1.97.7
    Scan saved at 4:42:16 PM, on 6/29/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTSvcCDA.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Winamp5\winampa.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Trillian\trillian.exe
    C:\Program Files\Winamp5\winamp.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\MBrady\Desktop\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by99fd.bay99.hotmail.msn.com...01&a=5ff0ad4d0446be30a5190d3e44b29a11&fti=yes
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp5\winampa.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
    O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v5.cab
     
  10. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    HI Orange

    First update or download CWShredder to version 1.59.1
    CWShredder (http://www.spywareinfoforum.com/~merijn/files/CWShredder.exe)
    Use the Fix button and follow the instructions you will receive.

    Let's see if that helps.

    Then reboot and use AdAware as described here:
    https://www.wilderssecurity.com/showthread.php?t=15913

    Go here and get one of the free trials of an Anti Trojan and scan for Trojans.
    http://www.wilders.org/anti_trojans.htm

    Empty your Temporary Internet Files and history in Internet Options. And clean out your
    %Userprofile%\Local Settings\Temp
    folder.

    Then Disable system restore: Instructions here
    Reboot

    Enable System Restore.

    Pls. post another log.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.