My HijackThis Log, Please advise! (merged)

Discussion in 'adware, spyware & hijack cleaning' started by con4mity, Jun 23, 2004.

Thread Status:
Not open for further replies.
  1. con4mity

    con4mity Registered Member

    Joined:
    Jun 23, 2004
    Posts:
    10
    My HijackThis Log, Please advise!

    Mod Note: Member posted a more recent hijackthis log (see post #4) now merged with this thread - snap



    My system suddenly started having advertising coniptions. But now, nothing works to fix them, regedit, notepad, all of those stopped working.

    Thanks in advance, :ninja: con4mity

    Logfile of HijackThis v1.97.7
    Scan saved at 9:56:45 AM, on 6/23/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\ISTsvc\istsvc.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\system32\arpa.exe
    C:\WINDOWS\services.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Administrator\Application Data\epaa.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Administrator\My Documents\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1400.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {623AB228-F83E-49D5-8C89-7D17C0347D82} - C:\WINDOWS\System32\klfa.dll
    O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem218.dll
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem218.dll
    O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ussshreg] C:\PROGRA~1\ULEADS~1.0\Ussshreg.exe /r
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [SuperBar.Component] C:\WINDOWS\system32\inetsrv\services.exe
    O4 - HKLM\..\Run: [AdRotator.Application] C:\WINDOWS\system32\drivers\csrss.exe
    O4 - HKLM\..\Run: [{357AA41A-B7A8-4632-A27D-5B980B25CF43}] C:\WINDOWS\system32\wbem\svchost.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Lran] C:\Documents and Settings\Administrator\Application Data\epaa.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: Sidesearch (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://*.flingstone.com
    O15 - Trusted Zone: http://*.mt-download.com
    O15 - Trusted Zone: http://*.xxxtoolbar.com
    O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37895.7853009259
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
     
    Last edited by a moderator: Jun 25, 2004
  2. con4mity

    con4mity Registered Member

    Joined:
    Jun 23, 2004
    Posts:
    10
    Re: My HijackThis Log, Please advise!

    If you could just guide me to remove enough so that I can download again, I could then get the adware, and s.b.bot, then my log won't be so gross.

    Same log, haven't done anything yet.
     
  3. con4mity

    con4mity Registered Member

    Joined:
    Jun 23, 2004
    Posts:
    10
    Re: My HijackThis Log, I'm being hijacked!

    I finally was able to run adaware and the search and destroy. But I still have this stupid purity scan, and something else running that I just can't get rid of. It is somehow blocking me from running regedit, or deleted it.

    here's my log: thanks

    Logfile of HijackThis v1.97.7
    Scan saved at 5:03:08 PM, on 6/23/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\System32\rsxnee.exe
    C:\WINDOWS\system32\wbem\svchost.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Documents and Settings\Administrator\Application Data\epaa.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\NDrv.exe
    C:\Documents and Settings\Administrator\My Documents\HijackThis.exe

    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINDOWS\System32\NDrv.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ussshreg] C:\PROGRA~1\ULEADS~1.0\Ussshreg.exe /r
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
    O4 - HKLM\..\Run: [wjihktzzgyz] C:\WINDOWS\System32\rsxnee.exe
    O4 - HKLM\..\Run: [SuperBar.Component] C:\WINDOWS\system32\inetsrv\services.exe
    O4 - HKLM\..\Run: [AdRotator.Application] C:\WINDOWS\system32\drivers\csrss.exe
    O4 - HKLM\..\Run: [{357AA41A-B7A8-4632-A27D-5B980B25CF43}] C:\WINDOWS\system32\wbem\svchost.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Lran] C:\Documents and Settings\Administrator\Application Data\epaa.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\System32\NDrv.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O15 - Trusted Zone: http://*.mt-download.com
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37895.7853009259
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  4. con4mity

    con4mity Registered Member

    Joined:
    Jun 23, 2004
    Posts:
    10
    I need some serious help!

    I've posted before but think I did it wrong. I have run Adaware 6, and it removed 49 objects, I ran Search & Destroy and it found IST.Search and fixed, but no matter what I try, if I run notepad, or regedit, something reinstalls itself, takes over my homepage about:blank, runs a purity scan session, and then adds fake services.exe, csrss.exe, and other files.

    Please help if you can, my system seems to be getting worse. Now I get a Windows Error Service pop-up that takes my browser somewhere stupid, eurosport.com

    Logfile of HijackThis v1.97.7
    Scan saved at 2:32:48 PM, on 6/25/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\NDrv.exe
    C:\WINDOWS\system32\arpa.exe
    C:\WINDOWS\services.exe
    C:\Documents and Settings\Administrator\My Documents\HijackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\arpa.exe
    C:\WINDOWS\system32\bhui.exe
    C:\WINDOWS\system32\arpa.exe
    C:\WINDOWS\system32\bhui.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Administrator\Application Data\epaa.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINDOWS\System32\NDrv.dll
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SuperBar.Component] C:\WINDOWS\system32\inetsrv\services.exe
    O4 - HKLM\..\Run: [AdRotator.Application] C:\WINDOWS\system32\drivers\csrss.exe
    O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" +c
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [WTSI] C:\WINDOWS\System32\wapisvit.exe
    O4 - HKCU\..\Run: [Lran] C:\Documents and Settings\Administrator\Application Data\epaa.exe
    O15 - Trusted Zone: http://*.mt-download.com
    O15 - Trusted Zone: http://*.xxxtoolbar.com
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37895.7853009259
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  5. con4mity

    con4mity Registered Member

    Joined:
    Jun 23, 2004
    Posts:
    10
    Please let me know if I'm doing this wrong, no one answers my posts.
     
  6. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Con4mity,

    Download CWShredder as you will need it in a later step.

    Please go off line (disconnect from the internet). You may want to print these instructions out first.

    Then bring up TaskManager (ctrl+alt+del keys) and if you can, try and end the running processes for these:

    NDrv.exe
    rsxnee.exe
    arpa.exe
    bhui.exe
    epaa.exe


    Create a permanent folder on your C: drive and move HijackThis into it. Hijackthis should run from it's own folder as it will create backups of what it deletes in that folder. This way you can find them easily if you need to put anything back.

    Make sure you have Hidden Files and Folders Viewable
    Click Start > My Computer >Select the Tools menu >click Folder Options >Select the View Tab.
    Under the "Hidden files and folders" heading, select Show hidden files and folders.
    UN-check the "Hide protected operating system files (recommended)" option.
    Then click Yes.


    Reboot your computer into Safe Mode by tapping the F8 key just before windows begins to load

    Place a check beside the following items in HijackThis.
    Close all windows except HijackThis, and click *Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINDOWS\System32\NDrv.dll

    O4 - HKLM\..\Run: [SuperBar.Component] C:\WINDOWS\system32\inetsrv\services.exe
    O4 - HKLM\..\Run: [AdRotator.Application] C:\WINDOWS\system32\drivers\csrss.exe
    O4 - HKCU\..\Run: [WTSI] C:\WINDOWS\System32\wapisvit.exe
    O4 - HKCU\..\Run: [Lran] C:\Documents and Settings\Administrator\Application Data\epaa.exe

    O15 - Trusted Zone: http://*.mt-download.com
    O15 - Trusted Zone: http://*.xxxtoolbar.com

    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab

    Find and delete the following ONLY in the locations below. Be very careful not to delete the legitimate files as listed inbetween the brackets.
    C:\WINDOWS\system32\arpa.exe
    C:\WINDOWS\system32\bhui.exe
    C:\WINDOWS\System32\rsxnee.exe
    C:\WINDOWS\System32\NDrv.dll
    C:\WINDOWS\System32\wapisvit.exe
    C:\Documents and Settings\Administrator\Application Data\epaa.exe

    (the legitimate svchost.exe is in the System32 folder)
    C:\WINDOWS\system32\wbem\svchost.exe

    (the legitimate csrss.exe is in the System32 folder)
    C:\WINDOWS\System32\drivers\csrss.exe

    (the legitimate services.exe is in the System32 folder)
    C:\WINDOWS\services.exe
    C:\WINDOWS\System32\inetsrv\services.exe


    Also, these files are not showing yet, but are part of this infection. Please look for the files listed below, and if present in the exact locations as I've listed, then delete them if found.
    To make sure you are deleting the malware files, you can check the file's properties first. Right-click on the file (do not left-click it) and choose "Properties", then look under the Version tab and you should see the Product Name and you should see the "Microsoft Windows Operating System" name. If you don't, then you know it isn't the legitimate system file.

    ( the legitimate ping.exe is in the C:\Windows\System32 folder.)
    C:\Windows\System32\wbem\ping.exe

    (the legitimate regedit.exe is in the C:\Windows folder.)
    C:\Windows\System\regedit.exe
    C:\Windows\System32\regedit.exe

    C:\Windows\System32\inetsrv.exe <-- you want to delete the .exe file, but do not delete the inetsrv Folder.
    C:\Windows\iinstall.exe <--- do a search for this file, if found, delete it.

    Can you also tell me if there is a folder called AU Temp in the C:\Windows folder. There is a legitimate AUTemp folder in the C: drive, but not in the C:\Windows folder, at least not on my XP-Home, that is why I am asking.

    _____

    Now run CWShredder.
    Click the *Fix button, and follow the instructions you receive from the program.

    Then delete the contents of your Temp folders:
    C:\documents and settings\Administrator or username\local settings\temp\ <---delete all files and folders in it, but not the temp folder itself.
    C:\Windows\Temp\ <--- delete all the files in it, except for the Cookies, History, and Temporary Internet Files folders.

    Then empty the Recycle Bin.

    While still in safe mode, follow up with a scan using both Spybot Search&Destroy and AdAware6 (make sure you have brought them up-todate).

    ____

    Finally, reboot your computer normally and go back on-line.

    Go to Microsoft's Update Site and make sure you have installed ALL Critical Updates listed for XP and IE6 installed.

    Do a FULL system scan at one of these on-line scan sites: Free Services.

    Then post another hijackthis log here in this thread to be checked because some of these files are known to change their names, and we want to see if we've caught them all..

    Regards,

    snap

    If you are in any doubt, please post back with any question, but do not reboot your computer as the files change their name upon each reboot.
     
    Last edited: Jun 26, 2004
  7. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    con4mity, if you can, please zip up a copy of the files I've listed in bold (password protect the zipped copy and use the word infected as the password) and email the zipped copy of the files to pieterATwilderssecurity.org (replace the AT with an @) for analysis. In the body of the email message, state that the password is "infected" and include a link to this thread, so Pieter will be able to find it easily.

    Also send a zipped copy of them to submit@diamondcs.com.au for analysis, so they can add them for detection.

    You may have to send separate zipped copies of the files that have the same name.

    Thank you,

    snap
     
  8. con4mity

    con4mity Registered Member

    Joined:
    Jun 23, 2004
    Posts:
    10
    snap, thanks a bunch! I'm sorry about my delays, but once I turned off my net to do your bidding, it was #$!! to pay to get back online.

    Everytime I went to run the HiJackThis program, which this maliceware must indirectly effect my system would go into coniptions and reboot, die, swear, and stop.

    I finally realized it was because notepad.exe and other files had been comprimised and when you click Save Log in HiJackThis, it runs notepad, or something to display the log. Ouch.

    Anyway, I seem to be worse off then before but many of the files you wanted me to send were not there. And during all my reboots this bugger has taken on many different names, and also installed many different programs to cause havoc.

    I have done everything you asked, if it was possible, not all of it was. I did it in Safe Mode, and then again rain Adaware, and Search & Destroy after reboot.

    CWShredder, said I was clean in Safe Mode
    Search & Destroy said (In safe mode and normal mode) that I had;
    Istbar.Sloth, and couldn't fix it.
    DyFuCa, and couldn't fix it.
    and DSO.Exploit, which it says it fixed, but it's always there if I scan again. (This I think may just be a program error, and not really something wrong, but... who knows.)

    Of the programs mentioned:
    NDrv.exe
    rsxnee.exe
    arpa.exe
    bhui.exe
    epaa.exe

    Some of them I could kill, some I couldn't. AFter reboot none where available, though some have now come back, and if you still want something let me know I'll pack whatever you want up. Check my log again though as you're right they have different names.

    I tracked down all the files you said to and deleted them but services.exe in the C:\Windows folder could not be deleted, and I could not stop the process.

    ping.exe was not in the wbem folder.
    I found iinstall.exe in C:\Windows\Temp and deleted it.
    inetsrv.exe was not in the C:\Windows\System32 folder
    There is an AU_Temp in the C:\Windows\AU_Temp and it looks like it has some nasty stuff in it.

    You said:
    "Then delete the contents of your Temp folders:
    C:\documents and settings\Administrator or username\local settings\temp\"

    But, I got a lot of errors in Safe Mode and couldn't get everything out.

    I've scanned and show clean on everything, but still I get the following types of attacks:

    windows error service pop-up telling me I have spyware and I can get a scanner by clicking okay.

    And a eurosport.com popup every so often taking me to that address.

    Here's my new log, and thanks for your assistance.

    Logfile of HijackThis v1.97.7
    Scan saved at 1:35:04 PM, on 6/28/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\Program Files\Norton Internet Security\ccPxySvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\cmd.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\arpa.exe
    C:\WINDOWS\services.exe
    C:\WINDOWS\system32\bhui.exe
    C:\Documents and Settings\Administrator\Application Data\epaa.exe
    C:\HiJackThis\HijackThis.exe

    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" +c
    O4 - HKLM\..\Run: [SuperBar.Component] C:\WINDOWS\system32\inetsrv\services.exe
    O4 - HKLM\..\Run: [AdRotator.Application] C:\WINDOWS\system32\drivers\csrss.exe
    O4 - HKLM\..\Run: [{357AA41A-B7A8-4632-A27D-5B980B25CF43}] C:\WINDOWS\system32\wbem\svchost.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - HKCU\..\Run: [Lran] C:\Documents and Settings\Administrator\Application Data\epaa.exe
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O15 - Trusted Zone: http://*.mt-download.com
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37895.7853009259
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
     
  9. con4mity

    con4mity Registered Member

    Joined:
    Jun 23, 2004
    Posts:
    10
    P.S. Yes the above log is a result of following your steps but I can see that most of the things you told me to fix have been added again. I've tried the steps again, but prior to getting a new log the infections return.
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi con4mity,

    Please download and install: http://www.diamondcs.com.au/index.php?page=regprot

    After installing the application will ask permission for several startup keys in the registry.

    Deny permission for these if you get a chance:
    NAME=SuperBar.Component
    DATA=services.exe

    NAME=AdRotator.Application
    DATA=csrss.exe

    NAME=[{357AA41A-B7A8-4632-A27D-5B980B25CF43}]
    DATA=svchost.exe

    NAME=Lran
    DATA=epaa.exe

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll (file missing)

    O4 - HKLM\..\Run: [SuperBar.Component] C:\WINDOWS\system32\inetsrv\services.exe
    O4 - HKLM\..\Run: [AdRotator.Application] C:\WINDOWS\system32\drivers\csrss.exe
    O4 - HKLM\..\Run: [{357AA41A-B7A8-4632-A27D-5B980B25CF43}] C:\WINDOWS\system32\wbem\svchost.exe

    O4 - HKCU\..\Run: [Lran] C:\Documents and Settings\Administrator\Application Data\epaa.exe

    O15 - Trusted Zone: http://*.mt-download.com

    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

    Then reboot into safe mode and delete:
    C:\Documents and Settings\Administrator\Application Data\epaa.exe
    C:\WINDOWS\system32\wbem\svchost.exe
    C:\WINDOWS\system32\inetsrv\services.exe
    C:\WINDOWS\system32\drivers\csrss.exe
    C:\WINDOWS\system32\arpa.exe

    If at any point Regprot warns you about new startups read carefully untill you know what it is asking of you. You are in no rush.

    Regards,

    Pieter
     
  11. con4mity

    con4mity Registered Member

    Joined:
    Jun 23, 2004
    Posts:
    10
    Well, I thought that worked, everything was looking good, until I opened HiJackThis, and scanned, (at this point everything looked great, but) and then tried to save the log, it saved it, but it also started all the stuff again. I watched the little hour glass go to town.

    Then I scanned again, and I see it's all back.

    What could be causing it to run when I use HiJackThis?

    Of course if I run just notepad from the RUN box it does it also:

    Logfile of HijackThis v1.97.7
    Scan saved at 3:54:32 PM, on 6/28/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\Program Files\Norton Internet Security\ccPxySvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HiJackThis\HijackThis.exe
    C:\WINDOWS\system32\arpa.exe
    C:\WINDOWS\services.exe
    C:\WINDOWS\system32\bhui.exe

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" +c
    O4 - HKLM\..\Run: [SuperBar.Component] C:\WINDOWS\system32\inetsrv\services.exe
    O4 - HKLM\..\Run: [AdRotator.Application] C:\WINDOWS\system32\drivers\csrss.exe
    O4 - HKLM\..\Run: [{357AA41A-B7A8-4632-A27D-5B980B25CF43}] C:\WINDOWS\system32\wbem\svchost.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O15 - Trusted Zone: http://*.xxxtoolbar.com
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37895.7853009259
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi con4mity,

    That sounds as if notepad.exe was replaced by an infecting file. Not very original but not less annoying and effective.

    Can you find C:\WINDOWS\System32\notepad.exe and C:\WINDOWS\notepad.exe
    Zipe them up in differently labelled files so I know which one came from where and send them to pieterATwilderssecurity.org (replace AT with @)

    Then copy C:\WINDOWS\System32\dllcache\notepad.exe and replace the copies above with that one.
    The dllcache folder will probably be hidden.

    To "unhide" hidden files and folders:
    Launch My Computer from the Desktop Icon.
    Select View, Details.
    Select the Folders button.
    Select Tools, Folder Options. Then select the View Tab. Select the Show hidden files and folders radio button is selected
    and that the Hide file extensions for known file types check box is unchecked. Once this is done, select Apply and then
    Like Current Folder (located near the top of the Folder Options box). Then select OK.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [SuperBar.Component] C:\WINDOWS\system32\inetsrv\services.exe
    O4 - HKLM\..\Run: [AdRotator.Application] C:\WINDOWS\system32\drivers\csrss.exe
    O4 - HKLM\..\Run: [{357AA41A-B7A8-4632-A27D-5B980B25CF43}] C:\WINDOWS\system32\wbem\svchost.exe

    O15 - Trusted Zone: http://*.xxxtoolbar.com

    Reboot into safe mode and delete:
    C:\WINDOWS\system32\inetsrv\services.exe
    C:\WINDOWS\system32\drivers\csrss.exe
    C:\WINDOWS\system32\wbem\svchost.exe
    C:\WINDOWS\system32\arpa.exe
    C:\WINDOWS\system32\bhui.exe

    Regards,

    Pieter
     
  13. con4mity

    con4mity Registered Member

    Joined:
    Jun 23, 2004
    Posts:
    10
    Hey Now! This is looking much better I think. I did everything mentioned, plus some of the stuff again mention in the first response from Snap, empty temps folders and such.

    And so far... well, it's not installing itself yet. I'll follow-up on this if it acts up some more.

    Is it possible the regedit.exe could have the same problem as notepad.exe did?

    Thanks for everything, who do I pay?
    Corey
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi con4mity,

    Sounds good. :cool:

    What makes you think regedit.exe was replaced as well?

    Regards,

    Pieter
     
  15. con4mity

    con4mity Registered Member

    Joined:
    Jun 23, 2004
    Posts:
    10
    Because running it from the Run dialog box seems to also initiate some type of install.

    Note that running it as c:\windows\regedit.exe doesn't, but just regedit does, it was the same with notepad.

    But, My system is greatly improved. I mean I still seem to have some extra lag online, but I can't really see anything that might be causing it.

    Here is my final HiJackThis log and as I said my system seems much better, no pop-ups, hijacks, and major lag.

    Logfile of HijackThis v1.97.7
    Scan saved at 2:12:41 PM, on 6/29/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\Program Files\Norton Internet Security\ccPxySvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\hijackthis\HijackThis.exe

    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" +c
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37895.7853009259
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


    Thanks again,
    Corey
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Just a thought.

    Do a Find Files for regedit.*
    I would not be surprised if regedit.com or something similar would turn up.

    And this one is known to be a waste of resources:
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.