Please help

Discussion in 'adware, spyware & hijack cleaning' started by Braincramp, Jun 8, 2004.

Thread Status:
Not open for further replies.
  1. Braincramp

    Braincramp Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    5
    Hi I run spybot, adaware and spysweeper. I also use norton antivirus and norton firewall. I did an on line scan through microtrend housecall. and it says I have several trojens...
    Stilen.a small.iq siboco.a small.xl and revop.a
    Why doesn't norton stop them I keep it updated?
    I ran hijack this, I would really appreciate any help you can give thank you

    Logfile of HijackThis v1.97.7
    Scan saved at 10:59:07 AM, on 6/8/2004
    Platform: Unknown Windows (WinNT 5.02.3790)
    MSIE: Internet Explorer v6.00 (6.00.3790.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\system32\Dfssvc.exe
    C:\WINDOWS\Mixer.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\lvxb.exe
    C:\WINDOWS\apfotk.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\documents and settings\administrator\local settings\temp\M8.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe
    C:\WINDOWS\system32\sentutle.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.itsyourturn.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.itsyourturn.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.itsyourturn.com/
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - (no file)
    O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\system32\mskhhe.dll
    O2 - BHO: (no name) - {6E17DC85-1BAF-44B0-A333-F314BFB014D9} - C:\WINDOWS\jvaqktkfu.dll
    O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - C:\WINDOWS\system32\msedah.dll
    O2 - BHO: (no name) - {F527AC42-6DC6-4D7B-A92D-678D07F27073} - C:\WINDOWS\ngxmpdni.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [dzetf] C:\WINDOWS\lvxb.exe
    O4 - HKLM\..\Run: [tcxcbgh] C:\WINDOWS\apfotk.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [M8.exe] C:\documents and settings\administrator\local settings\temp\M8.exe
    O4 - HKLM\..\Run: [sentutle] C:\WINDOWS\system32\sentutle.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38087.9470486111
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash4/cabs/swflash.cab
    O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/roing.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Braincramp,

    Is that SP2 you are running?
    Before you start, please unzip hijackthis to a separate folder. The program will make backups in the folder in the folder it's in.
    These will now end up on your desktop.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - (no file)
    O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\system32\mskhhe.dll
    O2 - BHO: (no name) - {6E17DC85-1BAF-44B0-A333-F314BFB014D9} - C:\WINDOWS\jvaqktkfu.dll
    O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - C:\WINDOWS\system32\msedah.dll
    O2 - BHO: (no name) - {F527AC42-6DC6-4D7B-A92D-678D07F27073} - C:\WINDOWS\ngxmpdni.dll

    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)

    O4 - HKLM\..\Run: [dzetf] C:\WINDOWS\lvxb.exe
    O4 - HKLM\..\Run: [tcxcbgh] C:\WINDOWS\apfotk.exe

    O4 - HKLM\..\Run: [M8.exe] C:\documents and settings\administrator\local settings\temp\M8.exe
    O4 - HKLM\..\Run: [sentutle] C:\WINDOWS\system32\sentutle.exe

    O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/roing.cab

    Then reboot into safe mode and delete:
    C:\WINDOWS\lvxb.exe
    C:\WINDOWS\apfotk.exe

    Then (still in safe mode) use the Disk Cleanup Utility to empty all your Temp folder.

    Post a new log when you are done, so we can see if everything worked out as planned.

    Regards,

    Pieter
     
  3. Braincramp

    Braincramp Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    5
    I am running Spybot 1.2 and spyblaster 3.1
    thank you for the easy to follow directions, hopefully it worked, so far there were not any popups...
    here is the new log

    Logfile of HijackThis v1.97.7
    Scan saved at 2:07:54 PM, on 6/8/2004
    Platform: Unknown Windows (WinNT 5.02.3790)
    MSIE: Internet Explorer v6.00 (6.00.3790.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\system32\Dfssvc.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\Mixer.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\system32\esetr.exe
    C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.itsyourturn.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.itsyourturn.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.itsyourturn.com/
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [esetr] C:\WINDOWS\system32\esetr.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38087.9470486111
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash4/cabs/swflash.cab
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi braincramp,

    I'm afraid we have one "namechanger"
    O4 - HKLM\..\Run: [esetr] C:\WINDOWS\system32\esetr.exe
    If you have rebooted it will have changed it's name again.
    I will need a fresh log, so please post that when you read this and do not reboot untill someone answers.
    The idea is to kill the process in TaskManager, then delete the file and then Fix the entry in HijackThis.

    Regards,

    Pieter
     
  5. Braincramp

    Braincramp Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    5
    sorry about rebooting here is the new log
    Logfile of HijackThis v1.97.7
    Scan saved at 7:51:42 AM, on 6/15/2004
    Platform: Unknown Windows (WinNT 5.02.3790)
    MSIE: Internet Explorer v6.00 (6.00.3790.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\system32\Dfssvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\Mixer.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    No problem, but the one you posted now is a bit short. ;)

    Regards,

    Pieter
     
  7. Braincramp

    Braincramp Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    5
    Sorry I tried to post before I left for work
    Here it is again


    Logfile of HijackThis v1.97.7
    Scan saved at 4:49:06 PM, on 6/15/2004
    Platform: Unknown Windows (WinNT 5.02.3790)
    MSIE: Internet Explorer v6.00 (6.00.3790.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\system32\Dfssvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\Mixer.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\asmontrr.exe
    C:\PROGRA~1\MICROS~1\Office\OUTLOOK.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.itsyourturn.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.itsyourturn.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.itsyourturn.com/
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [asmontrr] C:\WINDOWS\system32\asmontrr.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38087.9470486111
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash4/cabs/swflash.cab
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Braincramp,

    We are having a timezone problem here. ;)

    Please download and install Regprot from http://www.diamondcs.com.au/index.php?page=regprot

    After install it will prompt you for permission on some programs that are already istalled. Allow those.

    Then run HijackThis and look at this section:
    Code:
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [asmontrr] C:\WINDOWS\system32\asmontrr.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    
    You will notice there is another one between the JavaUpdate and SpySweeper.
    Fix that line with HijackThis and deny permission for everything that Regprot warns you about afterwards.

    Then reboot and delete the file the line pointed to. (In the example that would be C:\WINDOWS\system32\asmontrr.exe , but it will have changed it's name again)

    Then make another log and post it.

    Regards,

    Pieter
     
  9. Braincramp

    Braincramp Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    5
    Sorry for the delay... I am hoping this is it.. thank you very much I appreciate your help


    Logfile of HijackThis v1.97.7
    Scan saved at 9:22:08 PM, on 6/17/2004
    Platform: Unknown Windows (WinNT 5.02.3790)
    MSIE: Internet Explorer v6.00 (6.00.3790.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\system32\Dfssvc.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\Mixer.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe
    C:\WINDOWS\System32\svchost.exe
    C:\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.itsyourturn.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.itsyourturn.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.itsyourturn.com/
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38087.9470486111
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash4/cabs/swflash.cab
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
Thread Status:
Not open for further replies.