Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93081 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Hijack this Log - Please Help


  • This topic is locked This topic is locked
6 replies to this topic

#1 jwalkin

jwalkin

    New Member

  • New Member
  • Pip
  • 3 posts

Posted 01 July 2005 - 07:43 AM

My desktop now says:

Posted Image

It will not allow me to change the wallpaper manually. I ran SpyBot and Adaware with no luck.

Here is my HiJack this log:

Logfile of HijackThis v1.99.1
Scan saved at 9:38:44 AM, on 7/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\HumDisplayServer.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Webroot\Enterprise\CommAgent\CommAgent.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperTray.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\SIGMA\Photo Pro\SIGMA_AutoLaunch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\data\apps\hijack\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [DpAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Webroot Spy Sweeper, Enterprise Edition] c:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperTray.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Startup: SIGMA Photo Pro AutoLaunch.lnk = C:\Program Files\SIGMA\Photo Pro\SIGMA_AutoLaunch.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: UltraMon.lnk = C:\Program Files\UltraMon\UltraMon.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.02.0000.1007\en-us\bin\WindowsSearch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll/search.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.02.0000.1007\en-us\msntabres.dll/229?c5678b9dd7ac4a62a394641b1dc39b2
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.02.0000.1007\en-us\msntabres.dll/230?c5678b9dd7ac4a62a394641b1dc39b2
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1111514571686
O16 - DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.3.1_02) - http://conflux/plugi..._1_3_silent.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rad.msu.edu
O17 - HKLM\Software\..\Telephony: DomainName = rad.msu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rad.msu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = rad.msu.edu
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DpHost - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: Hummingbird Exceed Display Management (HumDisplayServer) - Hummingbird Ltd. - C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\HumDisplayServer.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\CommAgent\CommAgent.exe
O23 - Service: Webroot SpySweeper Service (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe

    Advertisements

Register to Remove


#2 pskelley

pskelley

    R.I.P Always in our hearts

  • Authentic Member
  • PipPipPipPipPip
  • 3,879 posts
  • Interests:Computers, fishing, biking, basketball, travel

Posted 04 July 2005 - 07:17 AM

Hello jwalkin, Welcome to TomCoyote forum and sorry for the delay. If you have not received help elsewhere, I will see what I can do. Some information about your problem first:

O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe << Looks simple enough, here is what it is: http://www.sophos.co...32spybotcy.html Please take the time to read about this worm so you will know what has occured on your computer. Read under all three tabs. I see it interferes with Stinger, but I would like to see if a fresh download will kill it. Notice it is also running from a Temp folder. Here is what I would like you to do.

1) Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions on the download page and please do not run it until I ask you to.

2) Download Stinger from here: http://vil.nai.com/vil/stinger/ read and follow the instructions to scan your drive/s then allow Stinger to remove anything it locates. Remember that this is a specialized tool, it is looking for specific items. Please let me know if it located and removed anything and what the item/items were.

3) Ewido trojan scanner: http://www.ewido.net/en/download/
Please download, install, update and scan your system with the free version of Ewido trojan scanner:[list=1]
[*]When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
[*]When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
[*]From the main ewido screen, click on update in the left menu, then click the Start update button.
[*]After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
[*]If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
[*]When the scan finishes, click on "Save Report". This will create a text file. Please then paste the contents of the text file to this thread.

4) Run CCleaner, do not use the registry cleaner unless you back it up as suggested, then manually check all TEMP and Temp Internet folders to make sure they are empty. This information will help:
http://www.safecompu...irectories.html
http://www.personal-...ngtempfiles.htm

5) Locate C:\Windows\Prefetch folder and open it. Delete the contents of the folder (NOT THE FOLDER) if there are many choose Edit then Select all then Delete. You may not be able to remove them all, don't be concerned unless any have the name of the items we need to remove. Here is some information about the Prefetch for you:
http://techrepublic....70-5165773.html
http://www.pcmag.com...,1683520,00.asp

6) Stay in this same thread and post a new HJT log along with the log from the Ewido scan and information from the Stinger. Please add any comments you think I should have.

Thanks...pskelley
TomCoyote forum
Slyware Warrior

Edited by pskelley, 04 July 2005 - 07:20 AM.

MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006

#3 jwalkin

jwalkin

    New Member

  • New Member
  • Pip
  • 3 posts

Posted 06 July 2005 - 12:32 PM

Hi,
First of all... I got rid of the annoying wallpaper but now my wallpaper is grey and I cannot change it. When I right click on the desktop in properties I can't change my wallpaper and when I change the theme it just changes the color of the desktop but will still not allow me to put wallpaper on it. I use UltraMon because I have dual displays, I uninstalled/installed that and didn't help. The way I got rid of the wallpaper was that at some point in time my desktop turned into the "Restore Active Desktop" screen and I just disabled the active desktop.

- I ran stinger and it didn't find anything
- Ewido trojan scanner found a few things and fixed them log is attached
- I ran CCleaner as instructed
- Deleted contents of the Prefetch folder

Is there anything else you see or have any other ideas? Thanks!

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:32:46 AM, 7/6/2005
+ Report-Checksum: E056650F

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKU\S-1-5-21-42933632-790508295-646806464-7934\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
HKU\S-1-5-21-42933632-790508295-646806464-7934\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FAA356E4-D317-42A6-AB41-A3021C6E7D52} -> Spyware.ISTBar : Cleaned with backup
:mozilla.12:C:\Documents and Settings\jmazur\Application Data\Mozilla\Firefox\Profiles\3tx6v5ya.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.13:C:\Documents and Settings\jmazur\Application Data\Mozilla\Firefox\Profiles\3tx6v5ya.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.14:C:\Documents and Settings\jmazur\Application Data\Mozilla\Firefox\Profiles\3tx6v5ya.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.16:C:\Documents and Settings\jmazur\Application Data\Mozilla\Firefox\Profiles\3tx6v5ya.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.17:C:\Documents and Settings\jmazur\Application Data\Mozilla\Firefox\Profiles\3tx6v5ya.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.18:C:\Documents and Settings\jmazur\Application Data\Mozilla\Firefox\Profiles\3tx6v5ya.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.19:C:\Documents and Settings\jmazur\Application Data\Mozilla\Firefox\Profiles\3tx6v5ya.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.20:C:\Documents and Settings\jmazur\Application Data\Mozilla\Firefox\Profiles\3tx6v5ya.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.21:C:\Documents and Settings\jmazur\Application Data\Mozilla\Firefox\Profiles\3tx6v5ya.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.22:C:\Documents and Settings\jmazur\Application Data\Mozilla\Firefox\Profiles\3tx6v5ya.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.23:C:\Documents and Settings\jmazur\Application Data\Mozilla\Firefox\Profiles\3tx6v5ya.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.24:C:\Documents and Settings\jmazur\Application Data\Mozilla\Firefox\Profiles\3tx6v5ya.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.63:C:\Documents and Settings\jmazur\Application Data\Mozilla\Firefox\Profiles\3tx6v5ya.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.64:C:\Documents and Settings\jmazur\Application Data\Mozilla\Firefox\Profiles\3tx6v5ya.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.65:C:\Documents and Settings\jmazur\Application Data\Mozilla\Firefox\Profiles\3tx6v5ya.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.66:C:\Documents and Settings\jmazur\Application Data\Mozilla\Firefox\Profiles\3tx6v5ya.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.67:C:\Documents and Settings\jmazur\Application Data\Mozilla\Firefox\Profiles\3tx6v5ya.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.68:C:\Documents and Settings\jmazur\Application Data\Mozilla\Firefox\Profiles\3tx6v5ya.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.69:C:\Documents and Settings\jmazur\Application Data\Mozilla\Firefox\Profiles\3tx6v5ya.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.74:C:\Documents and Settings\jmazur\Application Data\Mozilla\Firefox\Profiles\3tx6v5ya.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.75:C:\Documents and Settings\jmazur\Application Data\Mozilla\Firefox\Profiles\3tx6v5ya.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.95:C:\Documents and Settings\jmazur\Application Data\Mozilla\Firefox\Profiles\3tx6v5ya.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.104:C:\Documents and Settings\jmazur\Application Data\Mozilla\Firefox\Profiles\3tx6v5ya.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.105:C:\Documents and Settings\jmazur\Application Data\Mozilla\Firefox\Profiles\3tx6v5ya.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.106:C:\Documents and Settings\jmazur\Application Data\Mozilla\Firefox\Profiles\3tx6v5ya.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.107:C:\Documents and Settings\jmazur\Application Data\Mozilla\Firefox\Profiles\3tx6v5ya.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.115:C:\Documents and Settings\jmazur\Application Data\Mozilla\Firefox\Profiles\3tx6v5ya.default\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\mkf\Cookies\mkf@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Program Files\Symantec\pcAnywhere\Awras32.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\winstall.exe -> Not-A-Virus.Hoax.Renos.a : Cleaned with backup


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 2:30:14 PM, on 7/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\HumDisplayServer.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Webroot\Enterprise\CommAgent\CommAgent.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperTray.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\SIGMA\Photo Pro\SIGMA_AutoLaunch.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\data\apps\virus\hijack\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [DpAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Webroot Spy Sweeper, Enterprise Edition] c:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperTray.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: SIGMA Photo Pro AutoLaunch.lnk = C:\Program Files\SIGMA\Photo Pro\SIGMA_AutoLaunch.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1111514571686
O16 - DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.3.1_02) - http://conflux/plugi..._1_3_silent.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rad.msu.edu
O17 - HKLM\Software\..\Telephony: DomainName = rad.msu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rad.msu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = rad.msu.edu
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DpHost - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Hummingbird Exceed Display Management (HumDisplayServer) - Hummingbird Ltd. - C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\HumDisplayServer.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\CommAgent\CommAgent.exe
O23 - Service: Webroot SpySweeper Service (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe

#4 pskelley

pskelley

    R.I.P Always in our hearts

  • Authentic Member
  • PipPipPipPipPip
  • 3,879 posts
  • Interests:Computers, fishing, biking, basketball, travel

Posted 06 July 2005 - 02:39 PM

First of all... I got rid of the annoying wallpaper but now my wallpaper is grey and I cannot change it. When I right click on the desktop in properties I can't change my wallpaper and when I change the theme it just changes the color of the desktop but will still not allow me to put wallpaper on it.

I see nothing in your log that indicates any problem. There is one item: O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present which has to do with a restriction that is set about the control panel. If you or the administrator did not set the restriction it can be removed. If you are trying to make changes in the control panel and the restriction is in place it may block those changes. You could remove that restriction and see if that was the problem.

I am trying a few things , different things that may help:

1) Take a look in Add Remove programs and remove any program that you did not put there. Look for something called SpySheriff, uninstall it or any program you know does not belong there.

2) Next go to Start -> Control Panel, click Display -> Desktop -> Customize Desktop -> Website -> Uncheck "Security Info" if present.

3) I am also wondering about this item:
C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\HumDisplayServer.exe here is some information:
http://www.hummingbi...3003.html?cks=y I have not seen this item before and do not know if it could be causing a problem.
but I do see this: multiple display environment.

4) One other thing you can try is to see if the infections corrupted any files that might need to be restored.
To do this simply go to the Run box on the Start Menu and type in:

sfc /scannow

This command will immediately initiate the Windows File Protection service to scan all protected files and verify their integrity, replacing any files with which it finds a problem.

Let me know if any of these suggestions helps, I am interested in how the computer is running now in general, since your log appears clean here is some great information for you.
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.net-in...?showtopic=3051
http://russelltexas....re/allclear.htm
http://forum.malware...wtopic.php?t=14
http://www.bleepingc...topict2520.html

Thanks...Phil
MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006

#5 jwalkin

jwalkin

    New Member

  • New Member
  • Pip
  • 3 posts

Posted 06 July 2005 - 03:58 PM

Thanks for the fast reply. I will try some things tomorrow as I am heading out tonight and let you know how it went. Later, Jake

#6 pskelley

pskelley

    R.I.P Always in our hearts

  • Authentic Member
  • PipPipPipPipPip
  • 3,879 posts
  • Interests:Computers, fishing, biking, basketball, travel

Posted 10 July 2005 - 08:42 AM

closing this topic in 24 hours...pskelley
MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006

#7 pskelley

pskelley

    R.I.P Always in our hearts

  • Authentic Member
  • PipPipPipPipPip
  • 3,879 posts
  • Interests:Computers, fishing, biking, basketball, travel

Posted 12 July 2005 - 05:31 AM

If you need this topic reopened, please request this by sending an email to us at the following link
(Click for address)
Include your post user name and detail why you need it reopened with a valid link to your post.
Any bad links or emails that are not from the original poster will be deleted without response.
Any emails without the subject "Reopen" will be deleted without being looked at.

If this is not your thread please start a New Topic.

MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users