vectorform
asked on
Spyware Removal - help
I am having trouble removing some spyware from my system... my HijackThis log is below. Please help for 500 points
Logfile of HijackThis v1.99.1
Scan saved at 8:19:28 PM, on 6/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~2\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~2\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nutsrv4.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Apache Software Foundation\Tomcat 5.0\bin\tomcat5.exe
C:\WINDOWS\System32\wdfmgr.exe
c:\program files\verizon wireless\venturi\Client\ventc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy_serv01:80
R3 - URLSearchHook: (no name) - {FE00D4B8-31AA-E691-48EE-92E5A3CC805E} - srbho.dll (file missing)
R3 - URLSearchHook: (no name) - {FE32CCB4-6E48-7767-7DFF-AFCE8EDBACCB} - ms-its.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {D44CCDBD-C9C1-44C7-9A6B-74B250FD070F} - C:\WINDOWS\system32\winnuts.dll (file missing)
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [dmffy.exe] C:\WINDOWS\system32\dmffy.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM (R) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119667334994
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1119667532658
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.com/pc/support/access/aslibmain/aslib/content/IbmEgath.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownload Control Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F0E42D60-368C-11D0-AD81-00A0C90DC8D9} (Snapshot Viewer Control 10.0) - http://activex.microsoft.com/activex/controls/access/Snapview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{14521DDC-D136-4535-96FE-1B4C908D4F1C}: NameServer = 85.255.116.44,85.255.112.155
O17 - HKLM\System\CCS\Services\Tcpip\..\{32F04B0C-418D-4D38-A34E-C08C80B4A093}: NameServer = 85.255.116.44,85.255.112.155
O17 - HKLM\System\CCS\Services\Tcpip\..\{4585A8D3-63C4-491E-BDF5-B56C7FEEA7B8}: NameServer = 85.255.116.44,85.255.112.155
O17 - HKLM\System\CCS\Services\Tcpip\..\{49A24E78-6D9E-4BCD-BC8A-8A4A29E372CB}: NameServer = 85.255.116.44,85.255.112.155
O17 - HKLM\System\CS1\Services\Tcpip\..\{14521DDC-D136-4535-96FE-1B4C908D4F1C}: NameServer = 85.255.116.44,85.255.112.155
O17 - HKLM\System\CS2\Services\Tcpip\..\{14521DDC-D136-4535-96FE-1B4C908D4F1C}: NameServer = 85.255.116.44,85.255.112.155
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~2\SYMANT~1\DefWatch.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~2\SYMANT~1\Rtvscan.exe
O23 - Service: NuTCRACKERService - DataFocus, Inc. - C:\WINDOWS\system32\nutsrv4.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - Unknown owner - C:\WINDOWS\System32\RampartSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Program Files\Apache Software Foundation\Tomcat 5.0\bin\tomcat5.exe" //RS//Tomcat5 (file missing)
O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe
I posted your HJT log at http://www.hijackthis.de/ and the analyzed log is at:
http://www.hijackthis.de/logfiles/8162635dce2815d631f5927c54cb2e56.html
I would suggest removing the following entry with HJT:
O4 - HKLM\..\Run: [dmffy.exe] C:\WINDOWS\system32\dmffy.exe
then reboot and see if the problem is fixed.
If not then run HJT again and post a log at http://www.hijackthis.de/ (not here), click "analyze" then "Save analysis" and post a link here.
Hi,
You have a wareout infection there!
Uninstall UnSpyPC from Add/Remove Programs if it's listed.
You must have an active Internet connection when running this fix, in order to download the Brute Force Uninstaller (BFU) from Merijn's page.
If you have problems with your connection:
Please go to Start -> Control Panel, and choose Network Connections. Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads please post the text that will open (report.txt)
Fix these entries if still present after running the tool:
R3 - URLSearchHook: (no name) - {FE00D4B8-31AA-E691-48EE-92E5A3CC805E} - srbho.dll (file missing)
R3 - URLSearchHook: (no name) - {FE32CCB4-6E48-7767-7DFF-AFCE8EDBACCB} - ms-its.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {D44CCDBD-C9C1-44C7-9A6B-74B250FD070F} - C:\WINDOWS\system32\winnuts.dll (file missing)
O4 - HKLM\..\Run: [dmffy.exe] C:\WINDOWS\system32\dmffy.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{14521DDC-D136-4535-96FE-1B4C908D4F1C}: NameServer = 85.255.116.44,85.255.112.155
O17 - HKLM\System\CCS\Services\Tcpip\..\{32F04B0C-418D-4D38-A34E-C08C80B4A093}: NameServer = 85.255.116.44,85.255.112.155
O17 - HKLM\System\CCS\Services\Tcpip\..\{4585A8D3-63C4-491E-BDF5-B56C7FEEA7B8}: NameServer = 85.255.116.44,85.255.112.155
O17 - HKLM\System\CCS\Services\Tcpip\..\{49A24E78-6D9E-4BCD-BC8A-8A4A29E372CB}: NameServer = 85.255.116.44,85.255.112.155
O17 - HKLM\System\CS1\Services\Tcpip\..\{14521DDC-D136-4535-96FE-1B4C908D4F1C}: NameServer = 85.255.116.44,85.255.112.155
O17 - HKLM\System\CS2\Services\Tcpip\..\{14521DDC-D136-4535-96FE-1B4C908D4F1C}: NameServer = 85.255.116.44,85.255.112.155
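The entries rpggamergirl lists above fall into three patterns that a reader can check for mechanically in any HijackThis log: R3/O2 hooks that point at a file marked "(file missing)", an O4 Run value named after a bare executable sitting in system32 (dmffy.exe here, dmtxd.exe in the asker's next log), and O17 NameServer values that point every interface and control set at the same pair of non-local resolvers (85.255.116.44 and 85.255.112.155), which is why the post says to put DNS back to "Obtain DNS servers automatically". The script below is an added example written for this page; it is not part of the thread and is not code from HijackThis or FixWareout. The sample lines are copied from the thread's logs with the extraction line-wrapping repaired, the "trusted resolver" rule (private or loopback address, or an explicit allowlist) and the system32 Run-value heuristic are my assumptions, and the before/after comparison uses the asker's first and second logs to show the Run entry changing name between them.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: entry lines copied from the first HijackThis log in this thread
# (line-wrapping repaired), limited to the entry types the helper acted on.
FIRST_LOG = r"""
R3 - URLSearchHook: (no name) - {FE00D4B8-31AA-E691-48EE-92E5A3CC805E} - srbho.dll (file missing)
R3 - URLSearchHook: (no name) - {FE32CCB4-6E48-7767-7DFF-AFCE8EDBACCB} - ms-its.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {D44CCDBD-C9C1-44C7-9A6B-74B250FD070F} - C:\WINDOWS\system32\winnuts.dll (file missing)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [dmffy.exe] C:\WINDOWS\system32\dmffy.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{14521DDC-D136-4535-96FE-1B4C908D4F1C}: NameServer = 85.255.116.44,85.255.112.155
O17 - HKLM\System\CCS\Services\Tcpip\..\{32F04B0C-418D-4D38-A34E-C08C80B4A093}: NameServer = 85.255.116.44,85.255.112.155
O17 - HKLM\System\CS1\Services\Tcpip\..\{14521DDC-D136-4535-96FE-1B4C908D4F1C}: NameServer = 85.255.116.44,85.255.112.155
"""

# Constructed sample: the same entry types from the asker's second log, posted after FixWareout ran.
SECOND_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [dmtxd.exe] C:\WINDOWS\system32\dmtxd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O17_RE = re.compile(
    r"^HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\\.\.\\(?P<guid>\{[0-9A-Fa-f-]+\}): "
    r"NameServer = (?P<servers>.+)$")


def parse_hjt(text):
    """Return [(code, body)] for every R*/O* entry line; headers and the process list are skipped."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group("code"), m.group("body")))
    return out


def is_trusted_dns(server, allowlist=()):
    """Assumed rule: a resolver is trusted if it is a private or loopback address
    (the LAN router) or is explicitly on the caller's allowlist (e.g. the ISP's resolvers)."""
    try:
        ip = ipaddress.ip_address(server.strip())
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or str(ip) in allowlist


def triage(text, dns_allowlist=(), benign_run_names=("ctfmon.exe",)):
    """Return [(code, reason, entry)] for entries matching the patterns the helper told the asker to fix."""
    findings = []
    dns_sightings = defaultdict(set)   # servers tuple -> {(control set, interface GUID)}
    for code, body in parse_hjt(text):
        if code in ("R3", "O2") and body.endswith("(file missing)"):
            findings.append((code, "hook/BHO registered for a file that no longer exists", body))
        elif code == "O4":
            m = O4_RE.match(body)
            if not m:
                continue
            name, cmd = m.group("name").lower(), m.group("cmd").lower()
            # Assumed heuristic: a Run value named after a bare .exe living in system32
            # that is not on the benign list (the dmffy.exe / dmtxd.exe pattern in this thread).
            if name.endswith(".exe") and "\\system32\\" in cmd and name not in benign_run_names:
                findings.append((code, "Run value named after an unrecognised system32 executable", body))
        elif code == "O17":
            m = O17_RE.match(body)
            if not m:
                continue
            servers = tuple(s.strip() for s in m.group("servers").split(","))
            rogue = [s for s in servers if not is_trusted_dns(s, dns_allowlist)]
            if rogue:
                findings.append((code, "NameServer points at non-local resolver(s) " + ",".join(rogue), body))
                dns_sightings[servers].add((m.group("cs"), m.group("guid")))
    for servers, where in dns_sightings.items():
        if len(where) > 1:   # same rogue resolvers stamped on several interfaces/control sets
            findings.append(("O17", f"resolvers {','.join(servers)} set on {len(where)} Tcpip entries", ""))
    return findings


def run_entries_changed(before, after):
    """Compare O4 Run entries between two logs: returns (removed, added), each sorted."""
    def o4(text):
        return {body for code, body in parse_hjt(text) if code == "O4"}
    b, a = o4(before), o4(after)
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for code, reason, entry in triage(FIRST_LOG):
        print(f"{code}: {reason}\n    {entry}")
    removed, added = run_entries_changed(FIRST_LOG, SECOND_LOG)
    print("Run entries gone since first log:", removed)
    print("Run entries new in second log:  ", added)
```

Run against the first log this flags the two R3 hooks, the winnuts.dll BHO, the dmffy.exe Run value and each O17 entry, and adds one summary finding because the same resolver pair appears on three Tcpip entries; the comparison with the second log reports dmffy.exe gone and dmtxd.exe new, which is the same file-rename the thread goes on to deal with. Pass the ISP's resolvers in dns_allowlist on a machine that legitimately uses static DNS, otherwise they would be reported too.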
I think you had better download Antispyware Scanner from the Microsoft download center and scan your computer.
ASKER
Hi rpggamergirl,
I think you helped me with spyware on another computer I had a while back...thanks for responding again. I followed your steps, but I still have something. The symptoms are redirects in IE, and I have a missing Task Manager button when I hit ctrl + alt + del. Here is my new log:
Logfile of HijackThis v1.99.1
Scan saved at 11:29:28 AM, on 6/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~2\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~2\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nutsrv4.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Apache Software Foundation\Tomcat 5.0\bin\tomcat5.exe
C:\WINDOWS\System32\wdfmgr.exe
c:\program files\verizon wireless\venturi\Client\ventc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy_serv01:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [dmtxd.exe] C:\WINDOWS\system32\dmtxd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM (R) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119667334994
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1119667532658
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.com/pc/support/access/aslibmain/aslib/content/IbmEgath.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownload Control Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F0E42D60-368C-11D0-AD81-00A0C90DC8D9} (Snapshot Viewer Control 10.0) - http://activex.microsoft.com/activex/controls/access/Snapview.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~2\SYMANT~1\DefWatch.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~2\SYMANT~1\Rtvscan.exe
O23 - Service: NuTCRACKERService - DataFocus, Inc. - C:\WINDOWS\system32\nutsrv4.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - Unknown owner - C:\WINDOWS\System32\RampartSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Program Files\Apache Software Foundation\Tomcat 5.0\bin\tomcat5.exe" //RS//Tomcat5 (file missing)
O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe
Hi vectorform,
I'm surprised that "wareoutfix.exe" didn't remove it all, there's still one in your log showing.
Could we look at the "wareout.txt" to see what the log says? This could be a new variant of wareout that the tool is not catching.
Please fix this entry:
O4 - HKLM\..\Run: [dmtxd.exe] C:\WINDOWS\system32\dmtxd.exe
Delete this file if it's still present --> C:\WINDOWS\system32\dmtxd.exe
Also let's check if Blacklight shows any wareout files:
Download and save blacklight to your desktop.
http://www.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe, accept the agreement, click scan > next.
You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones such as "wbemtest.exe", so don't choose the rename option yet! Copy and paste the log it generated in your next reply.
About your task Manager, could it be the same as this?
http://72.14.235.104/search?q=cache:hbYhIZSG6-gJ:www.experts-exchange.com/Operating_Systems/WinXP/Q_21242359.html+task+manager+button+missing&hl=en&gl=au&ct=clnk&cd=1&lr=lang_en
Or:
try Kelly's task manager repair .reg
http://www.kellys-korner-xp.com/regs_edits/TaskManager_Reset.reg
ASKER
Remove dmtxd - done - removed entry and the actual file.
Blacklight didn't find anything.
I am going to run the wareout tool again - the log got deleted last time so I will update this post after I re-run it.
I fixed the task manager issue - somehow it got disabled in the registry (not sure if the spyware caused this or I did something else and the timing was coincidental) but it was an easy fix.
ASKER
I couldn't find the log file produced by the wareout fix...however I think deleting the entries you said, then running the tool again, I don't have anything...at least I do not have any more spyware symptoms. Here is my new HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 6:55:00 PM, on 6/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~2\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~2\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nutsrv4.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Apache Software Foundation\Tomcat 5.0\bin\tomcat5.exe
c:\program files\verizon wireless\venturi\Client\ventc.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM (R) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119667334994
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1119667532658
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.com/pc/support/access/aslibmain/aslib/content/IbmEgath.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownload Control Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F0E42D60-368C-11D0-AD81-00A0C90DC8D9} (Snapshot Viewer Control 10.0) - http://activex.microsoft.com/activex/controls/access/Snapview.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~2\SYMANT~1\DefWatch.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~2\SYMANT~1\Rtvscan.exe
O23 - Service: NuTCRACKERService - DataFocus, Inc. - C:\WINDOWS\system32\nutsrv4.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - Unknown owner - C:\WINDOWS\System32\RampartSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Program Files\Apache Software Foundation\Tomcat 5.0\bin\tomcat5.exe" //RS//Tomcat5 (file missing)
O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe
ASKER CERTIFIED SOLUTION
and
HKEY_CURRENT_USER\SOFTWARE
which contains the "start up" commands.
and see which files are not supposed to start up when Windows starts! First find the files and delete them. If XP normal mode doesn't let you delete them, go to the safe mode and delete them, next remove their entry from: HKEY_LOCAL_MACHINE\SOFTWAR
and
HKEY_CURRENT_USER\SOFTWARE
Now reboot and see if there is any trace left! Basically I would advise you to use Spywaredoctor, which has been awarded as the best spyware killer from many sites and which I have bought and use. Download from:
Spywaredoctor.com
Good luck
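The accepted solution above tells you to read the Run keys under HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER, find each file and delete it; the expert earlier in the thread likewise asked for a check that the dmtxd file was gone after its Run entry was fixed. The awkward part of doing that by hand is turning a Run value into the file it actually launches: values can be quoted, can carry arguments (the KernelFaultCheck entry in the log), can use %systemroot%-style variables, and can be an unquoted path containing spaces (the Gmail Notifier entry). The helper below, written for this page and not part of the thread or of any tool mentioned in it, resolves those shapes and reports whether the file is present. The Run values and environment are constructed and modelled on the O4 entries in the log; example_unknown is a placeholder for an entry whose file has already been removed; the fake drive is a scratch directory so the example runs anywhere; read_run_values is the one piece that needs Windows and is not exercised by the sample.

```python
import os
import re
import tempfile

ENV_RE = re.compile(r"%([^%]+)%")

# Constructed Run values modelled on the O4 entries in this thread; the
# 'example_unknown' value is a placeholder for an entry whose file has already
# been deleted, and SAMPLE_ENV stands in for the machine's environment.
SAMPLE_RUN_VALUES = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "KernelFaultCheck": r"%systemroot%\system32\dumprep 0 -k",
    "GmailNotifier": r"C:\Program Files\Google\Gmail Notifier\gnotify.exe",
    "example_unknown": r"C:\WINDOWS\system32\example_unknown.exe",
}
SAMPLE_ENV = {"SystemRoot": r"C:\WINDOWS", "ProgramFiles": r"C:\Program Files"}


def expand_env(command, env):
    """Expand %VAR% references the way the shell does, case-insensitively;
    unknown variables are left untouched."""
    lookup = {k.lower(): v for k, v in env.items()}
    return ENV_RE.sub(lambda m: lookup.get(m.group(1).lower(), m.group(0)), command)


def split_command(command, exists):
    """Return (executable, arguments) for a Run-value command line.

    Three shapes occur: a quoted path followed by arguments, an unquoted path
    without spaces followed by arguments, and an unquoted path that itself
    contains spaces.  For the last one the loader tries successively longer
    prefixes (with and without an implied .exe), so this does the same using
    the supplied exists() predicate; if nothing matches, the first token is
    returned so the caller still has something to report."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end == -1:
            return command[1:], ""
        return command[1:end], command[end + 1:].strip()
    tokens = command.split(" ")
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        for path in (candidate, candidate + ".exe"):
            if exists(path):
                return path, " ".join(tokens[i:])
    return tokens[0], " ".join(tokens[1:])


def audit_run_values(values, env, exists):
    """Resolve every Run value to its executable and say whether it is present."""
    report = []
    for name, command in values.items():
        exe, args = split_command(expand_env(command, env), exists)
        report.append((name, exe, args, "present" if exists(exe) else "missing"))
    return report


def make_fake_drive(files):
    """Build a scratch directory standing in for the C: drive and return an
    exists() predicate that maps Windows-style paths onto it, case-insensitively
    (constructed fixture so the example runs on any OS)."""
    root = tempfile.mkdtemp()
    for rel in files:
        full = os.path.join(root, *rel.lower().split("\\"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()

    def exists(win_path):
        if len(win_path) < 2 or win_path[1] != ":":
            return False
        rel = win_path[2:].lstrip("\\").lower()
        return os.path.isfile(os.path.join(root, *rel.split("\\")))

    return exists


def read_run_values(hive_name="HKLM"):
    """On a real Windows machine, read the Run key the solution refers to with
    the standard library's winreg module (not exercised by the offline sample)."""
    import winreg
    hive = winreg.HKEY_LOCAL_MACHINE if hive_name == "HKLM" else winreg.HKEY_CURRENT_USER
    values = {}
    with winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once the value index runs past the end
                break
            values[name] = str(data)
            index += 1
    return values


if __name__ == "__main__":
    exists = make_fake_drive([
        r"WINDOWS\system32\ctfmon.exe",
        r"WINDOWS\system32\dumprep.exe",
        r"Program Files\Google\Gmail Notifier\gnotify.exe",
    ])
    for name, exe, args, status in audit_run_values(SAMPLE_RUN_VALUES, SAMPLE_ENV, exists):
        print(f"{status:8} {name:18} {exe}  {args}")
```

On Windows you would feed `read_run_values("HKLM")` and `read_run_values("HKCU")` into `audit_run_values` with `os.environ` and `os.path.isfile`; a "missing" result is the dangling Run entry the thread says to remove, and a "present" result for a name you do not recognise is the file to examine before deleting it.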