ABI/VX/possible others? [Thread Solved]
Join Date: Aug 2005
Posts: 6
Solved Threads: 0
Trying to fix someone's computer for them.
Logfile of HijackThis v1.99.1
Scan saved at 10:15:49 PM, on 08/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\DOCUME~1\JESSIC~1.EIS\LOCALS~1\Temp\See04152005.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\jparpq.exe
c:\windows\system32\ssxzrmh.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
E:\Fix Computers\New Stuff\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Visual Element FX5] C:\DOCUME~1\JESSIC~1.EIS\LOCALS~1\Temp\See04152005.exe
O4 - HKLM\..\Run: [tplier] C:\WINDOWS\System32\tplier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jparpq.exe reg_run
O4 - HKLM\..\Run: [wuntkqh] c:\windows\system32\ssxzrmh.exe r
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000079-d.exe
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A12CAA3-3DAE-4A7F-9CB8-C0E23DE07F01}: NameServer = 192.206.29.2,166.66.44.56
O17 - HKLM\System\CS1\Services\Tcpip\..\{5A12CAA3-3DAE-4A7F-9CB8-C0E23DE07F01}: NameServer = 192.206.29.2,166.66.44.56
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
Join Date: Jul 2004
Posts: 2,964
Solved Threads: 210
Hi Wild Bill, welcome to DaniWeb 
Please follow the recommendations and instructions in the links below. When you get to the end of the third one (Infection removal), go to post #5 and follow the instructions there carefully.
When you've finished, please post a new HijackThis log along with the Ewido log.
Links to help you help yourself :
Protect Your PC & Avoid Infections -- http://www.daniweb.com/techtalkforums/thread27519.html
Cleanup Procedures & Tools -- http://www.daniweb.com/techtalkforums/thread27570.html
Infection Removal & HijackThis Use -- http://www.daniweb.com/techtalkforums/thread28196.html
Join Date: Aug 2005
Posts: 6
Solved Threads: 0
Hopefully that worked... not sure though.
+ Created on: 9:50:37 PM, 08/04/2005
+ Report-Checksum: 46A5C5C9
+ Scan result:
HKU\S-1-5-21-1183646164-3809480734-195663008-1007\Software\Microsoft\Internet Explorer\Explorer Bars\{90C61707-C8F8-43DB-A25C-C1F4B18EE41E} -> Spyware.CometCursor : Cleaned with backup
[804] c:\windows\system32\hicbpgf.exe -> Adware.BetterInternet : Cleaned with backup
:mozilla.10:C:\Documents and Settings\jessica a.eisenhart\Application Data\Mozilla\Firefox\Profiles\zpeh00zq.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.11:C:\Documents and Settings\jessica a.eisenhart\Application Data\Mozilla\Firefox\Profiles\zpeh00zq.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.20:C:\Documents and Settings\jessica a.eisenhart\Application Data\Mozilla\Firefox\Profiles\zpeh00zq.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.21:C:\Documents and Settings\jessica a.eisenhart\Application Data\Mozilla\Firefox\Profiles\zpeh00zq.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.22:C:\Documents and Settings\jessica a.eisenhart\Application Data\Mozilla\Firefox\Profiles\zpeh00zq.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.23:C:\Documents and Settings\jessica a.eisenhart\Application Data\Mozilla\Firefox\Profiles\zpeh00zq.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.29:C:\Documents and Settings\jessica a.eisenhart\Application Data\Mozilla\Firefox\Profiles\zpeh00zq.default\cookies.txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.30:C:\Documents and Settings\jessica a.eisenhart\Application Data\Mozilla\Firefox\Profiles\zpeh00zq.default\cookies.txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.31:C:\Documents and Settings\jessica a.eisenhart\Application Data\Mozilla\Firefox\Profiles\zpeh00zq.default\cookies.txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
:mozilla.32:C:\Documents and Settings\jessica a.eisenhart\Application Data\Mozilla\Firefox\Profiles\zpeh00zq.default\cookies.txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
:mozilla.37:C:\Documents and Settings\jessica a.eisenhart\Application Data\Mozilla\Firefox\Profiles\zpeh00zq.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.46:C:\Documents and Settings\jessica a.eisenhart\Application Data\Mozilla\Firefox\Profiles\zpeh00zq.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.47:C:\Documents and Settings\jessica a.eisenhart\Application Data\Mozilla\Firefox\Profiles\zpeh00zq.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.48:C:\Documents and Settings\jessica a.eisenhart\Application Data\Mozilla\Firefox\Profiles\zpeh00zq.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.49:C:\Documents and Settings\jessica a.eisenhart\Application Data\Mozilla\Firefox\Profiles\zpeh00zq.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\jessica a.eisenhart\Cookies\jessica a.eisenhart@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\jessica a.eisenhart\Cookies\jessica a.eisenhart@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\jessica a.eisenhart\Cookies\jessica a.eisenhart@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\jessica a.eisenhart\Cookies\jessica a.eisenhart@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\jessica a.eisenhart\Cookies\jessica a.eisenhart@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\jessica a.eisenhart\Cookies\jessica a.eisenhart@linksynergy[2].txt -> Spyware.Cookie.Linksynergy : Cleaned with backup
C:\Documents and Settings\jessica a.eisenhart\Cookies\jessica a.eisenhart@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\jessica a.eisenhart\Cookies\jessica a.eisenhart@sales.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\jessica a.eisenhart\Cookies\jessica a.eisenhart@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\jessica a.eisenhart\Cookies\jessica a.eisenhart@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\6544684F-F245-44BE-9254-A5AB10.asq -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\9C5102E4-D4B0-40EE-8C82-410C1F\3FCD6251-A225-43F9-8A30-8B13D0 -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\9C5102E4-D4B0-40EE-8C82-410C1F\7EC0BBD8-292F-41AD-805F-FDC4BF -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\F435C0EB-39C7-4881-A5E1-47F4B7\5A378AB0-1E69-400F-9096-8853C4 -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\dsr.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\dsr.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\lnsjrg.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\SYSTEM32\hicbpgf.exe -> Adware.BetterInternet : Cleaned with backup
Logfile of HijackThis v1.99.1
Scan saved at 10:18:34 PM, on 08/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\DOCUME~1\JESSIC~1.EIS\LOCALS~1\Temp\See04152005.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
E:\Fix Computers\New Stuff\HijackThis.exe
C:\WINDOWS\System32\dwwin.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.maxifiles.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Visual Element FX5] C:\DOCUME~1\JESSIC~1.EIS\LOCALS~1\Temp\See04152005.exe
O4 - HKLM\..\Run: [tplier] C:\WINDOWS\System32\tplier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000079-d.exe
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A12CAA3-3DAE-4A7F-9CB8-C0E23DE07F01}: NameServer = 192.206.29.2,166.66.44.56
O17 - HKLM\System\CS1\Services\Tcpip\..\{5A12CAA3-3DAE-4A7F-9CB8-C0E23DE07F01}: NameServer = 192.206.29.2,166.66.44.56
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
Join Date: Jul 2004
Posts: 2,964
Solved Threads: 210
Remove Newdotnet either from Add/Remove Programs, or by following the instructions here:
http://www.newdotnet.com/removal.html
Also in Add/Remove Programs, remove Viewpoint (or Viewpoint Manager, ViewMgr, or something similar).
Scan with HijackThis and have it fix:
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
Close any open windows, other than HijackThis, and hit Fix checked.
Go to the following locations and delete the highlighted folders:
C:\Program Files\Viewpoint
C:\program files\newdotnet
Do a search for these files and delete any instances found:
commandd.exe
conversions.ini
d2gfz.dll
diablo ii.exe
dinst.exe
grab.exe
If any of these files are found, but cannot be deleted, reboot into Safe Mode and try it from there.
Download and run CCleaner – http://www.filehippo.com/download/li.../download.html
Reboot, close any open browser windows, scan with HijackThis, and post a new log please.
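The procedure above is "fix the listed entries, then scan again and post a new log", and the thread then compares logs by eye to see what survived. As an added example (not code from the thread or from any of its posters, and not part of HijackThis itself), the script below parses the entry lines of a HijackThis v1.99 log, flags the kinds of entries this thread singles out (a program chained onto the system.ini Shell= value, an autorun launched from a Temp directory, registrations whose file is missing, a broken O10 LSP chain, a service with an unknown owner), and diffs a before/after pair so the persisting flagged entries stand out. The sample log text is constructed from entry lines quoted on this page; the flag rules are the author's own heuristics, not a HijackThis feature.

```python
"""Triage a HijackThis v1.99 log and compare a before/after pair.

Added example: parses the "Rn - ...", "Fn - ...", "On - ..." entry lines of a
HijackThis log, flags entries of the kinds discussed in the thread, and reports
which flagged entries survive a cleanup by diffing a second log taken afterwards.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "O4", "F2", "O10"
    body: str     # everything after "O4 - "


# Entry lines start with a section tag, " - ", then the body; headers and the
# "Running processes" list do not match and are skipped.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
F2_RE = re.compile(r"^REG:system\.ini: (Shell|UserInit)=(.*)$", re.I)
TEMP_RE = re.compile(r"\\(LOCALS~1\\Temp|Local Settings\\Temp)\\", re.I)


def parse_hjt(text):
    """Return the entry lines of a log as Entry objects."""
    out = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            out.append(Entry(m.group(1), m.group(2)))
    return out


def flag(e):
    """Reasons (heuristics) an entry deserves a second look; empty list means none."""
    reasons = []
    if e.section == "F2":
        m = F2_RE.match(e.body)
        if m:
            key, val = m.group(1), m.group(2).strip().lower()
            # Shell= must be exactly Explorer.exe and UserInit= a lone userinit.exe path;
            # anything chained after them (the thread's "Shell=Explorer.exe C:\WINDOWS\Nail.exe")
            # is an extra program started at every logon.
            expected = (val == "explorer.exe" if key.lower() == "shell"
                        else re.fullmatch(r"[^\s,]*\\userinit\.exe,?", val) is not None)
            if not expected:
                reasons.append(f"{key}= carries more than the expected executable")
    if e.section == "O4" and TEMP_RE.search(e.body):
        reasons.append("autorun launched from a Temp directory")
    if "(file missing)" in e.body:
        reasons.append("points at a file that no longer exists (orphaned registration)")
    if e.section == "O10":
        reasons.append("Winsock LSP chain is broken; networking may fail until repaired")
    if e.section == "O23" and "Unknown owner" in e.body:
        reasons.append("service with no vendor information")
    return reasons


def triage(text):
    """Map each flagged entry line of a log to its reasons."""
    return {f"{e.section} - {e.body}": r for e in parse_hjt(text) if (r := flag(e))}


def compare(before, after):
    """Diff two logs: entries the cleanup removed, entries that appeared, flagged entries that persist."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    fmt = lambda es: sorted(f"{e.section} - {e.body}" for e in es)
    return {
        "removed": fmt(b - a),
        "added": fmt(a - b),
        "still_flagged": fmt(e for e in a & b if flag(e)),
    }


# Constructed sample: entry lines taken from the thread's first and last logs.
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Visual Element FX5] C:\DOCUME~1\JESSIC~1.EIS\LOCALS~1\Temp\See04152005.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jparpq.exe reg_run
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

AFTER_LOG = r"""Logfile of HijackThis v1.99.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Visual Element FX5] C:\DOCUME~1\JESSIC~1.EIS\LOCALS~1\Temp\See04152005.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
"""

if __name__ == "__main__":
    for line, reasons in triage(BEFORE_LOG).items():
        print(line, "->", "; ".join(reasons))
    for kind, lines in compare(BEFORE_LOG, AFTER_LOG).items():
        print(kind, lines)
```

Run against the two sample logs, the Nail.exe Shell= entry, the orphaned dsr.dll BHO, the jparpq autorun and the SvcProc service show up as removed, while the Temp-directory autorun and the O10 LSP line are reported as still flagged, which is exactly the state the thread reaches when the poster writes that the O10 line "appears to still be there".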
Join Date: Aug 2005
Posts: 6
Solved Threads: 0
I believe that got rid of the Viewpoint thing, but there was no program file of newdotnet to remove. When trying to remove the O10 LSP provider line in HijackThis it said it isn't able to do it and gave a weblink which gave a 404 error, but it also recommended using Spybot S&D to get rid of it if it was newdotnet. I downloaded that and did a scan. Restarted it, but it appears to still be there. Here's the new HJT log. Thanks for all of your help so far!
Logfile of HijackThis v1.99.1
Scan saved at 5:43:59 PM, on 08/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\DOCUME~1\JESSIC~1.EIS\LOCALS~1\Temp\See04152005.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
E:\Fix Computers\New Stuff\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.maxifiles.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Visual Element FX5] C:\DOCUME~1\JESSIC~1.EIS\LOCALS~1\Temp\See04152005.exe
O4 - HKLM\..\Run: [tplier] C:\WINDOWS\System32\tplier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000079-d.exe
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A12CAA3-3DAE-4A7F-9CB8-C0E23DE07F01}: NameServer = 192.206.29.2,166.66.44.56
O17 - HKLM\System\CS1\Services\Tcpip\..\{5A12CAA3-3DAE-4A7F-9CB8-C0E23DE07F01}: NameServer = 192.206.29.2,166.66.44.56
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
Join Date: Jul 2004
Posts: 2,964
Solved Threads: 210
Please follow the instructions here to remove newdotnet -- http://www.newdotnet.com/removal.html
Delete the entire contents of the C:\Windows\Temp folder.
Delete the entire contents of the C:\Temp folder.
Do a search for *.tmp and delete all entries found.
For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):
Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5
Scan with HJT and have it fix:
O4 - HKLM\..\Run: [Visual Element FX5] C:\DOCUME~1\JESSIC~1.EIS\LOCALS~1\Temp\See04152005.exe
O4 - HKLM\..\Run: [tplier] C:\WINDOWS\System32\tplier.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
If the IP addresses below are not related to her ISP, have HJT fix both of these O17 entries --
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A12CAA3-3DAE-4A7F-9CB8-C0E23DE07F01}: NameServer = 192.206.29.2,166.66.44.56
O17 - HKLM\System\CS1\Services\Tcpip\..\{5A12CAA3-3DAE-4A7F-9CB8-C0E23DE07F01}: NameServer = 192.206.29.2,166.66.44.56
Close any open windows and hit Fix checked.
Reboot, close any open browser windows, scan with HJT and post a new log please.
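As an added triage example (not code from the thread or from HijackThis): a small Python checker that applies the three rules the helper used above, flagging O4 Run entries launched from a Temp folder, O10 entries for a missing LSP DLL, and O17 NameServer addresses that are not on an allow-list of the ISP's resolvers. The allow-list is assumed input; the sample lines are copied from the log in this thread, and tplier.exe shows the limit of path heuristics, since it sits in System32 and was caught only by the helper's research.

```python
"""Triage of HijackThis log lines for the three entry classes the helper above
asked to have fixed.  Added example, not code from the thread or from HijackThis."""
import re
from ipaddress import ip_address

# Line shapes as HijackThis 1.99.1 prints them in this thread.
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O10_RE = re.compile(r"^O10 - Broken Internet access because of LSP provider '(?P<dll>[^']+)' missing$")
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>[\d.,]+)$")
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)', re.IGNORECASE)

# Lines copied from the log posted in this thread (two clean entries plus the
# entries the helper flagged), used as sample input.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe",
    r'O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot',
    r"O4 - HKLM\..\Run: [Visual Element FX5] C:\DOCUME~1\JESSIC~1.EIS\LOCALS~1\Temp\See04152005.exe",
    r"O4 - HKLM\..\Run: [tplier] C:\WINDOWS\System32\tplier.exe",
    r"O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{5A12CAA3-3DAE-4A7F-9CB8-C0E23DE07F01}: NameServer = 192.206.29.2,166.66.44.56",
]


def _exe_path(cmd):
    """Executable part of an O4 command line, quotes and arguments stripped."""
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else cmd.strip()


def _unknown_servers(servers, allowed):
    """Resolver addresses in the O17 value that are not on the ISP allow-list."""
    unknown = []
    for s in servers.split(","):
        try:
            if ip_address(s) not in allowed:
                unknown.append(s)
        except ValueError:  # not a parseable address: treat it as suspicious
            unknown.append(s)
    return unknown


def triage(lines, isp_dns):
    """Return (line, reason) pairs for entries worth a second look.

    isp_dns is the list of resolver addresses the ISP actually issues; the thread
    leaves verifying that to the reader, so it is a parameter here (assumption)."""
    allowed = {ip_address(a) for a in isp_dns}
    findings = []
    for line in lines:
        line = line.strip()
        if m := O4_RE.match(line):
            # Autostart from a per-user or system Temp folder (long or 8.3 form).
            if "\\temp\\" in _exe_path(m.group("cmd")).lower():
                findings.append((line, "autostart launched from a Temp directory"))
        elif m := O10_RE.match(line):
            # A Winsock LSP whose DLL is gone breaks socket access until repaired.
            findings.append((line, "LSP chain references missing DLL " + m.group("dll")))
        elif m := O17_RE.match(line):
            bad = _unknown_servers(m.group("servers"), allowed)
            if bad:
                findings.append((line, "NameServer not on ISP allow-list: " + ",".join(bad)))
    return findings


if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG, ["192.206.29.2"]):
        print(why, "<-", line)
```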
Join Date: Aug 2005
Posts: 6
Solved Threads: 0
OK, here's the new log.
Logfile of HijackThis v1.99.1
Scan saved at 1:10:16 PM, on 08/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
E:\Fix Computers\New Stuff\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.maxifiles.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000079-d.exe
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
Join Date: Jul 2004
Posts: 2,964
Solved Threads: 210
I just see one more thing to fix there; I wasn't sure before so I had to do a bit of research.
Scan with HJT and have it fix
O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
Remember to close all windows before hitting Fix checked.
Go to C:\PROGRAM FILES and delete the Acceleration Software folder.
Empty the Recycle Bin and reboot.
According to the Ewido Log, it looks like she has, or had, the Qoologic trojan.
Please get Find_qoologic.zip (by baskar1234) from:
http://home.earthlink.net/~firestrik...ndqoologic.zip
After you download it, unzip it; go to the new qoologic folder and double-click on qoologic.bat to run it. It will take a few minutes to scan the drive, so be patient. When it has finished, open My Computer, double-click on the C: drive, and copy & paste the contents of the below logs into this thread.
C:\log.txt
C:\win.txt
C:\start.txt
Join Date: Aug 2005
Posts: 6
Solved Threads: 0
I fixed the O4 entry with HJT, but I could not find any Acceleration Software on the computer. After I downloaded the program the only log with any information in it was C:\log.txt. The other two logs were just completely empty (0 KB each). Here's the log:
C:\Documents and Settings\jessica a.eisenhart\Local Settings\Temp\findqoologic
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
Files Found in all users startup Folder............
------------------------
That was it. Thanks again for your continued help.
Join Date: Jul 2004
Posts: 2,964
Solved Threads: 210
Follow the 'Cleanup' procedures in the second link below (including CCleaner) and that should do it. Are you still having any problems?
Links to help you help yourself:
Protect Your PC & Avoid Infections -- http://www.daniweb.com/techtalkforums/thread27519.html
Cleanup Procedures & Tools -- http://www.daniweb.com/techtalkforums/thread27570.html
Infection Removal & HijackThis Use -- http://www.daniweb.com/techtalkforums/thread28196.html