hijacklog... lots of junk

Go
Here and Get Trojan-Hunter Fully working trial! and run a full scan
,,,,,,,,,,,,,,,,,,,,,
To remove trojans there is a tool which needs to be downloaded and run.

1. Please download Stinger and save it to your desktop

2. Double-click on the stinger.exe file and open the tool

3. Choose your entire hard drive to scan.

4. Choose Scan Now

5. Stinger will fix anything that it finds

6. Click the File menu and select Save report to file

7. Post the log file results here in this thread.

STINGER

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
Reboot to SAFE mode to delete files
How to start computer in safe mode

Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\username\Local Settings\Temp\
Also delete your Temporary Internet Files, be sure to also select delete all offline content.

Do a virus scan Please do an online scan, 2 would be better,

Micro World http://www.mwti.net/antivirus/free_utilities.asp
Trend Micro http://housecall.trendmicro.com/housecall/start_corp.asp

Make sure that you choose "fix" or "clean".

.
,,,,,,,,,,,,,,,,,,,,,,,,,,
Download then unzip and run CWShredder to clean up clicking "FIX" to have it remove all it finds.

CWShredder available from these places :-

http://www.aluriasoftware.com/tools/cwshredder.zip
Or this as a full download without any unzipping required
http://www.downloads.subratam.org/CWShredder.exe
http://www.spywareinfo.com/downloads/tools/CWShredder.exe

We have found that some of the CWS infections can be removed better from safe mode, rather than normal mode.
To get to safe mode use the F8 key while booting the machine. Detailed instructions from :-
HERE
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
Then please do this since it’s better to use automated tools to get rid of the bad stuff use these 2 programs first before doing the final cleaning with HJT

First use Spybot S&D. (Version 1.3)
Spybot
Unzip, and update. Install the updates and run. Delete all that it marks in red.
Reboot

Then it’s time for Ad-Aware
Ad-Aware
Install and update by using the globe icon. Restart your computer and run Ad-Aware.
Press scan now and select drives and/or partitions to be scanned. When done select all and click next. Remove all checked items and then reboot your computer.

Please go to this page and read the instructions for how to configure Spybot S&D & Ad-Aware
How To Setup Spybot SD and Ad-Aware

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

Then post a HJT log as a reply to this topic.

Hey Ravengal, good to see you here again. In addition to what Caperjack suggested, I'd like you to get CounterSpy from here (for your mom's computer and your own):

http://www.download.com/3000-8022_4-10337358.html

It has a 15-day free trial which will be plenty of time to get your system cleaned up, or you can purchase it for $20 (US). After you download it, install it; when asked for a registration number, just click next.

Before scanning the first time, make the following adjustments to the settings:

CounterSpy Settings

At the very top, click on File, and then Check for updates
When it’s finished updating, click the ‘Close’ button

Under ‘Spyware Scan’ on the left, click on ‘Run a spyware scan’
In the left pane, click on ‘Scan Options’
Mark ‘Full system scan’
Check all boxes under ‘Full system scan,’ including ‘Save these options’
In the right pane, near the bottom, click ‘Manage Schedule’
On the left side, select your preferred schedule options
On the right side, under ‘Scheduled Scan Options,’ check:
‘Always run a deep scan’
‘Automatically remove spyware cookies’
Click the ‘Update Schedule’ button

At the top, click on ‘System Tools’
Double-click on ‘History Cleaner’
Check the following options (if they are not grayed-out):
‘Internet Explorer History’
‘Internet Explorer Cookies’
‘Kazaa’
‘Temporary Internet Files’
Review the list for any other ‘History’ items you wish to clean
At the bottom, click ‘Remember checked’
Click on the ‘Clean History’ button
Click the ‘Yes’ button, and then the ‘OK’ button

Click ‘Back’ at the top
Double-click ‘My PC Checkup’
Click the ‘Start’ button
In the first part of the list, uncheck everything up to any ActiveX entries; the entries you uncheck can be checked later, individually, to ensure they won’t interfere with your browsing habits (for maximum protection, however, you may leave them all checked)
Leave all ActiveX entries checked
In the second part of the list ‘(Items already changed below…),’ leave all entries checked
Click the ‘Continue’ button
Click the ‘OK’ button

At the top, click ‘Spyware Scan’
On the right side, click the ‘Scan Now’ button
This will take awhile depending on the size of your drive(s), number of files, CPU, etc. (40 minutes on my computer)
When the scan is complete, use the drop-down arrow next to each entry and select ‘Remove’ (if you see any entries that you think you may wish to keep, ‘Ignore’ them for now and post them for recommendations)
Select ‘Create restore point’ if you want CounterSpy to create a Windows XP System Restore point
At the bottom, click ‘Take Action’
Click the ‘Close’ button and exit the program

hey capper and dlh ... im sorry it took me so long to get back at you... work sucks! :P its nice to see you again dlh... i figured id get some input from you hehehe ill get everything dl'ed that you suggested and get back to you :)

holy crap i found 40 (40!!!) viruses and 3 trojans on her computer from stinger... shredder didnt find anything and that other one capper told me to dl im not sure about cuz i was tired of lookin at her computer lol but from what i saw there were at least 5 more trojans so thank you capper and i will dl that other one dlh recommended some other time... I HATE DIAL UP!!! Anyways... *drum roll* :
Logfile of HijackThis v1.99.1
Scan saved at 10:47:59 PM, on 4/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\snapple.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\obbpbjk.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\l6lofn8b.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\update.exe
C:\program files\internet explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\nt.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\hijackthis dont delete\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.IowaTelecom.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.IowaTelecom.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [73084CBA] C:\WINDOWS\System32\ktfkfswdnkxkk.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [snapple] snapple.exe
O4 - HKLM\..\Run: [WaqcA50] C:\WINDOWS\obbpbjk.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Jcdebp.exe
O4 - HKLM\..\Run: [l6lofn8b] C:\WINDOWS\System32\l6lofn8b.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [msupdate] update.exe
O4 - HKLM\..\RunServices: [DEAA00C0] C:\WINDOWS\System32\ktfkfswdnkxkk.exe
O4 - HKLM\..\RunServices: [snapple] snapple.exe
O4 - HKLM\..\RunServices: [msupdate] update.exe
O4 - HKLM\..\RunOnce: [snapple] snapple.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OLE] C:\WINDOWS\nt.exe
O4 - HKCU\..\Run: [snapple] snapple.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=0824f4a67a93ca5634671762a46ea8457eaca3bcb42569267db9b8592bf65ac13e8818875eb4bc7d30c34be2035810989f658b63:6aab353c5451c65e8dabb9ec24c7b353
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Dqgohf32.dll
O21 - SSODL: mtkle - {B09BEE4E-5594-4067-BBA1-780AD3D0911A} - C:\WINDOWS\System32\oyqe32.dll
O21 - SSODL: mtklefa - {49AE020A-98A0-4DDC-419C-F1ACD2D7ED22} - C:\WINDOWS\System32\atyjz32.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe

I wasnt able to dl some of those virus scans bc of how long it took but heres this log for now... i will finish dl'ing probably tomorrow... THANKS GUYS!!

I don't have time to do a thorough review right now (like you said, work sucks :) ), but you can start with this:

Go to Add/Remove Programs in your Control Panel and remove (if found):
istsvc
SideFind

Scan with HJT and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus8.hpwis.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll (file missing)
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll
O4 - HKLM\..\Run: [73084CBA] C:\WINDOWS\System32\ktfkfswdnkxkk.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [WaqcA50] C:\WINDOWS\obbpbjk.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Jcdebp.exe
O4 - HKLM\..\Run: [l6lofn8b] C:\WINDOWS\System32\l6lofn8b.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll (file missing)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...dabb9ec24c7b353
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.co...v45/yacscom.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yah...utocomplete.cab
O21 - SSODL: mtkle - {B09BEE4E-5594-4067-BBA1-780AD3D0911A} - C:\WINDOWS\System32\oyqe32.dll
O21 - SSODL: mtklefa - {49AE020A-98A0-4DDC-419C-F1ACD2D7ED22} - C:\WINDOWS\System32\atyjz32.dll

Remember to close all windows, other then hijackthis, before hitting the Fix button.

Go to the following locations and delete the highlighted file or folder (if found):

C:\WINDOWS\obbpbjk.exe
C:\WINDOWS\System32\Jcdebp.exe
C:\WINDOWS\System32\l6lofn8b.exe
C:\WINDOWS\System32\ktfkfswdnkxkk.exe
C:\WINDOWS\System32\update.exe
C:\WINDOWS\System32\oyqe32.dll
C:\WINDOWS\System32\atyjz32.dll
C:\Program Files\ISTsvc
C:\Program Files\SideFind

This one doesn't look good, but no time to research it now...
C:\WINDOWS\nt.exe

Reboot, close all browser windows, scan with HJT, and post a new log please.