Help - Search - Members - Calendar
Full Version: Need Help please
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
risquezebra
Aug 28 2005, 11:14 PM
Everytime I try and use adaware I get this strange msg that says the computer is going to shutdown in 60 seconds...then it says it is become done by windows\system32\services.exe or something like that...

I've ran a few other removal programs and gotten some stuff, but adaware - before it crashes finds about 27 but I can't do anything or even see what they are. I thought I had a worm (it sounded similar) so I downloaded the FixBlast from my anti-virus site but it found nothing. (even in safe mode everything finds nothing)

I also notice that when I get that shutdown msg I get a program named "Pokapoka16.exe" but I can't find it anywhere on my computer and I read where it might be on the web..but i can't get see it anywhere.

Also, after I type (here, wordperfect, etc) for about a paragraph or two suddenly it stops typing and I have to re-click the text box to begin where I left off suddenly...not sure if that means anything...but I thought I would let you know.

Here is my hijack this log.


Thank you :)


Logfile of HijackThis v1.99.1
Scan saved at 7:03:15 PM, on 8/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Spyware Nuker 2004\swn2.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\etb\pokapoka61.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\wrapper.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\jre\bin\java.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Documents and Settings\jenni\Desktop\Unused Desktop Shortcuts\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Installer] C:\WINDOWS\system32\ntdll.exe
O4 - HKLM\..\Run: [Spyware Nuker] C:\Program Files\Spyware Nuker 2004\swn2.exe /h
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Maya 6 PLE Documentation Server (mple6docserver) - Unknown owner - C:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\Wrapper.conf (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
Bobbi Flekman
Aug 29 2005, 11:28 AM
Hi risquezebra

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Next, please reboot your computer in SafeMode by doing the following:
  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  3. Instead of Windows loading as normal, a menu should appear
  4. Select the first option, to run Windows in Safe Mode.

Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Save the scan log and post it along with a new HijackThis Log.
risquezebra
Aug 30 2005, 11:39 AM
Halway through my power died so I lost half the log, sorry :) but here is what I got when I did it again...and my hijack below that.

Thanks :)

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:31:50 AM, 8/30/2005
+ Report-Checksum: 687DBCE3

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
:mozilla.24:C:\Documents and Settings\jenni\Application Data\Mozilla\Firefox\Profiles\axu0mfkd.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.26:C:\Documents and Settings\jenni\Application Data\Mozilla\Firefox\Profiles\axu0mfkd.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.27:C:\Documents and Settings\jenni\Application Data\Mozilla\Firefox\Profiles\axu0mfkd.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.28:C:\Documents and Settings\jenni\Application Data\Mozilla\Firefox\Profiles\axu0mfkd.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.29:C:\Documents and Settings\jenni\Application Data\Mozilla\Firefox\Profiles\axu0mfkd.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.30:C:\Documents and Settings\jenni\Application Data\Mozilla\Firefox\Profiles\axu0mfkd.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.37:C:\Documents and Settings\jenni\Application Data\Mozilla\Firefox\Profiles\axu0mfkd.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.38:C:\Documents and Settings\jenni\Application Data\Mozilla\Firefox\Profiles\axu0mfkd.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.39:C:\Documents and Settings\jenni\Application Data\Mozilla\Firefox\Profiles\axu0mfkd.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.59:C:\Documents and Settings\jenni\Application Data\Mozilla\Firefox\Profiles\axu0mfkd.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.60:C:\Documents and Settings\jenni\Application Data\Mozilla\Firefox\Profiles\axu0mfkd.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.114:C:\Documents and Settings\jenni\Application Data\Mozilla\Firefox\Profiles\axu0mfkd.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.115:C:\Documents and Settings\jenni\Application Data\Mozilla\Firefox\Profiles\axu0mfkd.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.116:C:\Documents and Settings\jenni\Application Data\Mozilla\Firefox\Profiles\axu0mfkd.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.117:C:\Documents and Settings\jenni\Application Data\Mozilla\Firefox\Profiles\axu0mfkd.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.118:C:\Documents and Settings\jenni\Application Data\Mozilla\Firefox\Profiles\axu0mfkd.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.119:C:\Documents and Settings\jenni\Application Data\Mozilla\Firefox\Profiles\axu0mfkd.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.193:C:\Documents and Settings\jenni\Application Data\Mozilla\Firefox\Profiles\axu0mfkd.default\cookies.txt -> Spyware.Cookie.Adbrite : Cleaned with backup
:mozilla.207:C:\Documents and Settings\jenni\Application Data\Mozilla\Firefox\Profiles\axu0mfkd.default\cookies.txt -> Spyware.Cookie.Masterstats : Cleaned with backup
:mozilla.287:C:\Documents and Settings\jenni\Application Data\Mozilla\Firefox\Profiles\axu0mfkd.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.288:C:\Documents and Settings\jenni\Application Data\Mozilla\Firefox\Profiles\axu0mfkd.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.357:C:\Documents and Settings\jenni\Application Data\Mozilla\Firefox\Profiles\axu0mfkd.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.358:C:\Documents and Settings\jenni\Application Data\Mozilla\Firefox\Profiles\axu0mfkd.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.366:C:\Documents and Settings\jenni\Application Data\Mozilla\Firefox\Profiles\axu0mfkd.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
:mozilla.367:C:\Documents and Settings\jenni\Application Data\Mozilla\Firefox\Profiles\axu0mfkd.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
:mozilla.402:C:\Documents and Settings\jenni\Application Data\Mozilla\Firefox\Profiles\axu0mfkd.default\cookies.txt -> Spyware.Cookie.Findwhat : Cleaned with backup
:mozilla.452:C:\Documents and Settings\jenni\Application Data\Mozilla\Firefox\Profiles\axu0mfkd.default\cookies.txt -> Spyware.Cookie.Spylog : Cleaned with backup
:mozilla.530:C:\Documents and Settings\jenni\Application Data\Mozilla\Firefox\Profiles\axu0mfkd.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.604:C:\Documents and Settings\jenni\Application Data\Mozilla\Firefox\Profiles\axu0mfkd.default\cookies.txt -> Spyware.Cookie.Weborama : Cleaned with backup
:mozilla.664:C:\Documents and Settings\jenni\Application Data\Mozilla\Firefox\Profiles\axu0mfkd.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
:mozilla.665:C:\Documents and Settings\jenni\Application Data\Mozilla\Firefox\Profiles\axu0mfkd.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
:mozilla.666:C:\Documents and Settings\jenni\Application Data\Mozilla\Firefox\Profiles\axu0mfkd.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
:mozilla.667:C:\Documents and Settings\jenni\Application Data\Mozilla\Firefox\Profiles\axu0mfkd.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
:mozilla.668:C:\Documents and Settings\jenni\Application Data\Mozilla\Firefox\Profiles\axu0mfkd.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
:mozilla.669:C:\Documents and Settings\jenni\Application Data\Mozilla\Firefox\Profiles\axu0mfkd.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
:mozilla.670:C:\Documents and Settings\jenni\Application Data\Mozilla\Firefox\Profiles\axu0mfkd.default\cookies.txt -> Spyware.Cookie.-- The nicest hobby on Earth ;) --counter : Cleaned with backup
:mozilla.671:C:\Documents and Settings\jenni\Application Data\Mozilla\Firefox\Profiles\axu0mfkd.default\cookies.txt -> Spyware.Cookie.-- The nicest hobby on Earth ;) --counter : Cleaned with backup
:mozilla.672:C:\Documents and Settings\jenni\Application Data\Mozilla\Firefox\Profiles\axu0mfkd.default\cookies.txt -> Spyware.Cookie.-- The nicest hobby on Earth ;) --counter : Cleaned with backup
:mozilla.673:C:\Documents and Settings\jenni\Application Data\Mozilla\Firefox\Profiles\axu0mfkd.default\cookies.txt -> Spyware.Cookie.-- The nicest hobby on Earth ;) --counter : Cleaned with backup
:mozilla.674:C:\Documents and Settings\jenni\Application Data\Mozilla\Firefox\Profiles\axu0mfkd.default\cookies.txt -> Spyware.Cookie.Cqcounter : Cleaned with backup
C:\Documents and Settings\jenni\Cookies\jenni@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\jenni\Cookies\jenni@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\jenni\Desktop\Unused Desktop Shortcuts\ColorMix.zip/ColorMix.exe -> TrojanDropper.Small.tx : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup


::Report End


_______________________

Logfile of HijackThis v1.99.1
Scan saved at 7:38:53 AM, on 8/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\wrapper.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\jre\bin\java.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\jenni\Desktop\Unused Desktop Shortcuts\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Spyware Nuker] C:\Program Files\Spyware Nuker 2004\swn2.exe /h
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Maya 6 PLE Documentation Server (mple6docserver) - Unknown owner - C:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\Wrapper.conf (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


......adaware seems to be running again, so thats good!
Bobbi Flekman
Aug 31 2005, 11:01 AM
Hi Jenni,

This looks good.

Please move HijackThis to another location, preferably c:\Program Files\HijackThis. Anywhere is fine, other than your Desktop or a Temp folder. If HijackThis is in a temporary folder you run the risk of accidentally deleting the backups or it clutters your desktop with all the backups.
If you use Windows XP it might be that you just double clicked on the file HijackThis.exe, but that only extracts the file to a temporary folder. Please select the file and Extract it to a folder.

How do you make a permanent folder:

Click "My Computer", then "C:\" and then on "Program Files".
In the menu bar, "File"->"New"->"Folder".
That will create a folder named "New Folder", which you can rename to "HJT" or "HijackThis".
Now you have "C:\Program Files\HijackThis". Put your HijackThis.exe there.

Run HijackThis, click on "Scan" and check the boxes next to all these items.

R3 - Default URLSearchHook is missing

Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked". Restart your computer and post a new log in this thread.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2009 Invision Power Services, Inc.