
About Blank problem HJT Log



Hello - and thanks in advance for reading this. I've tried several ways to rid my computer of the About Blank hijack, can't get rid of it. Here's my HJT log; I can't seem to find the files that are most commonly listed as the culprits. I've had to switch to Firefox to use the Internet without redirects, slowdowns and the $!#*!! About Blank page taunting me. Please help!!!!!! Thanks again in advance, if you can figure this out you are a genius . . .

Logfile of HijackThis v1.99.1

Scan saved at 11:39:04 PM, on 1/24/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\windows\system\hpsysdrv.exe

C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe

C:\WINDOWS\System32\hphmon05.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

C:\WINDOWS\LTMSG.exe

C:\Program Files\Multimedia Card Reader\shwicon2k.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\WINDOWS\stisvsq.exe

C:\WINDOWS\svshost.exe

C:\WINDOWS\msqdevl.exe

C:\WINDOWS\lssas.exe

C:\WINDOWS\mservice.exe

C:\WINDOWS\System32\rundll32.exe

C:\WINDOWS\iau.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Steve\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://127.0.0.1:80

F2 - REG:system.ini: UserInit=userinit.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe

O4 - HKLM\..\Run: [internet Connection Wizard] stisvsq.exe

O4 - HKLM\..\Run: [Games Acceleration] svshost.exe

O4 - HKLM\..\Run: [internet Mail and News] msqdevl.exe

O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe

O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [backupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe

O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe

O4 - HKCU\..\Run: [internet Connection Wizard] stisvsq.exe

O4 - HKCU\..\Run: [Games Acceleration] svshost.exe

O4 - HKCU\..\Run: [internet Mail and News] msqdevl.exe

O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe

O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


First of all, you will need to print out this post and/or save a copy as a text file in Notepad, so that you have a hard copy of these instructions; you cannot have IE, Firefox or any other browser open during the fix.

Please download ATF Cleaner by Atribune.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

You will need to update ewido to the latest definition files:

  • On the left hand side of the main screen click update.
  • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
  • Close Ewido

If you are having problems with the updater, you can use this link to manually update ewido.

Ewido manual updates

Please run HijackThis and click "Scan." Place checks next to the following entries:

  • R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://127.0.0.1:80
  • O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
  • O4 - HKLM\..\Run: [internet Connection Wizard] stisvsq.exe
  • O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
  • O4 - HKLM\..\Run: [internet Mail and News] msqdevl.exe
  • O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
  • O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
  • O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
  • O4 - HKCU\..\Run: [internet Connection Wizard] stisvsq.exe
  • O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
  • O4 - HKCU\..\Run: [internet Mail and News] msqdevl.exe
  • O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
  • O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe

Close all browser and other windows except for HijackThis, and click "Fix Checked".

Next, please reboot your computer in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:

http://www.pchell.com/support/safemode.shtml

Start Ewido Anti-Malware

  • Click on scanner. (Note: Do not start any programs or open any windows while Ewido is scanning)
  • Click on Complete System Scan, the scan will now begin.
  • While the scan is in progress you will be prompted to clean files, click OK.
  • When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
  • Once the scan has completed, there will be a button located at the bottom of the screen named Save Report.
  • Click Save Report.
  • Now save the report .txt file to your desktop.
  • Close Ewido

When Ewido is finished scanning, reboot back to normal mode and run this online virus scan: ActiveScan

  • Once you are on the Panda site click the Scan your PC button
  • A new window will open; click the Check Now button
    - Enter your Country
    - Enter your State/Province
    - Enter your e-mail address and click Send (NOTE: it is perfectly safe to do so; you will NOT be spammed from this)
    - Select either Home User or Company
  • Click the big Scan Now button
  • If/when you get a notice that Panda wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything is detected, click the See Report button, then Save Report and save it to a convenient location like your desktop.

Post

  • The Ewido log
  • A new HijackThis log
  • Panda scan results

in your next reply here.
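Why the checked entries above stand out, and why the files were so hard to find, can be shown by parsing the log itself. The following Python script is an added example, not part of this thread or of HijackThis: it flags a ProxyServer set to 127.0.0.1, Run-key binaries that are one letter away from a core Windows process name (lssas.exe, svshost.exe), bare file names registered in both HKLM and HKCU, and resolves each flagged name to its path in the Running processes list (C:\WINDOWS rather than System32). The embedded sample is an excerpt of the first log posted above.

```python
"""Triage a HijackThis 1.99 log for the patterns behind this thread's
about:blank hijack: a localhost ProxyServer, Run-key binaries whose names
imitate core Windows processes, and bare-filename autoruns registered in
both HKLM and HKCU.  Added example; not part of the thread or of HijackThis."""
import re
from collections import defaultdict

# Core Windows processes that malware imitates by swapping or transposing a
# letter (lssas.exe for lsass.exe, svshost.exe for svchost.exe).
CORE_PROCESSES = {"lsass.exe", "svchost.exe", "csrss.exe", "smss.exe",
                  "services.exe", "winlogon.exe", "explorer.exe"}

O4_RE = re.compile(r"O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*)")
R1_RE = re.compile(r"R1 - .*ProxyServer = (.*)")
EXE_RE = re.compile(r'"?(.*?\.exe)', re.IGNORECASE)
PATH_RE = re.compile(r"[A-Za-z]:\\")   # a "Running processes" line

def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def lookalike(name):
    """Core process name that `name` is exactly one edit away from, or None."""
    name = name.lower()
    if name in CORE_PROCESSES:
        return None
    return next((c for c in CORE_PROCESSES if osa_distance(name, c) == 1), None)

def executable_of(command):
    """File name of the executable in a Run-key command line, quoted or not."""
    m = EXE_RE.match(command.strip())
    path = m.group(1) if m else command.split()[0]
    return path.rsplit("\\", 1)[-1]

def triage(log_text):
    """Map each suspicious log line to the list of reasons it was flagged."""
    findings = defaultdict(list)
    running = {}              # file name -> full path from "Running processes"
    hives = defaultdict(set)  # executable -> Run hives it is registered under
    autoruns = []
    for line in log_text.splitlines():
        line = line.strip()
        if PATH_RE.match(line):
            running[line.rsplit("\\", 1)[-1].lower()] = line
            continue
        m = R1_RE.match(line)
        if m and "127.0.0.1" in m.group(1):
            findings[line].append("ProxyServer points at localhost: IE traffic goes through a local listener")
        m = O4_RE.match(line)
        if m:
            hive, _label, command = m.groups()
            exe = executable_of(command)
            hives[exe.lower()].add(hive)
            autoruns.append((line, exe, "\\" not in command))  # bare name => PATH lookup
    for line, exe, bare in autoruns:
        core = lookalike(exe)
        if core:
            findings[line].append(f"{exe} imitates core process {core}")
        if bare and hives[exe.lower()] == {"HKLM", "HKCU"}:
            findings[line].append(f"bare file name {exe} is registered in both HKLM and HKCU Run")
        if line in findings and exe.lower() in running:
            findings[line].append(f"resolves to {running[exe.lower()]}")
    return dict(findings)

# Excerpt of the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\svshost.exe
C:\WINDOWS\lssas.exe
C:\WINDOWS\iau.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://127.0.0.1:80
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
"""

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line, *("\n    -> " + r for r in reasons))
```

On the excerpt this flags the R1 line and the six look-alike autoruns while leaving hpsysdrv, nwiz and NVIEW alone; the "resolves to" reason is what points at C:\WINDOWS, which is where Killbox later had to delete the files from.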

Link to post
Share on other sites


jwbirdsong -

THANK YOU for your time. I will try the fix tonight and let you know how it turned out. I see a glimmer of hope!


jwbirdsong -

Here's my ewido, panda, and hijackthis reports. Looks like there might still be some bad stuff in there, but here's the good news - I tried opening Explorer several times and each time my home page stayed on track on Google!!!!!!!!!!!!!!!!!! Thank you, thank you, thank you. Am I out of the woods? Do I need to get rid of anything else? One last question, how the heck did you figure out how to do all this?

---------------------------------------------------------

ewido anti-malware - Scan report

---------------------------------------------------------

+ Created on: 9:52:26 PM, 1/25/2006

+ Report-Checksum: D813ACE0

+ Scan result:

:mozilla.6:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\gkota2n8.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup

:mozilla.7:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\gkota2n8.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup

:mozilla.8:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\gkota2n8.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup

:mozilla.9:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\gkota2n8.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup

:mozilla.10:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\gkota2n8.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup

:mozilla.13:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\gkota2n8.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup

:mozilla.18:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\gkota2n8.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup

:mozilla.27:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\gkota2n8.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup

:mozilla.28:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\gkota2n8.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup

:mozilla.29:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\gkota2n8.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup

:mozilla.30:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\gkota2n8.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup

:mozilla.31:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\gkota2n8.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup

::Report End

Incident Status Location

Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Default User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-18277250-1924dfda.zip[Dummy.class]

Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Default User\Cookies\owner@dist.belnk[2].txt

Virus:Trj/Zerolin.D Not disinfected C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\I3FV8CQB\main[1].chm[main.htm]

Spyware:Spyware/Petro-Line Not disinfected C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\IIF13938\enter[1].cab

Spyware:Spyware/Petro-Line Not disinfected C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\IIF13938\enter[1].cab[inst2.dll]

Spyware:Spyware/Petro-Line Not disinfected C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\IIF13938\enter[1].cab[inst2.inf]

Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-18277250-1924dfda.zip[Dummy.class]

Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Owner\Cookies\owner@dist.belnk[2].txt

Potentially unwanted tool:Application/HideWindow.A Not disinfected C:\hp\bin\FondleWindow.exe

Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe

Potentially unwanted tool:Application/KillApp.A Not disinfected C:\hp\bin\Terminator.exe

Adware:Adware/EasySearch Not disinfected C:\WINDOWS\csrss.dll

Possible Virus. Not disinfected C:\WINDOWS\iau.exe

Adware:Adware/EasySearch Not disinfected C:\WINDOWS\lssas.exe

Adware:Adware/EasySearch Not disinfected C:\WINDOWS\mservice.exe

Possible Virus. Not disinfected C:\WINDOWS\msiau.dll

Adware:Adware/EasySearch Not disinfected C:\WINDOWS\msqdevl.exe

Adware:Adware/EasySearch Not disinfected C:\WINDOWS\smssa.dll

Adware:Adware/EasySearch Not disinfected C:\WINDOWS\stisvsq.exe

Adware:Adware/EasySearch Not disinfected C:\WINDOWS\svshost.exe

Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-18277250-1924dfda.zip[Dummy.class]

Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\system32\config\systemprofile\Cookies\owner@dist.belnk[2].txt

Virus:Trj/Zerolin.D Not disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\I3FV8CQB\main[1].chm[main.htm]

Spyware:Spyware/Petro-Line Not disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IIF13938\enter[1].cab

Spyware:Spyware/Petro-Line Not disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IIF13938\enter[1].cab[inst2.dll]

Spyware:Spyware/Petro-Line Not disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IIF13938\enter[1].cab[inst2.inf]

Adware:Adware/EasySearch Not disinfected C:\WINDOWS\taskmgr.dll

Adware:Adware/EasySearch Not disinfected C:\WINDOWS\uvchost.dll

Adware:Adware/EasySearch Not disinfected C:\WINDOWS\winlogon.dll

Logfile of HijackThis v1.99.1

Scan saved at 10:27:59 PM, on 1/25/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\windows\system\hpsysdrv.exe

C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe

C:\WINDOWS\System32\hphmon05.exe

C:\HP\KBD\KBD.EXE

C:\WINDOWS\LTMSG.exe

C:\Program Files\Multimedia Card Reader\shwicon2k.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Steve\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [backupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Thank you again for your expertise and time!


Download KillBox http://www.downloads.subratam.org/KillBox.zip.

Place it in a folder on your Desktop.

Help with unzipping files is HERE

In the main screen of Pocket KillBox, go to Tools in the top menu bar, and select: Delete Temp Files. Use the drop-down box and clear ALL profiles this way.

Back at the main Killbox screen check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Left-click and drag the mouse over all the files listed in the quote box below. Right-click and copy them (or use Select All). Go back to KillBox. Go to File -> Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and, when asked if you want to reboot, say Yes:

C:\WINDOWS\winlogon.dll

C:\WINDOWS\uvchost.dll

C:\WINDOWS\taskmgr.dll

C:\WINDOWS\svshost.exe

C:\WINDOWS\stisvsq.exe

C:\WINDOWS\smssa.dll

C:\WINDOWS\msqdevl.exe

C:\WINDOWS\msiau.dll

C:\WINDOWS\mservice.exe

C:\WINDOWS\lssas.exe

C:\WINDOWS\iau.exe

C:\WINDOWS\csrss.dll

If you get a PendingOperations message, ignore/close it and restart your computer manually.

After a reboot, post a final HijackThis log (and run Panda again IF you wish) here along with any comments on how it's running.

If you are going to do another Panda scan you may wish to delete the C:\!killbox folder first; that means fewer detections for it to go through (the folder holds a backup of everything deleted with Killbox).


jwbirdsong -

Thanks again for all the info. I ran Killbox as requested. Here's my post-Killbox HijackThis log:

Logfile of HijackThis v1.99.1

Scan saved at 10:33:55 PM, on 1/28/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\windows\system\hpsysdrv.exe

C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\WINDOWS\System32\hphmon05.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

C:\WINDOWS\LTMSG.exe

C:\Program Files\Multimedia Card Reader\shwicon2k.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Steve\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [backupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

My computer is running just fine - thanks to YOU!!!!!!!

Assuming the above HijackThis log looks O.K., it appears that the problem is solved. Thank you so much for your time!


Congratulations, your log is clean.

First, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.
   • On the Desktop, right-click My Computer.
   • Click Properties.
   • Click the System Restore tab.
   • Check Turn off System Restore.
   • Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
   • On the Desktop, right-click My Computer.
   • Click Properties.
   • Click the System Restore tab.
   • UN-Check Turn off System Restore.
   • Click Apply, and then click OK.

System Restore will now be active again.

To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard and IE/Spyad.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It is free.

More info and downloads are available at the link in my signature.

Make SURE to read How Did I Get Infected in the First Place??

