winzlo

combo fix/internet speed monitor huge problem


WHY are you trying to use System Restore? That is not in any of the steps I have given you. Using System restore to a prior (infected) point may have just brought back all the problems we have already fixed. If anything, once we get this computer clean we will clear out all prior restore points and set a fresh new one. So please don't go trying to use System restore at this point, ok?

 

*sigh*

 

A modem is what connects your computer to the internet. PCI is not malware, so I don't know what you have done to your connection, but it probably isn't the malware problem.

 

 

Sorry, it was just because I can't access the internet all of a sudden from my computer. If I had been able to use System Restore to go back to before the internet access problem, I would have been able to re-download ComboFix. I wasn't able to go back at all, so I didn't undo anything you've had me do... I'm on my step dad's computer now... so what can I do? Did I mention that for the PCI thing it's asking me to insert a disk? Which disc should I try to insert, if any at all? Geeze, with all this stress and not knowing if my scumbag ex-boss is going to pay me or the other guy that got fired along with me over ##### and constantly getting the run-around, I feel like my head's going to pop or something :-/

 

I still have the .exe and ComboFix things on my desktop, and I still have HijackThis in there, but the way it's looking right now I won't be able to access the internet to get ComboFix :mellow: If it wasn't for your gracious help I would be cluelessly uninstalling and reinstalling Windows, as I don't have a penny (actually I have negative 600-something in the bank from my last payroll check, which bounced on me) to get a tech person out here to fix my computer :(

 

Thanks again Jane... on my way out of FAU this afternoon I stopped to help a black lady with a flat tire, who told me I wouldn't believe how many people drove right past her (for 20 minutes, in her words). Guess people like you and me are rare these days, but she and I are extremely grateful :) even if my computer is doomed? lol, even though it's not all that funny... I'll hopefully be able to check back later.


Oh yeah, the reason I mentioned the PCI thing is because when the net connection (DSL routed from the computer I'm on right now) went out, now when my computer starts up a "Found New Hardware Wizard" gives me the options for installing software for "PCI Simple Communications Controller" and asks whether the hardware came with a disk to insert... and I'm all like, what the hell are you talking about (to the computer, not you :mellow: )

 

Thanks again (see above post) and God bless.


Ok, I see now. Well, I see why you were messing with System Restore anyway. I thought you were trying to "fix the infection".

 

So you are using your step-father's computer on your DSL connection, and that is what is asking for the disk? Do you have a PCI disk that was needed when you set up your DSL? If so, go ahead and try that. If still no joy, you may need to call your DSL provider to find out what is needed to use another computer on your DSL line.


 

No, my step father's computer is working fine... I tried the DSL disk once, I'll try again. I think it's the malware that caused the whole thing. He reset the connection for me twice.... maybe I might need to uninstall and reinstall the whole DSL connection on my computer?

 

Also, when I search for network connections in range, not only is it NOT picking up my step dad's network, but it's not picking up ANY networks, and normally it would have shown 2-3 in range at the least.

 

Thanks again


OK, I tried again with the DSL disk, nothing, and I obviously can't use the web to search for the software... I can, however, search from a list or within my computer. Ideas, anyone? I'm going nuts here! Thanks again Jane.


Woo hoo! Got my internet working again... all I did was unplug and re-plug the Ethernet card... I'll be back shortly on my own computer with the ComboFix thing. Thanks again!!


ComboFix 07-12-21.4 - Owner 2007-12-21 20:12:26.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.83 [GMT -5:00]

Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

* Created a new restore point

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\absolute key logger.lnk

C:\WINDOWS\aconti.log

C:\WINDOWS\acontidialer.txt

C:\WINDOWS\default.htm

C:\WINDOWS\system32\acespy

C:\WINDOWS\system32\acespy\__acelog.ndx

C:\WINDOWS\system32\acespy\systune.exe

C:\WINDOWS\system32\aivskurq.dll

C:\WINDOWS\system32\din.ip

C:\WINDOWS\system32\stfv.bin

 

.

((((((((((((((((((((((((( Files Created from 2007-11-22 to 2007-12-22 )))))))))))))))))))))))))))))))

.

 

2007-12-19 14:37 . 2007-12-19 14:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET

2007-12-19 14:16 . 2007-12-19 14:19 15,940,096 --a------ C:\eav_nt32_enu.msi

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-11-23 02:25 --------- d-----w C:\Program Files\DivX

2007-11-15 20:01 --------- d-----w C:\Documents and Settings\Owner\Application Data\MegauploadToolbar

2007-11-14 20:06 30,728 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys

2007-11-14 20:04 27,656 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys

2007-11-14 20:03 33,800 ----a-w C:\WINDOWS\system32\drivers\eamon.sys

2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys

2007-11-13 06:12 --------- d-----w C:\Program Files\amsys(2)

2007-11-13 06:12 --------- d-----w C:\Program Files\akl(2)

2007-11-13 05:56 --------- d-----w C:\Program Files\Lavasoft

2007-11-13 05:56 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2007-11-13 05:56 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft

2007-11-11 10:19 --------- d-----w C:\Program Files\Plaxo

2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll

2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll

2007-10-20 00:56 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe

2007-10-20 00:56 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll

2007-10-20 00:56 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll

2007-10-20 00:56 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll

2007-10-20 00:56 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe

2007-10-20 00:56 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe

2007-10-20 00:56 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll

2007-10-20 00:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll

2007-10-20 00:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll

2007-10-20 00:54 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll

2007-10-20 00:54 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll

2007-10-20 00:54 739,840 ----a-w C:\WINDOWS\system32\DivX.dll

2007-10-20 00:54 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll

2007-10-18 09:06 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe

2007-10-18 09:03 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll

2007-10-18 09:03 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll

2007-10-18 09:03 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll

2007-10-18 09:03 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll

2007-10-18 09:03 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll

2007-10-18 09:03 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll

2007-10-18 09:02 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll

2006-04-22 05:15 17,765,056 ----a-w C:\Program Files\DivXBundle.exe

2006-04-22 05:06 558,749 ----a-w C:\Program Files\uTorrent-1.5-install.exe

2006-03-06 03:54 5,846,632 ----a-w C:\Program Files\winzip100.exe

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]

ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-10-03 12:56:10]

 

R1 easdrv;easdrv;C:\WINDOWS\system32\DRIVERS\easdrv.sys [2007-11-14 15:04]

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-11-14 15:06]

R2 eamon;EAMON;C:\WINDOWS\system32\DRIVERS\eamon.sys [2007-11-14 15:03]

R2 ekrn;Eset Service;"C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe" [2007-11-14 15:05]

R3 AIRPLUS;D-Link AirPlus Wireless Adapter;C:\WINDOWS\system32\DRIVERS\AIRPLUS.sys [2002-10-01 06:41]

S3 EhttpSrv;Eset HTTP Server;"C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe" [2007-11-14 15:07]

 

.

Contents of the 'Scheduled Tasks' folder

"2007-12-22 01:00:00 C:\WINDOWS\Tasks\A49B1E2293088F3E.job"

- c:\docume~1\owner\applic~1\axiswa~1\Exitsecondfilm.exe

"2007-12-21 08:00:00 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"

- C:\Program Files\AdwareAlert\AdwareAlert.exe

- C:\Program Files\AdwareAlert

.

**************************************************************************

 

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-12-21 20:17:40

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2007-12-21 20:18:49

C:\ComboFix2.txt ... 2007-12-04 00:15

C:\combofixlog.txt ... 2007-12-04 03:18

.

2007-12-12 19:48:28 --- E O F ---


OK, good, making progress.

 

Did you know you had 3 different keyloggers installed on that machine? Was this machine used at work and maybe your employer had them installed? Do you know what a keylogger is and does?

 

I'll come back to that depending on your answers, so let's proceed with the fix right now.

 

You've got the LOP parasite still (possibly), so let's run this special tool to look for and eliminate it.

 

Download deljob.bat

http://home.hetnet.nl/~stefsmeenk/deljob.bat

and save it on your desktop.

Doubleclick deljob.bat

Copy and paste the contents of the log it creates (logit.txt, present on your desktop) in your next reply.

 

I also need to see a fresh log from HijackThis please.


I tried. It was .txt format and I was getting an error saying it's not an RCF file or something like that, but I tried twice, then my net went out and I had to use System Restore to the point ComboFix created today, I guess, because all the others were gone. I guess we were doing things, since I don't know anything about any of this... so the thing worked miserably, telling me it wasn't saved as .txt when it was, when I dragged and dropped. I also re-downloaded the CFScript... I gotta go. Maybe I did something wrong in Notepad?

 

Geeze, this sucks... is it too late for this computer, Jane? If not, you should name yourself SuperJane instead of CalamityJane lol. Thanks again.


Ok. Whoa - slow down.

 

Look on your desktop and do you see a file called logit.txt? If so, just try to *attach* the file to a reply here.

 

Hit the "Add Reply" button and scroll down to the section that says *attachments* beneath the big white message box. There is a *browse* button to the right. Hit that and browse to the logit.txt file on your desktop. Highlight it and press *open*, then hit the green *upload* button. Type a short message in the white box and then hit "add reply". The file should be attached. Don't do anything else at the moment, please.


 

 

Just saw this right now. I'll try that tomorrow, I'm about to hit the bed. I'll have it done by Eastern with the new HijackThis. What I posted was a ComboFix log. I'm about to go read your reply to my problem trying to run ComboFix with the drag-and-drop of the CFScript... after you read all of this, hopefully you get back to me and tell me what to do first before I get on it tomorrow. The HijackThis I'll get you ASAP, hopefully I don't have to re-download that too... thanks again.

 

OK, just checked, no logit.txt file on my desktop :-/ so as of right now I'll do nothing but get you a new HijackThis in the morning to early afternoon, USA Eastern time. Thank you so much for your patience and help, you have no clue how much I appreciate this. Please let me know if there's anything else I should do... I already removed ComboFix; it uninstalled when I tried to run it for a third time and decided against it, so I hit 2 for abort and it removed it.... Let me know what else I should do for you in the meantime. Hopefully you get back to me so I can do more for you when I get the new HijackThis log.

 

Also, please link me to where I need to go and what I need to tell/show them about my problems with Ad-Aware.... I'm lucky when it does run, and very lucky when it finds the infections that we both know are there in massive amounts... Last time, when the count was getting high, I had to run out and told my sis fine, use it, DO NOT SHUT IT OFF. Someone in this D*mn house shut it off.... Ad-Aware had found 128 or something halfway through the full scan.... which I can bet were never removed... this is the definition of a broken home, so yeah.... and I haven't been able to get close to removing that amount of things.... It seemed that after my last scan, which found nearly nothing except like 10 critical things that I removed, I can't get Ad-Aware to really work for me :-/ I know you and I need to clear things out and then send it to wherever you told me about probably 2 weeks ago and all that. I just hope you're the SuperJane you're appearing to be ;) God bless.


winzlo,

 

I've deleted your last reply as it was sheer nonsense.

 

I don't know why you went back to ComboFix - that wasn't in my last instruction and I get the feeling you are not serious here after that last post of yours.

 

In most cases, we are able to help folks remove infection and clean their computer if they follow the steps laid out for them. In your case you are tinkering with it in between, doing things on your own, letting too much time lapse between replies, not to mention that you are letting other people use this computer throughout the whole process?

 

I don't think this is going to resolve properly with as much going on there as you have. Your best action at this point, I recommend, is to give up on trying to remotely fix this and take it down to the local repair shop and let them fix it for you.

 

This isn't an Ad-Aware problem at this point. You've gotten the machine infected and we've done our best to help you with that, but you are not following good procedure here in trying to resolve that and I feel it in your best interest to seek the help of a professional there who can sit at that machine and do what needs doing with it to get it running properly.

 

Do NOT post any more replies like that last one (now deleted) and yes, this is a warning that I will not tolerate that kind of nonsense here.


 

Wish I had the money for a repair shop. I only let my sister use my computer one time, and that was it; nobody else is allowed to help me fix it. I have a million things going on right now. I'll be right back in a little bit with the HijackThis. After posting that, I will use this computer for NOTHING but this forum and your instructions.... Sorry about the last post, but if you Google or go to YouTube you can see for yourself, and I apologize for bringing that topic up. I just really appreciate great people like you helping someone as helpless as me with this computer problem... like I said, God bless, because if it wasn't for you, on my clueless own I would have no choice but to uninstall and reinstall Windows. Thanks again, I'll be back with a HijackThis log. Now I'm going to Google Video because my uncle wanted to see a History Channel showing on Google Video; after that it's a HijackThis log for you and no more messing around on the computer, period, until we get this fixed.

 

I apologize again; you must realize I hardly know what we're doing here, but I understand a lot more after your last post. Sorry, and thanks again.


I need for you to concentrate on finishing this first if possible before you go surfing around. And try to stay up with where we are at the moment.

 

I need you to do THIS step next please.

 

Download deljob.bat

http://home.hetnet.nl/~stefsmeenk/deljob.bat

and save it on your desktop.

Doubleclick deljob.bat

Copy and paste the contents of the log it creates (logit.txt, present on your desktop) in your next reply.

 

I also need to see a fresh log from HijackThis please.


Thanks, HijackThis coming right up. The link you gave me brought me to this:

 

HTTP error 404 Not Found

The file or script you requested was not found on the web server. Check that the path in the URL is correct.

Contact the web server's administrator if the problem persists.

404 Not Found

The Web server cannot find the file or script you asked for. Please check the URL to ensure that the path is correct.

Please contact the server's administrator if this problem persists.


Here is my new HijackThis. Also, can you be more specific about the directions once you find the right link, for the one that gave me the 404 error? Because you mentioned the .txt file already on my desktop and I was a little confused. Here you go, Jane, thanks again.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:22:44 PM, on 12/23/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\internet explorer\iexplore.exe

C:\hijackthis\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - URLSearchHook: (no name) - - (no file)

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{2159AC53-6EBF-40B8-AE36-CE84ECAE6D8A}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{5A17690B-9F65-4F58-80C3-B36E93AB2BCF}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS1\Services\Tcpip\..\{2159AC53-6EBF-40B8-AE36-CE84ECAE6D8A}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

 

--

End of file - 6207 bytes

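A way to machine-check the entry types the helper reads by hand in a HijackThis log, added here as an example; it is not part of the original thread and not a HijackThis feature. It parses the `Rn`/`On` line format, collects the resolver IPs from the O17 entries and compares them with a trusted set (208.67.220.220 and 208.67.222.222 are OpenDNS, which is what the log above shows), and flags entries whose target reads `(no file)` or whose service shows `Unknown owner`. The names `parse_entries`, `resolvers_in`, `nameservers` and `triage` are this example's own. The sample lines are copied from the log above except for one constructed O17 line pointing at 192.0.2.53 (a documentation address) so the resolver check has something to catch. `Unknown owner` only means the file carries no vendor in its version information; it is a prompt to verify the binary, not a verdict, and in this log the file in question belongs to ESET.

```python
import re

# Constructed excerpt in HijackThis 2.0.2 line format. Every line is
# copied from the log above except the O17 entry for 192.0.2.53, which
# is invented (documentation address) to give the resolver check a hit.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2159AC53-6EBF-40B8-AE36-CE84ECAE6D8A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.0.2.53
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

# Resolvers this machine is expected to use; OpenDNS here, matching the log.
TRUSTED_DNS = {"208.67.222.222", "208.67.220.220"}

# "<kind> - <body>", where kind is R0..R3, F0..F3 or O1..O24.
ENTRY = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")


def parse_entries(text):
    """Yield (kind, body) for each HijackThis entry line; headers and the process list are skipped."""
    for raw in text.splitlines():
        match = ENTRY.match(raw.strip())
        if match:
            yield match.group("kind"), match.group("body")


def resolvers_in(body):
    """IPs listed after 'NameServer = ' in an O17 body (comma separated)."""
    if "NameServer = " not in body:
        return []
    value = body.split("NameServer = ", 1)[1]
    return [ip.strip() for ip in value.split(",") if ip.strip()]


def nameservers(text):
    """All resolver IPs configured anywhere in the log (global TCP/IP parameters and per-adapter keys)."""
    found = set()
    for kind, body in parse_entries(text):
        if kind == "O17":
            found.update(resolvers_in(body))
    return found


def triage(text, trusted_dns=TRUSTED_DNS):
    """Return (kind, reason, body) for entries that deserve a human look."""
    findings = []
    for kind, body in parse_entries(text):
        if body.endswith("(no file)"):
            # The registry points at something that is gone: leftover of a removed toolbar or a cleaned infection.
            findings.append((kind, "target file missing", body))
        elif kind == "O17":
            unknown = [ip for ip in resolvers_in(body) if ip not in trusted_dns]
            if unknown:
                # Swapped resolvers are how DNS-hijacking malware redirects every lookup the machine makes.
                findings.append((kind, "resolver not in trusted set: " + ", ".join(unknown), body))
        elif kind == "O23" and " - Unknown owner - " in body:
            # No vendor in the file's version info; verify the binary rather than assume malice.
            findings.append((kind, "service binary has no vendor information", body))
    return findings


if __name__ == "__main__":
    print("resolvers:", sorted(nameservers(SAMPLE_LOG)))
    for kind, reason, body in triage(SAMPLE_LOG):
        print(f"{kind}: {reason}\n    {body}")
```

Run against a saved log with `triage(open("hijackthis.log").read())`; pass a different `trusted_dns` set if the machine is supposed to use the ISP's or a corporate resolver instead of OpenDNS.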

Oops, my bad on the link.

 

Here is the right one:

 

http://home.hetnet.nl/~stefsmeenk/deljob.exe

 

Download Deljob.exe and save it on your desktop.

http://home.hetnet.nl/~stefsmeenk/deljob.exe

Doubleclick Deljob.exe.

If infected, you'll get a message that "Suspicious files" were found.

When the suspicious files look similar to B2D78CB491483981.job (random numbers and letters),

then select option 2 by typing 2 and hit enter.

 

A log, (logit.txt) should open afterwards. This log will be present on your desktop

Post the contents of the log file in your next reply, together with a new HijackThis log.

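The detection the deljob instructions above describe (a `.job` file in the Tasks folder whose name is a run of random letters and digits, launching a program out of a user-profile data folder, as `A49B1E2293088F3E.job` does in the ComboFix log earlier in this thread) can be written as two checks over the "Scheduled Tasks" section of a ComboFix log. This is an added example, not the deljob tool itself and not code from the thread; `parse_tasks` and `suspicious_tasks` are hypothetical names, and the sample text is constructed in ComboFix's layout from the two task entries in the log above plus one invented, benign `Backup.job` entry as a control case. It only reports; deljob also offers to delete what it finds.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the layout ComboFix uses for its
# "Contents of the 'Scheduled Tasks' folder" section. The first two
# entries mirror the log above; "Backup.job" is invented as a benign
# control case.
SAMPLE_TASKS = r'''
"2007-12-22 01:00:00 C:\WINDOWS\Tasks\A49B1E2293088F3E.job"
- c:\docume~1\owner\applic~1\axiswa~1\Exitsecondfilm.exe
"2007-12-21 08:00:00 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.exe
- C:\Program Files\AdwareAlert
"2007-12-20 03:00:00 C:\WINDOWS\Tasks\Backup.job"
- C:\Program Files\Backup\backup.exe
'''

# A task line: "<last run time> <full path to the .job file>" in double quotes.
JOB_LINE = re.compile(r'^"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.+\.job)"$')
# Lop-style task names: 16 hex digits and nothing else (A49B1E2293088F3E, B2D78CB491483981).
RANDOM_NAME = re.compile(r'^[0-9A-F]{16}$', re.IGNORECASE)
# Program launched from a per-user data folder (8.3 and long forms) rather
# than from Program Files or the Windows directory.
PROFILE_DATA = re.compile(r'\\(applic~1|application data|locals~1|local settings)\\', re.IGNORECASE)


def parse_tasks(section):
    """Turn the ComboFix task listing into [{'last_run', 'path', 'targets'}]."""
    tasks = []
    for raw in section.splitlines():
        line = raw.strip()
        match = JOB_LINE.match(line)
        if match:
            tasks.append({"last_run": match.group(1), "path": match.group(2), "targets": []})
        elif line.startswith("- ") and tasks:
            # The "- " lines under a task list the program (and arguments) it runs.
            tasks[-1]["targets"].append(line[2:].strip())
    return tasks


def suspicious_tasks(section):
    """Apply both checks; return the tasks that trip at least one, with the reasons."""
    findings = []
    for task in parse_tasks(section):
        job = PureWindowsPath(task["path"])
        reasons = []
        if RANDOM_NAME.match(job.stem):
            reasons.append("random 16-hex-digit job name")
        if any(PROFILE_DATA.search(target) for target in task["targets"]):
            reasons.append("runs a program from a user-profile data folder")
        if reasons:
            findings.append({"name": job.name, "targets": task["targets"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_tasks(SAMPLE_TASKS):
        print(finding["name"], "->", finding["targets"][0])
        for reason in finding["reasons"]:
            print("   ", reason)
```

The two checks are kept separate on purpose: a random hex name with a target under Program Files is worth a look but is not the Lop pattern, and a task with a readable name that launches from Application Data still is.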

Cool... guess I'll save the first one that's still on my desktop as logitfirstone.txt? Because there's already a different logit.txt on my desktop..... Thanks again, I'm getting on it :)


Sounds like you already have the file deljob.bat on your desktop?

 

If so, just run it like I instructed, and the file that it will produce is named logit.txt.

 

(You don't need to save it as anything.) The log will just be there. Open logit.txt (it should open with Notepad) and post the contents back here.


 

This is from deljob (and no, nothing came up about suspicious files :-/ ) -

 

 

12/04/2007 12:10 AM <DIR> .

12/04/2007 12:10 AM <DIR> ..

03/01/2006 10:29 PM <DIR> acccore

05/04/2006 03:48 PM <DIR> Adobe

05/03/2007 10:26 PM <DIR> AdobeUM

06/27/2007 11:37 PM <DIR> ADWARE~1 AdwareAlert

04/09/2006 11:13 AM <DIR> Aim

07/04/2006 12:43 PM <DIR> APPLEC~1 Apple Computer

05/03/2007 10:27 PM <DIR> AXISWA~1 axis wait balm

03/28/2007 12:50 PM <DIR> DivX

11/06/2006 10:45 PM <DIR> Google

03/01/2006 10:23 PM <DIR> Help

03/01/2006 09:01 PM <DIR> IDENTI~1 Identities

11/13/2007 12:56 AM <DIR> Lavasoft

06/05/2006 04:51 PM <DIR> LEADER~1 Leadertech

03/01/2006 11:00 PM <DIR> MACROM~1 Macromedia

11/15/2007 03:01 PM <DIR> MEGAUP~1 MegauploadToolbar

08/18/2006 12:43 PM <DIR> MICROS~1 Microsoft

12/02/2007 01:04 AM <DIR> Mozilla

03/02/2006 12:26 AM <DIR> MUSICM~1 Musicmatch

08/20/2006 01:10 PM <DIR> Netscape

03/04/2006 10:30 PM <DIR> Real

07/14/2006 03:34 PM <DIR> Sonic

03/07/2006 08:21 PM <DIR> Sun

11/06/2006 03:19 AM <DIR> uTorrent

08/04/2007 01:30 PM <DIR> VIEWPO~1 Viewpoint

08/21/2006 05:32 AM <DIR> yahoo!

11/22/2006 10:37 PM <DIR> ZANGOT~1 ZangoToolbar

0 File(s) 0 bytes

28 Dir(s) 8,304,766,976 bytes free

Volume in drive C has no label.

Volume Serial Number is 80ED-5021

 

Directory of C:\Documents and Settings\All Users\Application Data

 

12/19/2007 02:37 PM <DIR> .

12/19/2007 02:37 PM <DIR> ..

05/03/2007 10:26 PM <DIR> Adobe

05/03/2007 10:26 PM <DIR> Adobe(2)

08/14/2006 10:17 PM <DIR> AOL

08/04/2007 01:03 PM <DIR> AOLDOW~1 AOL Downloads

08/04/2007 01:07 PM <DIR> AOLOCP~1 AOL OCP

05/17/2006 04:20 PM <DIR> APPLEC~1 Apple Computer

09/17/2006 12:47 PM <DIR> CanonBJ

12/19/2007 02:37 PM <DIR> ESET

05/03/2007 10:27 PM <DIR> FIVEBO~1 FiveBoneBarbLink

07/24/2007 02:52 PM <DIR> Google

06/26/2007 09:38 PM <DIR> Lavasoft

03/02/2006 11:00 AM <DIR> MICROS~1 Microsoft

08/05/2007 05:36 PM <DIR> SPYBOT~1 Spybot - Search & Destroy

08/04/2007 01:05 PM <DIR> VIEWPO~1 Viewpoint

03/02/2006 12:43 AM <DIR> WINDOW~1 Windows Genuine Advantage

11/02/2006 02:00 AM <DIR> YAHOO

08/21/2006 04:16 AM <DIR> yahoo!

0 File(s) 0 bytes

19 Dir(s) 8,304,766,976 bytes free

--------------------------------------------------------

 

 

Here is my new HijackThis:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:52:18 PM, on 12/23/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\hijackthis\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - URLSearchHook: (no name) - - (no file)

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{2159AC53-6EBF-40B8-AE36-CE84ECAE6D8A}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{5A17690B-9F65-4F58-80C3-B36E93AB2BCF}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS1\Services\Tcpip\..\{2159AC53-6EBF-40B8-AE36-CE84ECAE6D8A}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

 

--

End of file - 6298 bytes

 

 

if it's any help, a few days ago when the net went out I tried Task Manager and every time I would shut down the process it would come right back, sometimes I saw 3 in there at once, the process says ekrn.exe

 

thanks again

Sounds like you already have the file deljob.bat on your desktop?

 

If so, just run like I instructed and the file that it will produce is named: logit.txt

 

(You don't need to save it as anything.) The log will just be there. Open logit.txt (it should open with Notepad) and post the contents back here.

 

I just did, along with a new HijackThis :) but I don't see it in the replies... maybe you saw what you needed and deleted it so other people don't get my computer information?

cool... guess I'll save the first one that's still on my desktop as logitfirstone.txt? because there's already a different logit.txt on my desktop..... thanks again, I'm getting on it :)

 

this is from deljob (and no, nothing came up about suspicious files :-/ ) -

 

 

12/04/2007 12:10 AM <DIR> .

12/04/2007 12:10 AM <DIR> ..

03/01/2006 10:29 PM <DIR> acccore

05/04/2006 03:48 PM <DIR> Adobe

05/03/2007 10:26 PM <DIR> AdobeUM

06/27/2007 11:37 PM <DIR> ADWARE~1 AdwareAlert

04/09/2006 11:13 AM <DIR> Aim

07/04/2006 12:43 PM <DIR> APPLEC~1 Apple Computer

05/03/2007 10:27 PM <DIR> AXISWA~1 axis wait balm

03/28/2007 12:50 PM <DIR> DivX

11/06/2006 10:45 PM <DIR> Google

03/01/2006 10:23 PM <DIR> Help

03/01/2006 09:01 PM <DIR> IDENTI~1 Identities

11/13/2007 12:56 AM <DIR> Lavasoft

06/05/2006 04:51 PM <DIR> LEADER~1 Leadertech

03/01/2006 11:00 PM <DIR> MACROM~1 Macromedia

11/15/2007 03:01 PM <DIR> MEGAUP~1 MegauploadToolbar

08/18/2006 12:43 PM <DIR> MICROS~1 Microsoft

12/02/2007 01:04 AM <DIR> Mozilla

03/02/2006 12:26 AM <DIR> MUSICM~1 Musicmatch

08/20/2006 01:10 PM <DIR> Netscape

03/04/2006 10:30 PM <DIR> Real

07/14/2006 03:34 PM <DIR> Sonic

03/07/2006 08:21 PM <DIR> Sun

11/06/2006 03:19 AM <DIR> uTorrent

08/04/2007 01:30 PM <DIR> VIEWPO~1 Viewpoint

08/21/2006 05:32 AM <DIR> yahoo!

11/22/2006 10:37 PM <DIR> ZANGOT~1 ZangoToolbar

0 File(s) 0 bytes

28 Dir(s) 8,304,766,976 bytes free

Volume in drive C has no label.

Volume Serial Number is 80ED-5021

 

Directory of C:\Documents and Settings\All Users\Application Data

 

12/19/2007 02:37 PM <DIR> .

12/19/2007 02:37 PM <DIR> ..

05/03/2007 10:26 PM <DIR> Adobe

05/03/2007 10:26 PM <DIR> Adobe(2)

08/14/2006 10:17 PM <DIR> AOL

08/04/2007 01:03 PM <DIR> AOLDOW~1 AOL Downloads

08/04/2007 01:07 PM <DIR> AOLOCP~1 AOL OCP

05/17/2006 04:20 PM <DIR> APPLEC~1 Apple Computer

09/17/2006 12:47 PM <DIR> CanonBJ

12/19/2007 02:37 PM <DIR> ESET

05/03/2007 10:27 PM <DIR> FIVEBO~1 FiveBoneBarbLink

07/24/2007 02:52 PM <DIR> Google

06/26/2007 09:38 PM <DIR> Lavasoft

03/02/2006 11:00 AM <DIR> MICROS~1 Microsoft

08/05/2007 05:36 PM <DIR> SPYBOT~1 Spybot - Search & Destroy

08/04/2007 01:05 PM <DIR> VIEWPO~1 Viewpoint

03/02/2006 12:43 AM <DIR> WINDOW~1 Windows Genuine Advantage

11/02/2006 02:00 AM <DIR> YAHOO

08/21/2006 04:16 AM <DIR> yahoo!

0 File(s) 0 bytes

19 Dir(s) 8,304,766,976 bytes free

--------------------------------------------------------

 

 

 

thinking maybe when I hit reply it never went through, here it is, I thank IE for the back button lol


it was there and now it's there twice lol sorry here it all is -

 


sorry, the deljob was copied and pasted wrong, the HijackThis should have been copied and pasted right.... here is the full one from the deljob notepad file

 

--------------------------------------------------------

File(s) moved to C:\deljob

 

A49B1E2293088F3E.job

--------------------------------------------------------

Files remaining after cleaning

 

AdwareAlert Scheduled Scan.job

--------------------------------------------------------

App data folders

 

Volume in drive C has no label.

Volume Serial Number is 80ED-5021

 

Directory of C:\Documents and Settings\Owner\Application Data

 

12/04/2007 12:10 AM <DIR> .

12/04/2007 12:10 AM <DIR> ..

03/01/2006 10:29 PM <DIR> acccore

05/04/2006 03:48 PM <DIR> Adobe

05/03/2007 10:26 PM <DIR> AdobeUM

06/27/2007 11:37 PM <DIR> ADWARE~1 AdwareAlert

04/09/2006 11:13 AM <DIR> Aim

07/04/2006 12:43 PM <DIR> APPLEC~1 Apple Computer

05/03/2007 10:27 PM <DIR> AXISWA~1 axis wait balm

03/28/2007 12:50 PM <DIR> DivX

11/06/2006 10:45 PM <DIR> Google

03/01/2006 10:23 PM <DIR> Help

03/01/2006 09:01 PM <DIR> IDENTI~1 Identities

11/13/2007 12:56 AM <DIR> Lavasoft

06/05/2006 04:51 PM <DIR> LEADER~1 Leadertech

03/01/2006 11:00 PM <DIR> MACROM~1 Macromedia

11/15/2007 03:01 PM <DIR> MEGAUP~1 MegauploadToolbar

08/18/2006 12:43 PM <DIR> MICROS~1 Microsoft

12/02/2007 01:04 AM <DIR> Mozilla

03/02/2006 12:26 AM <DIR> MUSICM~1 Musicmatch

08/20/2006 01:10 PM <DIR> Netscape

03/04/2006 10:30 PM <DIR> Real

07/14/2006 03:34 PM <DIR> Sonic

03/07/2006 08:21 PM <DIR> Sun

11/06/2006 03:19 AM <DIR> uTorrent

08/04/2007 01:30 PM <DIR> VIEWPO~1 Viewpoint

08/21/2006 05:32 AM <DIR> yahoo!

11/22/2006 10:37 PM <DIR> ZANGOT~1 ZangoToolbar

0 File(s) 0 bytes

28 Dir(s) 8,304,766,976 bytes free

Volume in drive C has no label.

Volume Serial Number is 80ED-5021

 

Directory of C:\Documents and Settings\All Users\Application Data

 

12/19/2007 02:37 PM <DIR> .

12/19/2007 02:37 PM <DIR> ..

05/03/2007 10:26 PM <DIR> Adobe

05/03/2007 10:26 PM <DIR> Adobe(2)

08/14/2006 10:17 PM <DIR> AOL

08/04/2007 01:03 PM <DIR> AOLDOW~1 AOL Downloads

08/04/2007 01:07 PM <DIR> AOLOCP~1 AOL OCP

05/17/2006 04:20 PM <DIR> APPLEC~1 Apple Computer

09/17/2006 12:47 PM <DIR> CanonBJ

12/19/2007 02:37 PM <DIR> ESET

05/03/2007 10:27 PM <DIR> FIVEBO~1 FiveBoneBarbLink

07/24/2007 02:52 PM <DIR> Google

06/26/2007 09:38 PM <DIR> Lavasoft

03/02/2006 11:00 AM <DIR> MICROS~1 Microsoft

08/05/2007 05:36 PM <DIR> SPYBOT~1 Spybot - Search & Destroy

08/04/2007 01:05 PM <DIR> VIEWPO~1 Viewpoint

03/02/2006 12:43 AM <DIR> WINDOW~1 Windows Genuine Advantage

11/02/2006 02:00 AM <DIR> YAHOO

08/21/2006 04:16 AM <DIR> yahoo!

0 File(s) 0 bytes

19 Dir(s) 8,304,766,976 bytes free

--------------------------------------------------------


crap, wasn't I supposed to attach a file??? I'm sorry Jane, I have so much crap going on right now I can't even fall asleep half the time

 

thanks again for your help and patience... I hope your Christmas is a great one
