Pulsar

"topotun.com" Won't Let Me Go


Hello Forum,

 

I've got a browser hijacker that has been resistant to the normal fix procedures (unless I'm forgetting something that's pretty basic). Here are my HJT log and my start-up list---have at 'em!

 

Thanks a lot,

 

Pulsar

 

Logfile of HijackThis v1.97.7

Scan saved at 11:43:03 AM, on 6/12/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINNT\Explorer.EXE

C:\WINNT\System32\atiptaxx.exe

C:\WINNT\System32\SK9910DM.EXE

C:\WINNT\GWMDMMSG.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINNT\System32\devldr32.exe

C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

C:\WINNT\Cyb2k.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINNT\Sys32Smm.exe

C:\Program Files\Washer\washer.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe

C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

C:\WINNT\System32\Ati2evxx.exe

C:\WINNT\System32\CTsvcCDA.exe

C:\PROGRA~1\Iomega\System32\ActivityDisk.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\ZoneLabs\vsmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Documents and Settings\Home\Desktop\Ed\anti-hijacking programs\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://topotun.com/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://topotun.com/index.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://topotun.com/index.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://topotun.com/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://topotun.com/index.htm

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank

O2 - BHO: (no name) - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\ycomp5_0_8_6.dll

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {2F2FBF0D-254F-11D5-B1E5-0050DAD7AF62} - C:\PROGRA~1\ANONYM~1\ANONYM~1.DLL

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRA~1\PopUpCop\PopUpCop.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_0_8_6.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"

O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

O4 - HKLM\..\Run: [iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe

O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

O4 - HKLM\..\Run: [C2K] C:\WINNT\Cyb2k.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spyProtection] C:\Program Files\Webroot\Spy Protection\SpyProtection.exe /0

O4 - HKCU\..\Run: [MutexServiceEx] Sys32Smm.exe /run

O4 - HKCU\..\Run: [PicoZip] C:\PROGRA~1\PicoZip\PicoZipTray.exe

O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0

O4 - HKCU\..\Run: [msmc] C:\WINNT\System32\msmc.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = ?

O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE

O4 - Global Startup: winlgn.exe

O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000

O8 - Extra context menu item: Open Image in New Window - res://C:\Program Files\PopUpCop\popupcop.dll/imagenew

O9 - Extra button: Yahoo! Login (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)

O9 - Extra button: Anonymizer (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud14.sports.sc5.yahoo.com/java/y/nflgcst1010_x.cab

O16 - DPF: Yahoo! NFL StatTracker - http://aud10.sports.yahoo.com/java/y/nflst8252_x.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe

O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB

O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/PEInstaller.exe

O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB

O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7732.9287268519

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

 

 

StartupList report, 6/12/2004, 3:49:11 PM

StartupList version: 1.52

Started from : C:\Documents and Settings\Home\Desktop\Ed\anti-hijacking programs\HijackThis.EXE

Detected: Windows XP (WinNT 5.01.2600)

Detected: Internet Explorer v6.00 (6.00.2600.0000)

* Using default options

==================================================

 

Running processes:

 

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINNT\Explorer.EXE

C:\WINNT\System32\atiptaxx.exe

C:\WINNT\System32\SK9910DM.EXE

C:\WINNT\System32\devldr32.exe

C:\WINNT\GWMDMMSG.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

C:\WINNT\Cyb2k.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINNT\Sys32Smm.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe

C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

C:\WINNT\System32\Ati2evxx.exe

C:\WINNT\System32\CTsvcCDA.exe

C:\PROGRA~1\Iomega\System32\ActivityDisk.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\ZoneLabs\vsmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINNT\System32\wuauclt.exe

C:\Documents and Settings\Home\Desktop\Ed\anti-hijacking programs\HijackThis.exe

C:\WINNT\notepad.exe

 

--------------------------------------------------

 

Listing of startup folders:

 

Shell folders Common Startup:

[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]

Adobe Gamma Loader.lnk = ?

Billminder.lnk = C:\Program Files\Quicken\billmind.exe

QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE

winlgn.exe

ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

 

--------------------------------------------------

 

Checking Windows NT UserInit:

 

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINNT\system32\userinit.exe,

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

ATIModeChange = Ati2mdxx.exe

AtiPTA = atiptaxx.exe

Hot Key Kbd 9910 Daemon = SK9910DM.EXE

GWMDMMSG = GWMDMMSG.exe

Keyboard Preload Check = C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"

GWMDMpi = C:\WINNT\GWMDMpi.exe

AdaptecDirectCD = C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

Iomega Startup Options = C:\Program Files\Iomega\Common\ImgStart.exe

Iomega Drive Icons = C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

C2K = C:\WINNT\Cyb2k.exe

ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

MediaFace Integration = C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe

iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe

QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime

TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

 

washindex = C:\Program Files\Washer\washidx.exe "Home"

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

 

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

SpyProtection = C:\Program Files\Webroot\Spy Protection\SpyProtection.exe /0

MutexServiceEx = Sys32Smm.exe /run

PicoZip = C:\PROGRA~1\PicoZip\PicoZipTray.exe

msmc = C:\WINNT\System32\msmc.exe

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

 

washindex = C:\Program Files\Washer\washidx.exe

 

--------------------------------------------------

 

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

 

Shell=*INI section not found*

SCRNSAVE.EXE=*INI section not found*

drivers=*INI section not found*

 

Shell & screensaver key from Registry:

 

Shell=Explorer.exe

SCRNSAVE.EXE=C:\WINNT\System32\ssstars.scr

drivers=*Registry value not found*

 

Policies Shell key:

 

HKCU\..\Policies: Shell=*Registry key not found*

HKLM\..\Policies: Shell=*Registry value not found*

 

--------------------------------------------------

 

 

Enumerating Browser Helper Objects:

 

(no name) - C:\Program Files\Yahoo!\common\ycomp5_0_8_6.dll - {02478D28-C3F9-4efb-9B51-7695ECA05670}

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

(no name) - C:\PROGRA~1\ANONYM~1\ANONYM~1.DLL - {2F2FBF0D-254F-11D5-B1E5-0050DAD7AF62}

NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

 

--------------------------------------------------

 

Enumerating Task Scheduler jobs:

 

ISP signup reminder 1.job

ISP signup reminder 3.job

Symantec NetDetect.job

 

--------------------------------------------------

 

Enumerating Download Program Files:

 

[YInstStarter Class]

InProcServer32 = C:\Program Files\Yahoo!\common\yinsthelper.dll

CODEBASE = C:\Program Files\Yahoo!\common\yinsthelper.dll

 

[{41F17733-B041-4099-A042-B518BB6A408C}]

CODEBASE = http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe

 

[RunExeActiveX.RunExe]

InProcServer32 = C:\WINNT\Downloaded Program Files\RunExeActiveX.ocx

CODEBASE = hcp://system/RunExeActiveX.CAB

 

[{78A730D4-0DF3-4B65-8DD2-BFCD433CEE30}]

CODEBASE = http://www.surfsecret.com/inst/PEInstaller.exe

 

[startFirstControl.CheckFirst]

InProcServer32 = C:\WINNT\Downloaded Program Files\StartFirstControl.ocx

CODEBASE = hcp://system/StartFirstControl.CAB

 

[RegConfig Class]

InProcServer32 = C:\WINNT\Downloaded Program Files\yregcfg.dll

CODEBASE = http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab

 

[update Class]

InProcServer32 = C:\WINNT\System32\iuctl.dll

CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...7732.9287268519

 

[shockwave Flash Object]

InProcServer32 = C:\WINNT\System32\Macromed\Flash\FLASH.OCX

CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

[iTunesDetector Class]

InProcServer32 = C:\Program Files\iTunes\ITDetector.ocx

CODEBASE = http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

 

--------------------------------------------------

 

Enumerating Winsock LSP files:

 

Protocol #1: C:\WINNT\System32\lspcs.dll

Protocol #2: C:\WINNT\System32\lspcs.dll

Protocol #3: C:\WINNT\System32\lspcs.dll

Protocol #4: C:\WINNT\System32\lspcs.dll

Protocol #5: C:\WINNT\System32\lspcs.dll

Protocol #6: C:\WINNT\System32\lspcs.dll

Protocol #7: C:\WINNT\System32\lspcs.dll

Protocol #8: C:\WINNT\System32\lspcs.dll

Protocol #9: C:\WINNT\System32\lspcs.dll

Protocol #10: C:\WINNT\System32\lspcs.dll

Protocol #11: C:\WINNT\System32\lspcs.dll

Protocol #12: C:\WINNT\System32\lspcs.dll

Protocol #13: C:\WINNT\System32\lspcs.dll

Protocol #14: C:\WINNT\System32\lspcs.dll

Protocol #15: C:\WINNT\System32\lspcs.dll

Protocol #16: C:\WINNT\System32\lspcs.dll

Protocol #17: C:\WINNT\System32\lspcs.dll

Protocol #18: C:\WINNT\System32\lspcs.dll

Protocol #19: C:\WINNT\System32\lspcs.dll

Protocol #39: C:\WINNT\System32\lspcs.dll

 

--------------------------------------------------

 

Enumerating ShellServiceObjectDelayLoad items:

 

PostBootReminder: C:\WINNT\system32\SHELL32.dll

CDBurn: C:\WINNT\system32\SHELL32.dll

WebCheck: C:\WINNT\System32\webcheck.dll

SysTray: C:\WINNT\System32\stobject.dll

 

--------------------------------------------------

End of report, 9,036 bytes

Report generated in 0.090 seconds

 

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only


Download and run CWShredder from my signature by clicking the fix button.

 

Reboot, rescan with HJT and post a fresh log here.


Dolphins,

 

Here are the fresh logs per your request---thanks for the timely response. The CWS report said that 5 registry entries were fixed, but as you can see, the problem still exists. Incidentally, I noticed that during my machine's shutdown, I got a message that a program called "Win Min" was ending with a status bar. When the bar finished running, I got another message saying that "Win Min" was not responding---I had to click an "End Now" button to complete the shutdown phase of the reboot. Does this mean anything to you?

 

Thanks again!

 

Pulsar

 

Logfile of HijackThis v1.97.7

Scan saved at 6:07:06 PM, on 6/12/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINNT\Explorer.EXE

C:\WINNT\System32\atiptaxx.exe

C:\WINNT\System32\SK9910DM.EXE

C:\WINNT\GWMDMMSG.exe

C:\WINNT\System32\devldr32.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

C:\WINNT\Cyb2k.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINNT\Sys32Smm.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe

C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

C:\WINNT\System32\Ati2evxx.exe

C:\WINNT\System32\CTsvcCDA.exe

C:\PROGRA~1\Iomega\System32\ActivityDisk.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\ZoneLabs\vsmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Documents and Settings\Home\Desktop\Ed\anti-hijacking programs\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://topotun.com/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://topotun.com/index.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://topotun.com/index.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://topotun.com/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://topotun.com/index.htm

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank

O2 - BHO: (no name) - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\ycomp5_0_8_6.dll

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {2F2FBF0D-254F-11D5-B1E5-0050DAD7AF62} - C:\PROGRA~1\ANONYM~1\ANONYM~1.DLL

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRA~1\PopUpCop\PopUpCop.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_0_8_6.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"

O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

O4 - HKLM\..\Run: [iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe

O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

O4 - HKLM\..\Run: [C2K] C:\WINNT\Cyb2k.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spyProtection] C:\Program Files\Webroot\Spy Protection\SpyProtection.exe /0

O4 - HKCU\..\Run: [MutexServiceEx] Sys32Smm.exe /run

O4 - HKCU\..\Run: [PicoZip] C:\PROGRA~1\PicoZip\PicoZipTray.exe

O4 - HKCU\..\Run: [msmc] C:\WINNT\System32\msmc.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = ?

O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE

O4 - Global Startup: winlgn.exe

O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000

O8 - Extra context menu item: Open Image in New Window - res://C:\Program Files\PopUpCop\popupcop.dll/imagenew

O9 - Extra button: Yahoo! Login (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)

O9 - Extra button: Anonymizer (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud14.sports.sc5.yahoo.com/java/y/nflgcst1010_x.cab

O16 - DPF: Yahoo! NFL StatTracker - http://aud10.sports.yahoo.com/java/y/nflst8252_x.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe

O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB

O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/PEInstaller.exe

O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB

O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7732.9287268519

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

 

 

StartupList report, 6/12/2004, 6:07:26 PM

StartupList version: 1.52

Started from : C:\Documents and Settings\Home\Desktop\Ed\anti-hijacking programs\HijackThis.EXE

Detected: Windows XP (WinNT 5.01.2600)

Detected: Internet Explorer v6.00 (6.00.2600.0000)

* Using default options

==================================================

 

Running processes:

 

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINNT\Explorer.EXE

C:\WINNT\System32\atiptaxx.exe

C:\WINNT\System32\SK9910DM.EXE

C:\WINNT\GWMDMMSG.exe

C:\WINNT\System32\devldr32.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

C:\WINNT\Cyb2k.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINNT\Sys32Smm.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe

C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

C:\WINNT\System32\Ati2evxx.exe

C:\WINNT\System32\CTsvcCDA.exe

C:\PROGRA~1\Iomega\System32\ActivityDisk.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\ZoneLabs\vsmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Documents and Settings\Home\Desktop\Ed\anti-hijacking programs\HijackThis.exe

C:\WINNT\notepad.exe

 

--------------------------------------------------

 

Listing of startup folders:

 

Shell folders Common Startup:

[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]

Adobe Gamma Loader.lnk = ?

Billminder.lnk = C:\Program Files\Quicken\billmind.exe

QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE

winlgn.exe

ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

 

--------------------------------------------------

 

Checking Windows NT UserInit:

 

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINNT\system32\userinit.exe,

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

ATIModeChange = Ati2mdxx.exe

AtiPTA = atiptaxx.exe

Hot Key Kbd 9910 Daemon = SK9910DM.EXE

GWMDMMSG = GWMDMMSG.exe

Keyboard Preload Check = C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"

GWMDMpi = C:\WINNT\GWMDMpi.exe

AdaptecDirectCD = C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

Iomega Startup Options = C:\Program Files\Iomega\Common\ImgStart.exe

Iomega Drive Icons = C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

C2K = C:\WINNT\Cyb2k.exe

ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

MediaFace Integration = C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe

iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe

QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime

TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

 

washindex = C:\Program Files\Washer\washidx.exe "Home"

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

 

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

SpyProtection = C:\Program Files\Webroot\Spy Protection\SpyProtection.exe /0

MutexServiceEx = Sys32Smm.exe /run

PicoZip = C:\PROGRA~1\PicoZip\PicoZipTray.exe

msmc = C:\WINNT\System32\msmc.exe

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

 

washindex = C:\Program Files\Washer\washidx.exe

 

--------------------------------------------------

 

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

 

Shell=*INI section not found*

SCRNSAVE.EXE=*INI section not found*

drivers=*INI section not found*

 

Shell & screensaver key from Registry:

 

Shell=Explorer.exe

SCRNSAVE.EXE=C:\WINNT\System32\ssstars.scr

drivers=*Registry value not found*

 

Policies Shell key:

 

HKCU\..\Policies: Shell=*Registry key not found*

HKLM\..\Policies: Shell=*Registry value not found*

 

--------------------------------------------------

 

 

Enumerating Browser Helper Objects:

 

(no name) - C:\Program Files\Yahoo!\common\ycomp5_0_8_6.dll - {02478D28-C3F9-4efb-9B51-7695ECA05670}

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

(no name) - C:\PROGRA~1\ANONYM~1\ANONYM~1.DLL - {2F2FBF0D-254F-11D5-B1E5-0050DAD7AF62}

NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

 

--------------------------------------------------

 

Enumerating Task Scheduler jobs:

 

ISP signup reminder 1.job

ISP signup reminder 3.job

Symantec NetDetect.job

 

--------------------------------------------------

 

Enumerating Download Program Files:

 

[YInstStarter Class]

InProcServer32 = C:\Program Files\Yahoo!\common\yinsthelper.dll

CODEBASE = C:\Program Files\Yahoo!\common\yinsthelper.dll

 

[{41F17733-B041-4099-A042-B518BB6A408C}]

CODEBASE = http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe

 

[RunExeActiveX.RunExe]

InProcServer32 = C:\WINNT\Downloaded Program Files\RunExeActiveX.ocx

CODEBASE = hcp://system/RunExeActiveX.CAB

 

[{78A730D4-0DF3-4B65-8DD2-BFCD433CEE30}]

CODEBASE = http://www.surfsecret.com/inst/PEInstaller.exe

 

[startFirstControl.CheckFirst]

InProcServer32 = C:\WINNT\Downloaded Program Files\StartFirstControl.ocx

CODEBASE = hcp://system/StartFirstControl.CAB

 

[RegConfig Class]

InProcServer32 = C:\WINNT\Downloaded Program Files\yregcfg.dll

CODEBASE = http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab

 

[update Class]

InProcServer32 = C:\WINNT\System32\iuctl.dll

CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...7732.9287268519

 

[shockwave Flash Object]

InProcServer32 = C:\WINNT\System32\Macromed\Flash\FLASH.OCX

CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

[iTunesDetector Class]

InProcServer32 = C:\Program Files\iTunes\ITDetector.ocx

CODEBASE = http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

 

--------------------------------------------------

 

Enumerating Winsock LSP files:

 

Protocol #1: C:\WINNT\System32\lspcs.dll

Protocol #2: C:\WINNT\System32\lspcs.dll

Protocol #3: C:\WINNT\System32\lspcs.dll

Protocol #4: C:\WINNT\System32\lspcs.dll

Protocol #5: C:\WINNT\System32\lspcs.dll

Protocol #6: C:\WINNT\System32\lspcs.dll

Protocol #7: C:\WINNT\System32\lspcs.dll

Protocol #8: C:\WINNT\System32\lspcs.dll

Protocol #9: C:\WINNT\System32\lspcs.dll

Protocol #10: C:\WINNT\System32\lspcs.dll

Protocol #11: C:\WINNT\System32\lspcs.dll

Protocol #12: C:\WINNT\System32\lspcs.dll

Protocol #13: C:\WINNT\System32\lspcs.dll

Protocol #14: C:\WINNT\System32\lspcs.dll

Protocol #15: C:\WINNT\System32\lspcs.dll

Protocol #16: C:\WINNT\System32\lspcs.dll

Protocol #17: C:\WINNT\System32\lspcs.dll

Protocol #18: C:\WINNT\System32\lspcs.dll

Protocol #19: C:\WINNT\System32\lspcs.dll

Protocol #39: C:\WINNT\System32\lspcs.dll

 

--------------------------------------------------

 

Enumerating ShellServiceObjectDelayLoad items:

 

PostBootReminder: C:\WINNT\system32\SHELL32.dll

CDBurn: C:\WINNT\system32\SHELL32.dll

WebCheck: C:\WINNT\System32\webcheck.dll

SysTray: C:\WINNT\System32\stobject.dll

 

--------------------------------------------------

End of report, 9,005 bytes

Report generated in 0.100 seconds

 

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only


Yes, unfortunately "Win Min" does mean something among the other problems you have here.

 

So let's start by updating all Windows patches from HERE, then disable System Restore, then run an AV Online Scan and an Online Trojan Scan, and remove what they find.

 

Next, check the following in HJT with all windows closed and remove them:

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://topotun.com/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://topotun.com/index.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://topotun.com/index.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://topotun.com/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://topotun.com/index.htm

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank

 

O4 - HKCU\..\Run: [MutexServiceEx] Sys32Smm.exe /run

O4 - HKCU\..\Run: [msmc] C:\WINNT\System32\msmc.exe

O4 - Global Startup: winlgn.exe

 

O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB

 

Show hidden files, boot into Safe Mode, navigate to the following files and delete them:

 

C:\WINNT\System32\msmc.exe

C:\WINNT\Sys32Smm.exe

 

Boot to normal mode, re-enable System Restore, rescan with HJT and post a new log here.


Dolphins,

 

Tried to execute your instructions, but I was met by stiff resistance---please note:

 

1. For some reason, I couldn't download any Windows patches. Every time I clicked the "Update" button, the same "Download Updates" page kept reappearing with no evidence that I had downloaded anything.

 

2. The AV Online Scan found 9 un-repairable files that I was able to fix (delete).

 

3. The Online Trojan Scan revealed the following once my firewall was disabled:

 

Service    Ports    Status    Possible Trojans

Trojan     5000     OPEN      Bubbel, Back Door Setup, Sockets de Troire

 

However, the site gave no instructions for addressing this find.

 

4. The HJT scan couldn't delete "O4 - Global Startup: winlgn.exe". A message said to shut the program down by using the Task Manager, and then use HJT to delete the file. Before I comply with this instruction, I want to bounce it off of you to make sure that this is the right thing to do.

 

Here are the latest logs-----where do we go from here?

 

Pulsar

 

 

Logfile of HijackThis v1.97.7

Scan saved at 2:16:32 AM, on 6/13/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINNT\Explorer.EXE

C:\WINNT\System32\atiptaxx.exe

C:\WINNT\System32\SK9910DM.EXE

C:\WINNT\GWMDMMSG.exe

C:\WINNT\System32\devldr32.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

C:\WINNT\Cyb2k.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe

C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

C:\WINNT\System32\Ati2evxx.exe

C:\WINNT\System32\CTsvcCDA.exe

C:\PROGRA~1\Iomega\System32\ActivityDisk.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\ZoneLabs\vsmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINNT\System32\wuauclt.exe

C:\Documents and Settings\Home\Desktop\Ed\anti-hijacking programs\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://topotun.com/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://topotun.com/index.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://topotun.com/index.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://topotun.com/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://topotun.com/index.htm

O2 - BHO: (no name) - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\ycomp5_0_8_6.dll

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {2F2FBF0D-254F-11D5-B1E5-0050DAD7AF62} - C:\PROGRA~1\ANONYM~1\ANONYM~1.DLL

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRA~1\PopUpCop\PopUpCop.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_0_8_6.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"

O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

O4 - HKLM\..\Run: [iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe

O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

O4 - HKLM\..\Run: [C2K] C:\WINNT\Cyb2k.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spyProtection] C:\Program Files\Webroot\Spy Protection\SpyProtection.exe /0

O4 - HKCU\..\Run: [PicoZip] C:\PROGRA~1\PicoZip\PicoZipTray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = ?

O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE

O4 - Global Startup: winlgn.exe

O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000

O8 - Extra context menu item: Open Image in New Window - res://C:\Program Files\PopUpCop\popupcop.dll/imagenew

O9 - Extra button: Yahoo! Login (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)

O9 - Extra button: Anonymizer (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud14.sports.sc5.yahoo.com/java/y/nflgcst1010_x.cab

O16 - DPF: Yahoo! NFL StatTracker - http://aud10.sports.yahoo.com/java/y/nflst8252_x.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/PEInstaller.exe

O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB

O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7732.9287268519

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{E180430C-38A8-47DA-9DBE-176BFF169CDE}: NameServer = 206.13.29.12 206.13.30.12

 

 

StartupList report, 6/13/2004, 2:16:41 AM

StartupList version: 1.52

Started from : C:\Documents and Settings\Home\Desktop\Ed\anti-hijacking programs\HijackThis.EXE

Detected: Windows XP (WinNT 5.01.2600)

Detected: Internet Explorer v6.00 (6.00.2600.0000)

* Using default options

==================================================

 

Running processes:

 

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINNT\Explorer.EXE

C:\WINNT\System32\atiptaxx.exe

C:\WINNT\System32\SK9910DM.EXE

C:\WINNT\GWMDMMSG.exe

C:\WINNT\System32\devldr32.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

C:\WINNT\Cyb2k.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe

C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

C:\WINNT\System32\Ati2evxx.exe

C:\WINNT\System32\CTsvcCDA.exe

C:\PROGRA~1\Iomega\System32\ActivityDisk.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\ZoneLabs\vsmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINNT\System32\wuauclt.exe

C:\Documents and Settings\Home\Desktop\Ed\anti-hijacking programs\HijackThis.exe

C:\WINNT\notepad.exe

 

--------------------------------------------------

 

Listing of startup folders:

 

Shell folders Common Startup:

[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]

Adobe Gamma Loader.lnk = ?

Billminder.lnk = C:\Program Files\Quicken\billmind.exe

QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE

winlgn.exe

ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

 

--------------------------------------------------

 

Checking Windows NT UserInit:

 

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINNT\system32\userinit.exe,

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

ATIModeChange = Ati2mdxx.exe

AtiPTA = atiptaxx.exe

Hot Key Kbd 9910 Daemon = SK9910DM.EXE

GWMDMMSG = GWMDMMSG.exe

Keyboard Preload Check = C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"

GWMDMpi = C:\WINNT\GWMDMpi.exe

AdaptecDirectCD = C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

Iomega Startup Options = C:\Program Files\Iomega\Common\ImgStart.exe

Iomega Drive Icons = C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

C2K = C:\WINNT\Cyb2k.exe

ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

MediaFace Integration = C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe

iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe

QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime

TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

 

washindex = C:\Program Files\Washer\washidx.exe "Home"

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

 

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

SpyProtection = C:\Program Files\Webroot\Spy Protection\SpyProtection.exe /0

PicoZip = C:\PROGRA~1\PicoZip\PicoZipTray.exe

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

 

washindex = C:\Program Files\Washer\washidx.exe

 

--------------------------------------------------

 

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

 

Shell=*INI section not found*

SCRNSAVE.EXE=*INI section not found*

drivers=*INI section not found*

 

Shell & screensaver key from Registry:

 

Shell=Explorer.exe

SCRNSAVE.EXE=C:\WINNT\System32\ssstars.scr

drivers=*Registry value not found*

 

Policies Shell key:

 

HKCU\..\Policies: Shell=*Registry key not found*

HKLM\..\Policies: Shell=*Registry value not found*

 

--------------------------------------------------

 

 

Enumerating Browser Helper Objects:

 

(no name) - C:\Program Files\Yahoo!\common\ycomp5_0_8_6.dll - {02478D28-C3F9-4efb-9B51-7695ECA05670}

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

(no name) - C:\PROGRA~1\ANONYM~1\ANONYM~1.DLL - {2F2FBF0D-254F-11D5-B1E5-0050DAD7AF62}

NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

 

--------------------------------------------------

 

Enumerating Task Scheduler jobs:

 

ISP signup reminder 1.job

ISP signup reminder 3.job

Symantec NetDetect.job

 

--------------------------------------------------

 

Enumerating Download Program Files:

 

[YInstStarter Class]

InProcServer32 = C:\Program Files\Yahoo!\common\yinsthelper.dll

CODEBASE = C:\Program Files\Yahoo!\common\yinsthelper.dll

 

[{41F17733-B041-4099-A042-B518BB6A408C}]

CODEBASE = http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe

 

[HouseCall Control]

InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx

CODEBASE = http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

 

[{78A730D4-0DF3-4B65-8DD2-BFCD433CEE30}]

CODEBASE = http://www.surfsecret.com/inst/PEInstaller.exe

 

[startFirstControl.CheckFirst]

InProcServer32 = C:\WINNT\Downloaded Program Files\StartFirstControl.ocx

CODEBASE = hcp://system/StartFirstControl.CAB

 

[RegConfig Class]

InProcServer32 = C:\WINNT\Downloaded Program Files\yregcfg.dll

CODEBASE = http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab

 

[update Class]

InProcServer32 = C:\WINNT\System32\iuctl.dll

CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...7732.9287268519

 

[shockwave Flash Object]

InProcServer32 = C:\WINNT\System32\Macromed\Flash\FLASH.OCX

CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

[iTunesDetector Class]

InProcServer32 = C:\Program Files\iTunes\ITDetector.ocx

CODEBASE = http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

 

--------------------------------------------------

 

Enumerating Winsock LSP files:

 

Protocol #1: C:\WINNT\System32\lspcs.dll

Protocol #2: C:\WINNT\System32\lspcs.dll

Protocol #3: C:\WINNT\System32\lspcs.dll

Protocol #4: C:\WINNT\System32\lspcs.dll

Protocol #5: C:\WINNT\System32\lspcs.dll

Protocol #6: C:\WINNT\System32\lspcs.dll

Protocol #7: C:\WINNT\System32\lspcs.dll

Protocol #8: C:\WINNT\System32\lspcs.dll

Protocol #9: C:\WINNT\System32\lspcs.dll

Protocol #10: C:\WINNT\System32\lspcs.dll

Protocol #11: C:\WINNT\System32\lspcs.dll

Protocol #12: C:\WINNT\System32\lspcs.dll

Protocol #13: C:\WINNT\System32\lspcs.dll

Protocol #14: C:\WINNT\System32\lspcs.dll

Protocol #15: C:\WINNT\System32\lspcs.dll

Protocol #16: C:\WINNT\System32\lspcs.dll

Protocol #17: C:\WINNT\System32\lspcs.dll

Protocol #18: C:\WINNT\System32\lspcs.dll

Protocol #19: C:\WINNT\System32\lspcs.dll

Protocol #39: C:\WINNT\System32\lspcs.dll

 

--------------------------------------------------

 

Enumerating ShellServiceObjectDelayLoad items:

 

PostBootReminder: C:\WINNT\system32\SHELL32.dll

CDBurn: C:\WINNT\system32\SHELL32.dll

WebCheck: C:\WINNT\System32\webcheck.dll

SysTray: C:\WINNT\System32\stobject.dll

 

--------------------------------------------------

End of report, 9,028 bytes

Report generated in 0.091 seconds

 

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only


Download Unplug n' Pray to disable UPnP.

 

Disconnect from the internet, boot into Safe Mode, press Ctrl/Alt/Del and make sure nothing is running except for "explorer" and "Systray", run CWShredder and then HJT, and remove the items mentioned in the earlier post.

 

While still in safe mode, show hidden files, search for and delete winlgn.exe.

 

Boot back to normal mode, connect to the internet, rescan with HJT and post a fresh log here.

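As an added example (not code from this thread, from HijackThis or from StartupList), here is the triage the helper did by hand in the two posts above, written as a script: parse the R0/R1, O4 and O16 lines of a HijackThis log, flag the ones matching the items listed for removal, and diff one log against the next to show which flagged items a cleanup removed and which survived it. The watchlist holds only the indicators named in this thread (topotun.com, about:blank, Sys32Smm.exe, msmc.exe, winlgn.exe, RunExeActiveX), and the sample lines are copied from the 6/13 and 6/14 logs posted above.

```python
"""Triage HijackThis 1.97-style log lines against the indicators named in this thread."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Indicators taken from the helper's removal list in this thread; not a general signature set.
HIJACK_DOMAINS = {"topotun.com"}
HIJACK_PAGES = {"about:blank"}          # HKLM ...\Search,(Default) = about:blank was listed for removal
BAD_STARTUP_FILES = {"sys32smm.exe", "msmc.exe", "winlgn.exe"}
BAD_DPF_NAMES = {"runexeactivex"}

LINE_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<detail>.+)$")
EXE_RE = re.compile(r'([^\\/"\s]+\.(?:exe|com|scr|pif|bat|cmd|dll))', re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    kind: str     # R0, R1, O4, O16, ...
    detail: str   # everything after "Rn - " / "On - "


def parse_hjt(text: str) -> list[Entry]:
    """Keep the R/F/O entries of a log; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["kind"], m["detail"].strip()))
    return entries


def _startup_file(detail: str) -> str:
    """First executable name in an O4 entry, lower-cased, whether quoted, bare or a .lnk target."""
    m = EXE_RE.search(detail)
    return m.group(1).lower() if m else ""


def flag(entry: Entry) -> Optional[str]:
    """Reason this entry matches the thread's indicators, or None if it looks clean."""
    if entry.kind.startswith("R"):
        # R0/R1 lines read "<key>,<value> = <data>"; only the data decides.
        data = entry.detail.partition(" = ")[2].strip()
        if data.lower() in HIJACK_PAGES:
            return f"IE search/start value reset to {data}"
        host = (urlsplit(data).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in HIJACK_DOMAINS):
            return f"IE setting points at hijack domain {host}"
    elif entry.kind == "O4":
        name = _startup_file(entry.detail)
        if name in BAD_STARTUP_FILES:
            return f"autostart of file listed for deletion: {name}"
    elif entry.kind == "O16":
        if any(bad in entry.detail.lower() for bad in BAD_DPF_NAMES):
            return "downloaded ActiveX control listed for removal"
    return None


def triage(text: str) -> list[tuple[Entry, str]]:
    """All (entry, reason) pairs worth ticking in HijackThis."""
    return [(e, r) for e in parse_hjt(text) for r in [flag(e)] if r]


def diff_flagged(before: str, after: str) -> dict[str, list[Entry]]:
    """Which flagged entries a cleanup removed, which survived it, and which are new."""
    old = {e for e, _ in triage(before)}
    new = {e for e, _ in triage(after)}
    return {
        "removed": sorted(old - new, key=str),
        "persisting": sorted(old & new, key=str),
        "new": sorted(new - old, key=str),
    }


# Constructed samples: a handful of lines copied from the 6/13 and 6/14 logs in this thread.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://topotun.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://topotun.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
O4 - HKCU\..\Run: [MutexServiceEx] Sys32Smm.exe /run
O4 - HKCU\..\Run: [msmc] C:\WINNT\System32\msmc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: winlgn.exe
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
"""
LOG_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MutexServiceEx] Sys32Smm.exe /run
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
"""

if __name__ == "__main__":
    for entry, reason in triage(LOG_BEFORE):
        print(f"[{entry.kind}] {reason}: {entry.detail}")
    for bucket, entries in diff_flagged(LOG_BEFORE, LOG_AFTER).items():
        print(f"{bucket}: {len(entries)}")
```

On the two samples the diff reports five flagged entries removed and two persisting (the Sys32Smm.exe autostart and the RunExeActiveX control), which is exactly what a reviewer would want to see before saying the machine is clean.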

Dolphins,

 

I've got control of my browser again---thanks! The latest logs are posted. I had to restore some of the items you told me to fix as they seemed to belong to legit programs I have running (I had to re-install one of them after fixing)----if you still have reservations about anything that is still in my logs, let me know.

 

Thanks again!!

 

Pulsar

 

Logfile of HijackThis v1.97.7

Scan saved at 12:29:44 AM, on 6/14/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINNT\Explorer.EXE

C:\WINNT\System32\atiptaxx.exe

C:\WINNT\System32\SK9910DM.EXE

C:\WINNT\GWMDMMSG.exe

C:\WINNT\System32\devldr32.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

C:\WINNT\Cyb2k.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINNT\Sys32Smm.exe

C:\WINNT\System32\Ati2evxx.exe

C:\WINNT\System32\CTsvcCDA.exe

C:\PROGRA~1\Iomega\System32\ActivityDisk.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINNT\System32\wuauclt.exe

C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

C:\WINNT\system32\ZoneLabs\vsmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Home\Desktop\Ed\anti-hijacking programs\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

O2 - BHO: (no name) - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\ycomp5_0_8_6.dll

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {2F2FBF0D-254F-11D5-B1E5-0050DAD7AF62} - C:\PROGRA~1\ANONYM~1\ANONYM~1.DLL

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRA~1\PopUpCop\PopUpCop.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_0_8_6.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"

O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

O4 - HKLM\..\Run: [iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe

O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

O4 - HKLM\..\Run: [C2K] C:\WINNT\Cyb2k.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spyProtection] C:\Program Files\Webroot\Spy Protection\SpyProtection.exe /0

O4 - HKCU\..\Run: [PicoZip] C:\PROGRA~1\PicoZip\PicoZipTray.exe

O4 - HKCU\..\Run: [MutexServiceEx] Sys32Smm.exe /run

O4 - Global Startup: Adobe Gamma Loader.lnk = ?

O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE

O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000

O8 - Extra context menu item: Open Image in New Window - res://C:\Program Files\PopUpCop\popupcop.dll/imagenew

O9 - Extra button: Yahoo! Login (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)

O9 - Extra button: Anonymizer (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud14.sports.sc5.yahoo.com/java/y/nflgcst1010_x.cab

O16 - DPF: Yahoo! NFL StatTracker - http://aud10.sports.yahoo.com/java/y/nflst8252_x.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe

O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/PEInstaller.exe

O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB

O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7732.9287268519

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{E180430C-38A8-47DA-9DBE-176BFF169CDE}: NameServer = 206.13.29.12 206.13.30.12

 

 

StartupList report, 6/14/2004, 12:29:55 AM

StartupList version: 1.52

Started from : C:\Documents and Settings\Home\Desktop\Ed\anti-hijacking programs\HijackThis.EXE

Detected: Windows XP (WinNT 5.01.2600)

Detected: Internet Explorer v6.00 (6.00.2600.0000)

* Using default options

==================================================

 

Running processes:

 

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINNT\Explorer.EXE

C:\WINNT\System32\atiptaxx.exe

C:\WINNT\System32\SK9910DM.EXE

C:\WINNT\GWMDMMSG.exe

C:\WINNT\System32\devldr32.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

C:\WINNT\Cyb2k.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINNT\Sys32Smm.exe

C:\WINNT\System32\Ati2evxx.exe

C:\WINNT\System32\CTsvcCDA.exe

C:\PROGRA~1\Iomega\System32\ActivityDisk.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINNT\System32\wuauclt.exe

C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

C:\WINNT\system32\ZoneLabs\vsmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Home\Desktop\Ed\anti-hijacking programs\HijackThis.exe

C:\WINNT\notepad.exe

 

--------------------------------------------------

 

Listing of startup folders:

 

Shell folders Common Startup:

[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]

Adobe Gamma Loader.lnk = ?

Billminder.lnk = C:\Program Files\Quicken\billmind.exe

Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE

ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

 

--------------------------------------------------

 

Checking Windows NT UserInit:

 

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINNT\system32\userinit.exe,

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

ATIModeChange = Ati2mdxx.exe

AtiPTA = atiptaxx.exe

Hot Key Kbd 9910 Daemon = SK9910DM.EXE

GWMDMMSG = GWMDMMSG.exe

Keyboard Preload Check = C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"

GWMDMpi = C:\WINNT\GWMDMpi.exe

AdaptecDirectCD = C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

Iomega Startup Options = C:\Program Files\Iomega\Common\ImgStart.exe

Iomega Drive Icons = C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

C2K = C:\WINNT\Cyb2k.exe

ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe

QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime

TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

 

washindex = C:\Program Files\Washer\washidx.exe "Home"

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

 

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

SpyProtection = C:\Program Files\Webroot\Spy Protection\SpyProtection.exe /0

PicoZip = C:\PROGRA~1\PicoZip\PicoZipTray.exe

MutexServiceEx = Sys32Smm.exe /run

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

 

washindex = C:\Program Files\Washer\washidx.exe

 

--------------------------------------------------

 

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

 

Shell=*INI section not found*

SCRNSAVE.EXE=*INI section not found*

drivers=*INI section not found*

 

Shell & screensaver key from Registry:

 

Shell=Explorer.exe

SCRNSAVE.EXE=C:\WINNT\System32\ssstars.scr

drivers=*Registry value not found*

 

Policies Shell key:

 

HKCU\..\Policies: Shell=*Registry key not found*

HKLM\..\Policies: Shell=*Registry value not found*

 

--------------------------------------------------

 

 

Enumerating Browser Helper Objects:

 

(no name) - C:\Program Files\Yahoo!\common\ycomp5_0_8_6.dll - {02478D28-C3F9-4efb-9B51-7695ECA05670}

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

(no name) - C:\PROGRA~1\ANONYM~1\ANONYM~1.DLL - {2F2FBF0D-254F-11D5-B1E5-0050DAD7AF62}

NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

 

--------------------------------------------------

 

Enumerating Task Scheduler jobs:

 

ISP signup reminder 1.job

ISP signup reminder 3.job

Symantec NetDetect.job

 

--------------------------------------------------

 

Enumerating Download Program Files:

 

[YInstStarter Class]

InProcServer32 = C:\Program Files\Yahoo!\common\yinsthelper.dll

CODEBASE = C:\Program Files\Yahoo!\common\yinsthelper.dll

 

[{41F17733-B041-4099-A042-B518BB6A408C}]

CODEBASE = http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe

 

[RunExeActiveX.RunExe]

InProcServer32 = C:\WINNT\Downloaded Program Files\RunExeActiveX.ocx

CODEBASE = hcp://system/RunExeActiveX.CAB

 

[HouseCall Control]

InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx

CODEBASE = http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

 

[{78A730D4-0DF3-4B65-8DD2-BFCD433CEE30}]

CODEBASE = http://www.surfsecret.com/inst/PEInstaller.exe

 

[startFirstControl.CheckFirst]

InProcServer32 = C:\WINNT\Downloaded Program Files\StartFirstControl.ocx

CODEBASE = hcp://system/StartFirstControl.CAB

 

[RegConfig Class]

InProcServer32 = C:\WINNT\Downloaded Program Files\yregcfg.dll

CODEBASE = http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab

 

[update Class]

InProcServer32 = C:\WINNT\System32\iuctl.dll

CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...7732.9287268519

 

[shockwave Flash Object]

InProcServer32 = C:\WINNT\System32\Macromed\Flash\FLASH.OCX

CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

[iTunesDetector Class]

InProcServer32 = C:\Program Files\iTunes\ITDetector.ocx

CODEBASE = http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

 

--------------------------------------------------

 

Enumerating Winsock LSP files:

 

Protocol #1: C:\WINNT\System32\lspcs.dll

Protocol #2: C:\WINNT\System32\lspcs.dll

Protocol #3: C:\WINNT\System32\lspcs.dll

Protocol #4: C:\WINNT\System32\lspcs.dll

Protocol #5: C:\WINNT\System32\lspcs.dll

Protocol #6: C:\WINNT\System32\lspcs.dll

Protocol #7: C:\WINNT\System32\lspcs.dll

Protocol #8: C:\WINNT\System32\lspcs.dll

Protocol #9: C:\WINNT\System32\lspcs.dll

Protocol #10: C:\WINNT\System32\lspcs.dll

Protocol #11: C:\WINNT\System32\lspcs.dll

Protocol #12: C:\WINNT\System32\lspcs.dll

Protocol #13: C:\WINNT\System32\lspcs.dll

Protocol #14: C:\WINNT\System32\lspcs.dll

Protocol #15: C:\WINNT\System32\lspcs.dll

Protocol #16: C:\WINNT\System32\lspcs.dll

Protocol #17: C:\WINNT\System32\lspcs.dll

Protocol #18: C:\WINNT\System32\lspcs.dll

Protocol #19: C:\WINNT\System32\lspcs.dll

Protocol #39: C:\WINNT\System32\lspcs.dll

 

--------------------------------------------------

 

Enumerating ShellServiceObjectDelayLoad items:

 

PostBootReminder: C:\WINNT\system32\SHELL32.dll

CDBurn: C:\WINNT\system32\SHELL32.dll

WebCheck: C:\WINNT\System32\webcheck.dll

SysTray: C:\WINNT\System32\stobject.dll

 

--------------------------------------------------

End of report, 8,908 bytes

Report generated in 0.090 seconds

 

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only


This is the one you reinstalled,

 

O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB

 

Correct?

 

You still have one problem to clear up.

 

Have HJT remove O4 - HKCU\..\Run: [MutexServiceEx] Sys32Smm.exe /run

 

Reboot, show hidden files, navigate to C:\WINNT\Sys32Smm.exe and delete it.

 

Reboot and post a fresh log here.


I came to this site doing a search on google about topotun.com. It was holding my homepage hostage and my computer was doing weird stuff, like not shutting down right, there was this winmin running, it was crazy! After reading more on this site and others the first thing I did was update my Win98 with all the latest and greatest patches. I tried Ad-aware, Spyhunter and even Norton and the thing still came back. The Hijackthis that was mentioned looked exactly like something I could easily mess up so I was reluctant to do that.

 

At that point I was getting a tad hot so I went to my NEW homepage topotun.com with the intention of leaving them a nice colorful email. On the right bottom of the page is a link, Support. I click that, and in there is something you can download called uninstall.zip made to uninstall topotun.com. With my anti virus program on full alert I downloaded the file, unzipped it and ran the uninstall.exe. It all took about 2 minutes. IT WORKED. No more homepage hijacking, no more weird search engine, no more Winmin.

 

It was so easy I could hardly believe it. I rebooted 3 times just to be sure. I just wanted to share this in case someone gets in my position. Going through the fixes, etc., with Hijackthis looked complicated to me, but this uninstall thing was a snap.

 

Nimmy


Nimmy,

 

 

From what you have posted, we are supposed to believe that the originator of this scumware is somehow feeling sorry for what they have done and has put out an uninstaller that will completely uninstall their software.

 

Yet their software still exists and is infecting machines while people like me haven't a clue, Right?

 

Is that what you're saying????

 

Is it????


Dolphin,

 

Here is the current hijackthis file from my system. Maybe you can understand how it might have been changed. I ran hijackthis a few days ago when all the fun was happening but did not save the file because at that time I was hoping there would be an easier way. All I know is my computer operates better and my homepage has been released from captivity.

 

Logfile of HijackThis v1.97.7

Scan saved at 10:22:35 PM, on 6/19/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\SPYHUNTER\POPUPBLOCKER\ENIGMAPOPUPSTOP.EXE

C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\ENTERNET.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\PROGRAM FILES\MIRC\MIRC.EXE

C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE

C:\WINDOWS\SOL.EXE

C:\MY DOCUMENTS\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINDOWS\system32\searchbar.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINDOWS\system32\searchbar.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINDOWS\system32\searchbar.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINDOWS\system32\searchbar.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://topotun.com/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://topotun.com/index.htm

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://martfinder.com/crindex.html

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe

O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe

O4 - HKLM\..\Run: [v55mubx8d8] C:\WINDOWS\WINRAR.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE

O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

O4 - HKCU\..\Run: [aimboot] %SystemRoot%\awinrar.exe

O4 - HKCU\..\Run: [dllhelp] c:\windows\dllhlp.exe

O8 - Extra context menu item: Show Original Image - res://C:\PROGRAM FILES\HIGHSTREAM TURBO\HSTURBO.EXE/227

O9 - Extra button: RealGuide (HKLM)

O9 - Extra button: Guide (HKLM)

O9 - Extra button: PeoplePC (HKLM)

O9 - Extra button: Wallet (HKLM)

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab

O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedCont...c/bin/cabsa.cab

O16 - DPF: {AB1E62EB-3DE3-428F-A417-64AB3C9B6CF0} - http://econnect.libereco.net/econnect.cab

O16 - DPF: {BD11A280-2E73-11CF-B6CF-00AA00A74DAF} - http://www.talkingbuddy.com/talkingbuddyinstall.exe

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://jobs.tntlogistics.com/CFIDE/classes/CFJava.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120...all/xscan53.cab

O16 - DPF: {78960E0E-0B0C-11D4-8997-00104BD12D94} (AV Class) - http://www.pcpitstop.com/antivirus/PCPAV.CAB

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-3.ibm.com/pc/support/IbmEgath.cab

O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8157.0788773148

 

I am as surprised as anyone, I figured when I clicked on that website my computer would be completely gone. But at that time I didn't care.

 

Nimmy


Nimmy,

 

You have quite a few problems as indicated by your log.

 

Download and run CWShredder by clicking the link in my signature. (click the FIX button with all windows closed)

 

Run complete scans by checking all boxes in both programs listed below,

 

http://housecall.trendmicro.com/

http://www.pandasoftware.com/activescan/co...n_principal.htm

 

Download and run a trial version of an Anti-Trojan by clicking the link in my signature.

 

Reboot, rescan with HJT and post a fresh log here along with the full file path to any file you were not able to remove with the tools mentioned.

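As an added example (not from this thread, and not part of HijackThis itself), a small Python triage helper that parses R0/R1/O4 lines in the HJT log format and flags the indicators the helpers point at in Nimmy's log: search settings aimed at the hijacker's domains or at a local HTML file, a proxy pointed at 127.0.0.1, and randomly named Run entries. The suspect-domain list and the heuristics are assumptions; the sample lines are copied from the log above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://topotun.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINDOWS\system32\searchbar.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O4 - HKLM\..\Run: [v55mubx8d8] C:\WINDOWS\WINRAR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKCU\..\Run: [aimboot] %SystemRoot%\awinrar.exe
"""

# Domains this thread identifies as the hijacker's (assumed list, built from the log).
SUSPECT_DOMAINS = {"topotun.com", "martfinder.com"}

R_LINE = re.compile(r"^R[01] - (?P<key>.+?),(?P<name>[^,=]+?) = (?P<value>.*)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>.+?)\] (?P<cmd>.*)$")

def random_looking(name):
    """Heuristic: count digit<->non-digit flips; names like v55mubx8d8 have many."""
    flips = sum(1 for a, b in zip(name, name[1:]) if a.isdigit() != b.isdigit())
    return flips >= 3

def triage_line(line):
    """Return a reason string if the HJT line shows a hijack indicator, else None."""
    m = R_LINE.match(line)
    if m:
        name, value = m["name"], m["value"].strip()
        if name == "ProxyServer" and "127.0.0.1" in value:
            return "proxy points at loopback: traffic is relayed through a local process"
        if re.match(r"^[A-Za-z]:\\", value) and value.lower().endswith(".html"):
            return "search/start setting points at a local HTML file instead of a URL"
        host = urlsplit(value).hostname or ""
        if host in SUSPECT_DOMAINS:
            return f"search/start setting points at known hijacker domain {host}"
        return None
    m = O4_LINE.match(line)
    if m and random_looking(m["name"]):
        return f"autorun entry name {m['name']!r} looks randomly generated"
    return None

def triage(log_text):
    """Return (line, reason) pairs for every flagged line, in log order."""
    flagged = []
    for raw in log_text.splitlines():
        why = triage_line(raw.strip())
        if why:
            flagged.append((raw.strip(), why))
    return flagged

if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {line}")
```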