JMac Posted August 20, 2006 Share Posted August 20, 2006 Logfile of HijackThis v1.99.1 Scan saved at 20:19:02, on 20/08/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\blueyonder\PCguard\fws.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe C:\Program Files\Common Files\Command Software\dvpapi.exe C:\Program Files\ewido anti-spyware 4.0\guard.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\CTHELPER.EXE C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\blueyonder\PCguard\RPS.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\blueyonder IST\bin\mpbtn.exe C:\WINDOWS\system32\msiexec.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\WINDOWS\system32\svchost.exe C:\Documents and Settings\Owner\Desktop\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 R3 - URLSearchHook: (no name) - - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\blueyonder\PCguard\pkR.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\blueyonder\PCguard\FBHR.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [sBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\RPS.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...arch.jhtml?p=ZZ O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ssi...ureUploader.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe Link to comment Share on other sites More sharing options...
Administrator Tarun Posted August 20, 2006 Administrator Share Posted August 20, 2006 JMac, which ISP is your friend using? Until I hear back from you; here's the log. Generated by Tarun's HijackThis Converter v0.50 Beta. Default-color items are optional, red are known to be malicious. Created registry value R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm Changed registry value R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = Created registry value R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 Created extra registry value where only one should be R3 - URLSearchHook: (no name) - - (no file) Enumeration of existing IE's BHO's O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\blueyonder\PCguard\pkR.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll Enumeration of suspicious auto-loading registry entries O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [sBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe Extra IE context menu items O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...arch.jhtml?p=ZZ Extra "Tools" menu items and buttons O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll Changing of IERESET.INF O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm Downloaded Program Files item O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ssi...ureUploader.cab I'll have some recommendations soon. :D Link to comment Share on other sites More sharing options...
JMac Posted August 20, 2006 Author Share Posted August 20, 2006 ok Tarun i wont do anythink untill i hear ur recomendations. Link to comment Share on other sites More sharing options...
Administrator Tarun Posted August 20, 2006 Administrator Share Posted August 20, 2006 From my prior post: Which ISP is your friend using? Link to comment Share on other sites More sharing options...
Capman Posted August 20, 2006 Share Posted August 20, 2006 On his behalf, I am guessing Blueyonder which is a part of Telewest I believe. JMac, is your friend using MSN or WLM? If WLM, does his/hers Hotmail address end in .co.uk by any chance? Link to comment Share on other sites More sharing options...
JMac Posted August 20, 2006 Author Share Posted August 20, 2006 yes CaPMan BLueyonder. WLM and it ends in .com Link to comment Share on other sites More sharing options...
Capman Posted August 20, 2006 Share Posted August 20, 2006 Ok, the only reason I asked about WLM is because I had to uninstall it because my daughter could not log on with it, even though the rest of us could, we all have .com addresses but she has a .co.uk one, so I thought that might of been the problem. Link to comment Share on other sites More sharing options...
Administrator Tarun Posted August 21, 2006 Administrator Share Posted August 21, 2006 I asked about the ISP because there are AOL services listed. Be sure that AOL has been uninstalled from Add/Remove Programs. :D Link to comment Share on other sites More sharing options...
JMac Posted August 21, 2006 Author Share Posted August 21, 2006 There are no AOL items in add/remove. Link to comment Share on other sites More sharing options...
JMac Posted August 23, 2006 Author Share Posted August 23, 2006 Tarun, Still waiting on ur recomendations.... Link to comment Share on other sites More sharing options...
SenutyEnool Posted August 23, 2006 Share Posted August 23, 2006 G'day JMac, you'll need to wait out a while. Tarun's all wrapped up in starting college this week and it's going to take awhile for him to catch up. Cheers :D Link to comment Share on other sites More sharing options...
Administrator Tarun Posted August 23, 2006 Administrator Share Posted August 23, 2006 Do a search for the file named AOLacsd.exe If found, delete it. Next you will want to enter the name AOL Connectivity Service (AOL ACS) - America Online, Inc. into the HijackThis service deletion. Recommendations: - Uninstall Quicktime and RealPlayer so you can switch to the Kazaa Lite Mega Pack. Link to comment Share on other sites More sharing options...
Recommended Posts