Author Topic: jbhook.dll/svch0st.exe  (Read 17452 times)


tjw730

  • Guest
Re: jbhook.dll/svch0st.exe
« Reply #15 on: March 20, 2007, 12:23:38 PM »
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EbatesMoeMoneyMaker]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="EbatesMoeMoneyMaker\""
"hkey"="HKLM"
"command"="wjview /cp:p \"D:\\Program Files\\EbatesMoeMoneyMaker\\System\\Code\" Main lp: \"D:\\Program Files\\EbatesMoeMoneyMaker\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\programs\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="keyboard2"
"hkey"="HKLM"
"command"="c:\\\\keyboard2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Application Viewer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msappview32"
"hkey"="HKLM"
"command"="msappview32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE D:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE D:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="FirstStart"
"hkey"="HKLM"
"command"="C:\\programs\\OLYMPUS Master\\FirstStart.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerBar]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PowerBar"
"hkey"="HKCU"
"command"="\"\\PowerBar.exe\" /AtBootTime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\programs\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\seekmo]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="seekmo"
"hkey"="HKLM"
"command"="\"d:\\program files\\seekmo\\seekmo.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sgtray"
"hkey"="HKLM"
"command"="\"D:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="D:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleToolbarNotifier"
"hkey"="HKCU"
"command"="D:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.8472\\GoogleToolbarNotifier.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ToolbarInstall]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MirarSetup"
"hkey"="HKLM"
"command"="D:\\DOCUME~1\\Family\\LOCALS~1\\Temp\\MirarSetup.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\was_check]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win32 Kernel Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="win32update"
"hkey"="HKLM"
"command"="D:\\WINDOWS\\System32\\win32update.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windows]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="windows"
"hkey"="HKCU"
"command"="D:\\WINDOWS\\System32\\windows.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows ASN2 Services]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="xnmw"
"hkey"="HKLM"
"command"="xnmw.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windows auto update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msblast"
"hkey"="HKLM"
"command"="msblast.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YAHOOM~1"
"hkey"="HKCU"
"command"="\"D:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IDriverT"=dword:00000003
"Win32Kernel"=dword:00000002
"Adobe LM Service"=dword:00000003
"iPodService"=dword:00000003
"CSRSS"=dword:00000002
"usnjsvc"=dword:00000003


[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"msnmsgr"="\"D:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"MySpaceIM"="D:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"=dword:00000000
"DisableLockWorkstation"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoClose"=dword:00000000
"NoLogoff"=dword:00000000
@="0"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
   Source   REG_SZ            file:///D:/DOCUME~1/Family/LOCALS~1/Temp/msoclip1/01/clip_image002.jpg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService   REG_MULTI_SZ      Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService   REG_MULTI_SZ      DnsCache\0\0
rpcss   REG_MULTI_SZ      RpcSs\0\0
imgsvc   REG_MULTI_SZ      StiSvc\0\0
termsvcs   REG_MULTI_SZ      TermService\0\0




~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070317-105110-969
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
backup-20070317-103354-924
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM95\aim.exe -cnetwait.odl

********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************
Completion time: 07-03-20 22:18:46

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
Re: jbhook.dll/svch0st.exe
« Reply #16 on: March 20, 2007, 07:24:04 PM »
OK, looking better, but there are a few more things to do. Firstly, re-run OTMoveit (same procedure); these are the files to copy and paste:

D:\WINDOWS\ktfsec32.exe
D:\Temp
D:\WINDOWS\system32\plugin1.dat


Next

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose:
Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Then

I see no sign of an anti-spyware product, so:

Download and then run SuperAntispyware
  • On the first page select Check for Updates
  • On completion select SCAN YOUR COMPUTER
  • On the next page select COMPLETE SCAN and tick ALL your drives
  • The next stage will take a while as your entire drive(s), memory and registry are scanned
  • When it has completed click NEXT
  • The next screen shows the problems found click OK
  • On the next screen place a tick against all items and select NEXT
  • Now to get the log Go to the PREFERENCES button on the right bottom
  • Select the STATISTICS/LOG tab
  • Highlight the scan just completed and click VIEW LOG
  • This will open a Notepad text file; copy and paste its contents into your next reply

Plus a new HJT log  8)

You may lose your Ebates toolbar when SAS removes it, but you can reinstall it if you wish.

tjw730

  • Guest
Re: jbhook.dll/svch0st.exe
« Reply #17 on: March 20, 2007, 09:50:53 PM »
That's alright; I'm not even supposed to have an "Ebates toolbar". I think I got that involuntarily ages ago, so I hope it will delete it. Thanks again, will post the log very soon.

tjw730

  • Guest
Re: jbhook.dll/svch0st.exe
« Reply #18 on: March 21, 2007, 02:36:30 AM »
SUPERAntiSpyware Scan Log
Generated 03/21/2007 at 12:25 PM

Application Version : 3.6.1000

Core Rules Database Version : 3203
Trace Rules Database Version: 1213

Scan type       : Complete Scan
Total Scan Time : 04:32:22

Memory items scanned      : 381
Memory threats detected   : 0
Registry items scanned    : 6117
Registry threats detected : 147
File items scanned        : 115722
File threats detected     : 150

Unclassified.Unknown Origin
   HKLM\Software\Classes\CLSID\{54645654-2225-4455-44A1-9F4543D34546}
   HKCR\CLSID\{54645654-2225-4455-44A1-9F4543D34546}
   HKCR\CLSID\{54645654-2225-4455-44A1-9F4543D34546}
   HKCR\CLSID\{54645654-2225-4455-44A1-9F4543D34546}\InProcServer32
   D:\WINDOWS\SYSTEM32\VBSYS2.DLL

Adware.IST/YourSiteBar
   HKLM\Software\Classes\CLSID\{86227D9C-0EFE-4f8a-AA55-30386A3F5686}
   HKCR\CLSID\{86227D9C-0EFE-4F8A-AA55-30386A3F5686}
   HKCR\CLSID\{86227D9C-0EFE-4F8A-AA55-30386A3F5686}
   HKCR\CLSID\{86227D9C-0EFE-4F8A-AA55-30386A3F5686}\Implemented Categories
   HKCR\CLSID\{86227D9C-0EFE-4F8A-AA55-30386A3F5686}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
   HKCR\CLSID\{86227D9C-0EFE-4F8A-AA55-30386A3F5686}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
   HKCR\CLSID\{86227D9C-0EFE-4F8A-AA55-30386A3F5686}\InprocServer32
   HKCR\CLSID\{86227D9C-0EFE-4F8A-AA55-30386A3F5686}\InprocServer32#ThreadingModel
   HKCR\CLSID\{86227D9C-0EFE-4F8A-AA55-30386A3F5686}\ProgID
   HKCR\CLSID\{86227D9C-0EFE-4F8A-AA55-30386A3F5686}\Programmable
   HKCR\CLSID\{86227D9C-0EFE-4F8A-AA55-30386A3F5686}\TypeLib
   HKCR\CLSID\{86227D9C-0EFE-4F8A-AA55-30386A3F5686}\VersionIndependentProgID
   D:\PROGRAM FILES\YOURSITEBAR\YSB.DLL
   HKCR\Ysb.YsbObj
   HKCR\Ysb.YsbObj\CLSID
   HKCR\Ysb.YsbObj\CurVer
   HKCR\Ysb.YsbObj.1
   HKCR\Ysb.YsbObj.1\CLSID
   HKCR\Interface\{03B800F9-2536-4441-8CDA-2A3E6D15B4F8}
   HKCR\Interface\{03B800F9-2536-4441-8CDA-2A3E6D15B4F8}\ProxyStubClsid
   HKCR\Interface\{03B800F9-2536-4441-8CDA-2A3E6D15B4F8}\ProxyStubClsid32
   HKCR\Interface\{03B800F9-2536-4441-8CDA-2A3E6D15B4F8}\TypeLib
   HKCR\Interface\{03B800F9-2536-4441-8CDA-2A3E6D15B4F8}\TypeLib#Version
   HKCR\Interface\{DFBCC1EB-B149-487E-80C1-CC1562021542}
   HKCR\Interface\{DFBCC1EB-B149-487E-80C1-CC1562021542}\ProxyStubClsid
   HKCR\Interface\{DFBCC1EB-B149-487E-80C1-CC1562021542}\ProxyStubClsid32
   HKCR\Interface\{DFBCC1EB-B149-487E-80C1-CC1562021542}\TypeLib
   HKCR\Interface\{DFBCC1EB-B149-487E-80C1-CC1562021542}\TypeLib#Version
   HKCR\TypeLib\{4EE12B71-AA5E-45EC-8666-2DB3AD3FDF44}
   HKCR\TypeLib\{4EE12B71-AA5E-45EC-8666-2DB3AD3FDF44}\1.0
   HKCR\TypeLib\{4EE12B71-AA5E-45EC-8666-2DB3AD3FDF44}\1.0\0
   HKCR\TypeLib\{4EE12B71-AA5E-45EC-8666-2DB3AD3FDF44}\1.0\0\win32
   HKCR\TypeLib\{4EE12B71-AA5E-45EC-8666-2DB3AD3FDF44}\1.0\FLAGS
   HKCR\TypeLib\{4EE12B71-AA5E-45EC-8666-2DB3AD3FDF44}\1.0\HELPDIR
   HKLM\Software\YourSiteBar
   HKLM\Software\YourSiteBar#installTitle
   HKLM\Software\YourSiteBar#barTitle
   HKLM\Software\YourSiteBar#serverpath
   HKLM\Software\YourSiteBar#urlAfterInstall
   HKLM\Software\YourSiteBar#gUpdate
   HKLM\Software\YourSiteBar#TBRowMode
   HKLM\Software\YourSiteBar#yoursitebar.xml
   HKLM\Software\YourSiteBar#imagemap_normal.bmp
   HKLM\Software\YourSiteBar#imagemap_over.bmp
   HKLM\Software\YourSiteBar#showcorrupted
   HKLM\Software\YourSiteBar#updatever
   HKLM\Software\YourSiteBar#refreshscope
   HKLM\Software\YourSiteBar#allowupdate
   HKLM\Software\YourSiteBar#LastCheckTime
   HKLM\Software\YourSiteBar#version.txt
   HKLM\Software\YourSiteBar#UpdateBegin
   HKCR\YSBactivex.Installer
   HKCR\YSBactivex.Installer\CLSID
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs#D:\WINDOWS\Downloaded Program Files\ysbactivex.dll [  ]

Adware.Mirar/NetNucleus
   HKLM\Software\Classes\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}
   HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}
   HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}
   HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\InprocServer32
   HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\InprocServer32#ThreadingModel
   HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties
   HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#Version
   HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#BuildName
   HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\TypeLib
   D:\WINDOWS\SYSTEM32\WINNB63.DLL
   HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}
   HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\ProxyStubClsid
   HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\ProxyStubClsid32
   HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\TypeLib
   HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\TypeLib#Version
   HKCR\Interface\{224302B0-94E9-45C2-9E5B-BA989EE556E1}
   HKCR\Interface\{224302B0-94E9-45C2-9E5B-BA989EE556E1}\ProxyStubClsid
   HKCR\Interface\{224302B0-94E9-45C2-9E5B-BA989EE556E1}\ProxyStubClsid32
   HKCR\Interface\{224302B0-94E9-45C2-9E5B-BA989EE556E1}\TypeLib
   HKCR\Interface\{224302B0-94E9-45C2-9E5B-BA989EE556E1}\TypeLib#Version
   HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}
   HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\ProxyStubClsid
   HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\ProxyStubClsid32
   HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\TypeLib
   HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\TypeLib#Version
   HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}
   HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\ProxyStubClsid
   HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\ProxyStubClsid32
   HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\TypeLib
   HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\TypeLib#Version
   HKCR\NN_Bar_Dummy.NN_BarDummy
   HKCR\NN_Bar_Dummy.NN_BarDummy\CLSID
   HKCR\NN_Bar_Dummy.NN_BarDummy\CurVer
   HKCR\NN_Bar_Dummy.NN_BarDummy.1
   HKCR\NN_Bar_Dummy.NN_BarDummy.1\CLSID
   HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}
   HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0
   HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0\0
   HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0\0\win32
   HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0\FLAGS
   HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0\HELPDIR
   HKCR\TypeLib\{F8310E7D-4C4D-46A4-A068-B5BB99411CC7}
   HKCR\TypeLib\{F8310E7D-4C4D-46A4-A068-B5BB99411CC7}\1.0
   HKCR\TypeLib\{F8310E7D-4C4D-46A4-A068-B5BB99411CC7}\1.0\0
   HKCR\TypeLib\{F8310E7D-4C4D-46A4-A068-B5BB99411CC7}\1.0\0\win32
   HKCR\TypeLib\{F8310E7D-4C4D-46A4-A068-B5BB99411CC7}\1.0\FLAGS
   HKCR\TypeLib\{F8310E7D-4C4D-46A4-A068-B5BB99411CC7}\1.0\HELPDIR

Adware.UCMore/The Search Accelerator
   HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar#{44BE0690-5429-47f0-85BB-3FFD8020233E}
   HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar#{44BE0690-5429-47f0-85BB-3FFD8020233E}
   HKU\.DEFAULT\Software\Effective-i
   HKU\S-1-5-18\Software\Effective-i
   HKU\.DEFAULT\Software\Maxthon\Plugin\toolbar\{44BE0690-5429-47f0-85BB-3FFD8020233E}
   HKU\S-1-5-18\Software\Maxthon\Plugin\toolbar\{44BE0690-5429-47f0-85BB-3FFD8020233E}

Browser Hijacker.Internet Explorer Zone Hijack
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com\click
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com\click#https
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\click
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\click#https
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\redirect
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\redirect#https
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\www
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\www#https
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\net-nucleus.com
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\net-nucleus.com\awbeta
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\net-nucleus.com\awbeta#https

Adware.IST/ISTBar (Slotch Bar)
   HKCR\TypeLib\{67907B3C-A6EF-4A01-99AD-3FCD5F526429}
   HKCR\TypeLib\{67907B3C-A6EF-4A01-99AD-3FCD5F526429}\1.1
   HKCR\TypeLib\{67907B3C-A6EF-4A01-99AD-3FCD5F526429}\1.1\0
   HKCR\TypeLib\{67907B3C-A6EF-4A01-99AD-3FCD5F526429}\1.1\0\win32
   HKCR\TypeLib\{67907B3C-A6EF-4A01-99AD-3FCD5F526429}\1.1\FLAGS
   HKCR\TypeLib\{67907B3C-A6EF-4A01-99AD-3FCD5F526429}\1.1\HELPDIR
   HKCR\Interface\{0985C112-2562-46F2-8DA6-92648BA4630F}
   HKCR\Interface\{0985C112-2562-46F2-8DA6-92648BA4630F}\ProxyStubClsid
   HKCR\Interface\{0985C112-2562-46F2-8DA6-92648BA4630F}\ProxyStubClsid32
   HKCR\Interface\{0985C112-2562-46F2-8DA6-92648BA4630F}\TypeLib
   HKCR\Interface\{0985C112-2562-46F2-8DA6-92648BA4630F}\TypeLib#Version
   HKLM\SOFTWARE\Microsoft\Internet Explorer\Main#BandRest [ Never ]

tjw730

  • Guest
Re: jbhook.dll/svch0st.exe
« Reply #19 on: March 21, 2007, 02:37:32 AM »
Adware.180solutions/ZangoSearch
   HKCR\TypeLib\{8BE3FABA-7468-4851-B97C-0750AF2B908E}
   HKCR\TypeLib\{8BE3FABA-7468-4851-B97C-0750AF2B908E}\1.0
   HKCR\TypeLib\{8BE3FABA-7468-4851-B97C-0750AF2B908E}\1.0\0
   HKCR\TypeLib\{8BE3FABA-7468-4851-B97C-0750AF2B908E}\1.0\0\win32
   HKCR\TypeLib\{8BE3FABA-7468-4851-B97C-0750AF2B908E}\1.0\FLAGS
   HKCR\TypeLib\{8BE3FABA-7468-4851-B97C-0750AF2B908E}\1.0\HELPDIR

Trojan.Error Safe Free
   HKLM\Software\Error Safe Free
   HKLM\Software\Error Safe Free#EulUERS_9999_N91S2507

Adware.180solutions/Seekmo
   HKCR\seekmohook.SABHO
   HKCR\seekmohook.SABHO\CLSID
   HKCR\seekmohook.SABHO\CurVer
   HKCR\seekmohook.SABHO.1
   HKCR\seekmohook.SABHO.1\CLSID

Adware.Tracking Cookie
   C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[1].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[1].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@www.burstnet[1].txt
   C:\Documents and Settings\zpo\Cookies\family@2o7[2].txt
   C:\Documents and Settings\zpo\Cookies\family@ad.isohunt[2].txt
   C:\Documents and Settings\zpo\Cookies\family@ad.yieldmanager[2].txt
   C:\Documents and Settings\zpo\Cookies\family@adopt.hbmediapro[2].txt
   C:\Documents and Settings\zpo\Cookies\family@ads.addynamix[2].txt
   C:\Documents and Settings\zpo\Cookies\family@ads.pointroll[2].txt
   C:\Documents and Settings\zpo\Cookies\family@ads.realcastmedia[2].txt
   C:\Documents and Settings\zpo\Cookies\family@ads.realtechnetwork[1].txt
   C:\Documents and Settings\zpo\Cookies\family@ads1.revenue[1].txt
   C:\Documents and Settings\zpo\Cookies\family@advertising[2].txt
   C:\Documents and Settings\zpo\Cookies\family@apmebf[2].txt
   C:\Documents and Settings\zpo\Cookies\family@as-us.falkag[2].txt
   C:\Documents and Settings\zpo\Cookies\family@atdmt[2].txt
   C:\Documents and Settings\zpo\Cookies\family@atwola[1].txt
   C:\Documents and Settings\zpo\Cookies\family@belnk[1].txt
   C:\Documents and Settings\zpo\Cookies\family@bluestreak[2].txt
   C:\Documents and Settings\zpo\Cookies\family@burstnet[2].txt
   C:\Documents and Settings\zpo\Cookies\family@c5.zedo[1].txt
   C:\Documents and Settings\zpo\Cookies\family@casalemedia[2].txt
   C:\Documents and Settings\zpo\Cookies\family@citi.bridgetrack[2].txt
   C:\Documents and Settings\zpo\Cookies\family@directtrack[1].txt
   C:\Documents and Settings\zpo\Cookies\family@dist.belnk[2].txt
   C:\Documents and Settings\zpo\Cookies\family@doubleclick[1].txt
   C:\Documents and Settings\zpo\Cookies\family@e-2dj6wfkiqoazmlq.stats.esomniture[2].txt
   C:\Documents and Settings\zpo\Cookies\family@e-2dj6wfkywlcjafq.stats.esomniture[1].txt
   C:\Documents and Settings\zpo\Cookies\family@e-2dj6wfl4uodzogo.stats.esomniture[2].txt
   C:\Documents and Settings\zpo\Cookies\family@e-2dj6wfmysocpwaq.stats.esomniture[2].txt
   C:\Documents and Settings\zpo\Cookies\family@e-2dj6wgkyohd5ocq.stats.esomniture[2].txt
   C:\Documents and Settings\zpo\Cookies\family@e-2dj6wgkysidjglq.stats.esomniture[1].txt
   C:\Documents and Settings\zpo\Cookies\family@e-2dj6wgloqmdpalo.stats.esomniture[2].txt
   C:\Documents and Settings\zpo\Cookies\family@e-2dj6wglykpdjggp.stats.esomniture[2].txt
   C:\Documents and Settings\zpo\Cookies\family@e-2dj6wjk4cjczkaq.stats.esomniture[1].txt
   C:\Documents and Settings\zpo\Cookies\family@e-2dj6wjkyakd5oeq.stats.esomniture[1].txt
   C:\Documents and Settings\zpo\Cookies\family@e-2dj6wjkygicjwgq.stats.esomniture[2].txt
   C:\Documents and Settings\zpo\Cookies\family@e-2dj6wjlichdjchq.stats.esomniture[2].txt
   C:\Documents and Settings\zpo\Cookies\family@e-2dj6wjmyspdzelp.stats.esomniture[2].txt
   C:\Documents and Settings\zpo\Cookies\family@fastclick[1].txt
   C:\Documents and Settings\zpo\Cookies\family@h.starware[2].txt
   C:\Documents and Settings\zpo\Cookies\family@hits.clickandtrack[2].txt
   C:\Documents and Settings\zpo\Cookies\family@hotlog[1].txt
   C:\Documents and Settings\zpo\Cookies\family@media.fastclick[1].txt
   C:\Documents and Settings\zpo\Cookies\family@mediaplex[2].txt
   C:\Documents and Settings\zpo\Cookies\family@nbads[1].txt
   C:\Documents and Settings\zpo\Cookies\family@ocean.directtrack[2].txt
   C:\Documents and Settings\zpo\Cookies\family@qksrv[2].txt
   C:\Documents and Settings\zpo\Cookies\family@questionmarket[1].txt
   C:\Documents and Settings\zpo\Cookies\family@realmedia[2].txt
   C:\Documents and Settings\zpo\Cookies\family@reduxads.valuead[1].txt
   C:\Documents and Settings\zpo\Cookies\family@revenue[2].txt
   C:\Documents and Settings\zpo\Cookies\family@sel.as-us.falkag[1].txt
   C:\Documents and Settings\zpo\Cookies\family@serving-sys[2].txt
   C:\Documents and Settings\zpo\Cookies\family@tacoda[1].txt
   C:\Documents and Settings\zpo\Cookies\family@targetnet[2].txt
   C:\Documents and Settings\zpo\Cookies\family@tribalfusion[1].txt
   C:\Documents and Settings\zpo\Cookies\family@tripod[1].txt
   C:\Documents and Settings\zpo\Cookies\family@web4.realtracker[2].txt
   C:\Documents and Settings\zpo\Cookies\family@www.starware[1].txt
   C:\Documents and Settings\zpo\Cookies\family@www.ticketsnow1[1].txt
   C:\Documents and Settings\zpo\Cookies\family@www.ticketsnow[2].txt
   C:\Documents and Settings\zpo\Cookies\family@xml.bravenetmedianetwork[1].txt
   C:\Documents and Settings\zpo\Cookies\family@yadro[2].txt
   C:\Documents and Settings\zpo\Cookies\family@z1.adserver[1].txt
   C:\Documents and Settings\zpo\Cookies\family@zedo[2].txt

tjw730

  • Guest
Re: jbhook.dll/svch0st.exe
« Reply #20 on: March 21, 2007, 02:38:11 AM »
Adware.eXact Advertising
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{C36F20AE-6081-496A-B83A-3F6253FA7229}\RP106\A0032039.EXE
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{C36F20AE-6081-496A-B83A-3F6253FA7229}\RP120\A0037261.EXE
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{C36F20AE-6081-496A-B83A-3F6253FA7229}\RP124\A0037495.EXE

Adware.ZToolbar
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{C36F20AE-6081-496A-B83A-3F6253FA7229}\RP130\A0047005.INF

Trojan.Service
   C:\WINDOWS\SYSTEM32\SERVICE.EXE

Trojan.ErrorSafe
   D:\PROGRAM FILES\ERROR SAFE\INSTHELP.EXE
   D:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.1\UERS_9999_N91S2507NETINSTALLER.EXE

Adware.WhenU
   D:\SYSTEM VOLUME INFORMATION\_RESTORE{0534E627-4F14-4105-95EE-858952EC082B}\RP154\A0041960.EXE
   D:\SYSTEM VOLUME INFORMATION\_RESTORE{C93E01D6-892D-4A91-ADD4-EA2B5266DCF8}\RP27\A0015156.EXE

Adware.IST/SaferScan
   D:\SYSTEM VOLUME INFORMATION\_RESTORE{0534E627-4F14-4105-95EE-858952EC082B}\RP215\A0063441.EXE





And the new HijackThis log...

Logfile of HijackThis v1.99.1
Scan saved at 12:35:06 PM, on 21/03/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
c:\programs\Avast4\aswUpdSv.exe
D:\WINDOWS\ATKKBService.exe
c:\programs\Avast4\ashServ.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\SOUNDMAN.EXE
C:\programs\Avast4\ashDisp.exe
D:\Program Files\Java\jre1.6.0\bin\jusched.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\programs\DAEMON Tools\daemon.exe
C:\Programs\TASKBA~1\TaskBar.exe
D:\Program Files\AIM95\aim.exe
C:\programs\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\WINDOWS\System32\wuauclt.exe
c:\programs\Avast4\ashWebSv.exe
D:\Program Files\internet explorer\iexplore.exe
C:\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - D:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [avast!] c:\programs\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\programs\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\programs\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools] "C:\programs\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Taskbar Hide] C:\Programs\TASKBA~1\TaskBar.exe -Start
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\programs\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www4.snapfish.com.au/SnapfishActivia.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O20 - Winlogon Notify: !SASWinLogon - C:\programs\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - c:\programs\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - D:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - Unknown owner - c:\programs\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - c:\programs\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - c:\programs\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe


Offline Lisandro

  • Avast team
Re: jbhook.dll/svch0st.exe
« Reply #21 on: March 21, 2007, 03:14:55 AM »
Please:
1. Disable System Restore, clean your temporary files, boot.
2. Schedule a boot time scanning with avast. Boot.
3. Download, install, update and run trojan removers: a-squared and AVGas.  ;)

tjw730

  • Guest
Re: jbhook.dll/svch0st.exe
« Reply #22 on: March 21, 2007, 04:25:18 AM »
I had already disabled System Restore, cleared temp files and run boot-time scans before approaching the forums, and have run several since...

Downloading the recommended software as we speak

tjw730

  • Guest
Re: jbhook.dll/svch0st.exe
« Reply #23 on: March 21, 2007, 11:49:26 AM »
I ran the recommended software, which found some adware and a few pieces of malware... nothing outrageous, however.

Spiritsongs

  • Guest
Sun Java Version
« Reply #24 on: March 21, 2007, 05:02:42 PM »
 :)  Hi tjw :

     Your HijackThis log indicates your operating system is XP SP1;
     therefore the appropriate Sun Java for that is the 1.5 series, NOT
     the 1.6 series your HijackThis log indicates you have. Therefore,
     uninstall ALL versions of Sun Java on your computer, then go to
     www.java.com to get the latest (1.5 series) for your computer.

     And to have the HijackThis program work at its best, you should RENAME
     "HijackThis.exe" to something like "HijackThat.exe", then run a scan
     and post its log.
« Last Edit: March 21, 2007, 05:18:05 PM by Spiritsongs »

Offline DavidR

  • Avast Überevangelist
Re: jbhook.dll/svch0st.exe
« Reply #25 on: March 21, 2007, 05:32:46 PM »
Not only that: because only XP SP1 is installed, you can't get any security updates after June this year (I think), nor can you get IE6 SP2 or IE7, both of which close many security vulnerabilities, as they require XP SP2.

tjw730

  • Guest
Re: jbhook.dll/svch0st.exe
« Reply #26 on: March 21, 2007, 11:13:24 PM »
Yes, well, I got SP2 three times and every time it crashed my computer and I had to reboot it and reinstall Windows, and I'm not gonna bother with all that crap again...

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
Re: jbhook.dll/svch0st.exe
« Reply #27 on: March 21, 2007, 11:39:18 PM »
The reason SP2 was crashing was that you had malware on your system. You really do need to be clean before installing it.

tjw730

  • Guest
Re: jbhook.dll/svch0st.exe
« Reply #28 on: March 22, 2007, 02:07:18 AM »
Cheers essexboy; again, thanks for all your help thus far. Just wondering, is everything else sweet on my PC now?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
Re: jbhook.dll/svch0st.exe
« Reply #29 on: March 23, 2007, 12:14:56 AM »
You look good to go for SP2  ;D