Computer infected with viruses!! Please help
vpeternal
Junior Member
26. March 2006 @ 11:59
Please help me. A notification keeps popping up saying that I'm infected with a virus. I try to clean it, but it still keeps popping up. I read some threads about this, so I've got my log right here. Please help me.
Logfile of HijackThis v1.99.1
Scan saved at 1:51:18 PM, on 3/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PeerGuardian pr14\PeerGuardian_1.99b_pr14.exe
C:\Program Files\?icrosoft\??rvices.exe
C:\Program Files\Abyss Web Server\abyssws.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\Abyss Web Server\abyssws.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\aim\aim.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.162.1.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r2.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r2.attbi.com;<local>
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: BestOffers Shopping v1.20 - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - C:\Program Files\TBONAS\TBONlchr.dll (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\LOCPHA~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [oakley] C:\WINDOWS\System32\oakley.exe
O4 - HKCU\..\Run: [msvcrt] C:\WINDOWS\System32\msvcrt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian pr14\PeerGuardian_1.99b_pr14.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Qbimme] C:\Program Files\?icrosoft\??rvices.exe
O4 - HKCU\..\Run: [AbyssWebServer] C:\Program Files\Abyss Web Server\abyssws.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {2ED18548-033C-4ADE-A17F-3A1E07396A6B} (IceCastPlayer Control) - http://www.ice.pe.kr/IceCastPlayerX.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple...
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autoc...
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: winszd32 - C:\WINDOWS\SYSTEM32\winszd32.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Staff Member
26. March 2006 @ 12:30
First off, uninstall that toolbar. Second, boot to Safe Mode and clean out all temp files, then run your virus scan of choice and then your spyware scan of choice.
vpeternal
Junior Member
26. March 2006 @ 14:13
I uninstalled the toolbar. Now the Safe Mode part: I'm not really sure how to do that and I don't want to mess anything up. Can you please tell me the steps?
Thanks a lot
Staff Member
26. March 2006 @ 14:37
Restart the PC, and as soon as it restarts, start hitting F8; then, when the boot screen loads, select "Safe Mode".
vpeternal
Junior Member
26. March 2006 @ 16:23
Hmm, after I did that, I restarted the computer and it booted normally.
The notification still pops up and it installs SpyFalcon automatically.
I uninstall it, but it keeps installing again.
Please help.
Here's another log. I think it changed a bit after your step.
Logfile of HijackThis v1.99.1
Scan saved at 6:21:32 PM, on 3/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PeerGuardian pr14\PeerGuardian_1.99b_pr14.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.162.1.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r2.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r2.attbi.com;<local>
O3 - Toolbar: BestOffers Shopping v1.20 - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - C:\Program Files\TBONAS\TBONlchr.dll (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [SpyFalcon] C:\Program Files\SpyFalcon\SpyFalcon.exe /h
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\LOCPHA~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [oakley] C:\WINDOWS\System32\oakley.exe
O4 - HKCU\..\Run: [msvcrt] C:\WINDOWS\System32\msvcrt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian pr14\PeerGuardian_1.99b_pr14.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Qbimme] C:\Program Files\?icrosoft\??rvices.exe
O4 - HKCU\..\Run: [AbyssWebServer] C:\Program Files\Abyss Web Server\abyssws.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {2ED18548-033C-4ADE-A17F-3A1E07396A6B} (IceCastPlayer Control) - http://www.ice.pe.kr/IceCastPlayerX.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple...
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autoc...
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: winszd32 - winszd32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Thanks

Senior Member
26. March 2006 @ 20:11
@DVDBack23:
This one needs some special treatment...
@vpeternal:
Hi, you have more infections than just SpyFalcon... =)
Cleaning instructions:
1. Update your Ewido. Do NOT run a scan yet.
2. Download smitrem to your desktop -> http://noahdfear.geekstogo.com/click%20counter/click.php?id=1 Double-click it and press Start; a smitrem folder appears on the desktop.
3. Download ATF Cleaner by Atribune to your desktop -> http://www.atribune.org/ccount/click.php?id=1 Do NOT run it yet.
4. Download Protocolfix to your desktop -> http://downloads.subratam.org/Fix-Protocol-zones-ranges.reg When downloaded, double-click it and press Yes and OK.
5. Download FixSF.reg to your desktop -> http://www.bleepingcomputer.com/files/reg/FixSF.reg Double-click it and answer Yes to any questions.
6. Restart your computer into Safe Mode (press the F8 key while the computer is starting and choose Safe Mode).
7. Go to Control Panel -> Add or Remove Programs -> Remove if found: SpyFalcon (IF you are asked to restart your computer, DO NOT restart.)
8. Run HijackThis and fix these entries (if found): (Do a system scan only, check the entries, close all other windows, press Fix checked)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O3 - Toolbar: BestOffers Shopping v1.20 - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - C:\Program Files\TBONAS\TBONlchr.dll (file missing)
O4 - HKLM\..\Run: [SpyFalcon] C:\Program Files\SpyFalcon\SpyFalcon.exe /h
O4 - HKCU\..\Run: [oakley] C:\WINDOWS\System32\oakley.exe
O4 - HKCU\..\Run: [msvcrt] C:\WINDOWS\System32\msvcrt.exe
O4 - HKCU\..\Run: [Qbimme] C:\Program Files\?icrosoft\??rvices.exe
O16 - DPF: {2ED18548-033C-4ADE-A17F-3A1E07396A6B} (IceCastPlayer Control) - http://www.ice.pe.kr/IceCastPlayerX.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O20 - Winlogon Notify: winszd32 - winszd32.dll (file missing)
9. Go to the smitrem folder on your desktop, run the RunThis.bat file and follow the instructions.
10. Run ATF Cleaner -> Check Select All -> Press Empty Selected
Make your hidden files visible:
-> On the Tools menu in Windows Explorer, click Folder Options.
-> Click the View tab.
-> Under Hidden files and folders, click Show hidden files and folders.
11. Delete these files if found:
C:\Program Files\?icrosoft\-->??rvices.exe
C:\WINDOWS\System32\-->msvcrt.exe
C:\WINDOWS\System32\-->oakley.exe
C:\Windows\System32\-->dxmpp.dll
C:\WINDOWS\system32\-->ginuerep.dll
12. Delete these folders if found:
C:\Program Files\-->TBONAS
C:\Program Files\-->SpyFalcon
13. Use the Windows "search" function (make sure that you search in hidden files and folders and in system folders too).
Search for this and delete it if found: winszd32.dll
14. Empty the Recycle Bin.
15. Make your hidden files invisible again:
-> On the Tools menu in Windows Explorer, click Folder Options.
-> Click the View tab.
-> Under Hidden files and folders, click Do not show hidden files and folders.
16. Scan your computer with Ewido, let it remove what it finds, and save the report.
17. Restart your computer normally.
18. Post the following logs here and we'll see if you are clean:
-> a new HijackThis log,
-> Ewido's log, and
-> the log from C:\smitfiles.txt
I have moved from AD, I won't be taking new HijackThis logs from here. Reason: the AD's unsupportive atmosphere.
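The cleaning list above was written by hand from the posted log. As an added example (not code from the thread or from any of its posters), the Python below applies the same triage rules to HijackThis-style lines so they can be re-run against a fresh log: an entry whose target is "(file missing)" or "(no file)" is an orphan to fix; an O4 Run path containing "?" is a look-alike directory, because "?" is not a legal character in a Windows path, so the log printed it in place of a character it could not render (the "?icrosoft\??rvices.exe" entry); a System32 executable that borrows the name of a Windows DLL (msvcrt, oakley) is masquerading; O15 protocol defaults in the Trusted Zone, O16 ActiveX downloads from hosts outside an allowlist, O20 Winlogon Notify packages outside an allowlist, and R1 proxy or PAC settings are flagged for review. The sets SYSTEM_DLL_STEMS, KNOWN_NOTIFY and TRUSTED_DPF_HOSTS and the SAMPLE_LOG lines are assumptions constructed for this example, modelled on the log posted above.

```python
"""Triage heuristics for HijackThis-style log lines (added example, not from the thread)."""
import ipaddress
import re
from urllib.parse import urlparse

# Assumption: names of Windows DLLs that malware reuses for a look-alike .exe in System32.
SYSTEM_DLL_STEMS = {"msvcrt", "oakley", "kernel32", "ntdll", "user32", "advapi32"}
# Assumption: Winlogon Notify packages judged legitimate on this machine (tune per host).
KNOWN_NOTIFY = {"igfxcui", "wrnotifier", "wb"}
# Assumption: ActiveX download hosts the helper left alone in the log above.
TRUSTED_DPF_HOSTS = {"a1540.g.akamai.net", "us.dl1.yimg.com"}

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)")
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|dll))', re.IGNORECASE)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample modelled on the log posted above (not the full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.162.1.1
O3 - Toolbar: BestOffers Shopping v1.20 - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - C:\Program Files\TBONAS\TBONlchr.dll (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [oakley] C:\WINDOWS\System32\oakley.exe
O4 - HKCU\..\Run: [msvcrt] C:\WINDOWS\System32\msvcrt.exe
O4 - HKCU\..\Run: [Qbimme] C:\Program Files\?icrosoft\??rvices.exe
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winszd32 - winszd32.dll (file missing)
"""


def _finding(level, sec, reason, line):
    return {"level": level, "section": sec, "reason": reason, "line": line}


def triage(log_text):
    """Return one finding dict per suspicious line; clean lines produce nothing."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")

        if "(file missing)" in body or "(no file)" in body:
            findings.append(_finding("fix", sec, "orphaned entry: target no longer exists", line))
            continue  # nothing left on disk to inspect

        if sec == "O4":
            run = RUN_RE.search(body)
            pm = PATH_RE.search(run.group("cmd") if run else body)
            if pm:
                path = pm.group("path")
                # '?' cannot occur in a Windows path, so one in the log stands for a character
                # the log could not render: a look-alike folder such as "?icrosoft".
                if "?" in path or any(ord(c) > 127 for c in path):
                    findings.append(_finding("malicious", sec, f"look-alike path (unrenderable chars): {path}", line))
                stem = path.rsplit("\\", 1)[-1].lower()
                if stem.endswith(".exe") and stem[:-4] in SYSTEM_DLL_STEMS and "\\system32\\" in path.lower():
                    findings.append(_finding("malicious", sec, f"executable named after a system DLL: {stem}", line))

        elif sec == "O15" and "Trusted Zone" in body:
            findings.append(_finding("fix", sec, "protocol default moved into Trusted Zone", line))

        elif sec == "O16":
            url = body.rsplit(" - ", 1)[-1]
            host = (urlparse(url).hostname or "").lower()
            if host not in TRUSTED_DPF_HOSTS:
                findings.append(_finding("review", sec, f"ActiveX control downloaded from {host}", line))

        elif sec == "O20":
            # Shape: "Winlogon Notify: <package> - <dll path>"
            name = body.split(":", 1)[1].split(" - ", 1)[0].strip().lower()
            if name not in KNOWN_NOTIFY:
                findings.append(_finding("review", sec, f"unknown Winlogon Notify package: {name}", line))

        elif sec == "R1" and ("AutoConfigURL" in body or "ProxyServer" in body):
            note = "proxy/PAC configured"
            ip = IP_RE.search(body)
            if ip:
                try:
                    if not ipaddress.ip_address(ip.group(1)).is_private:
                        note += f"; {ip.group(1)} is not an RFC 1918 address"
                except ValueError:
                    pass
            findings.append(_finding("review", sec, note, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['level']:>9}] {f['section']}: {f['reason']}")
```

`triage()` returns one dict per finding and the `__main__` block prints them for the sample. The "review" level is deliberately weaker than "malicious": the PAC check only notes that 192.162.1.1 lies outside the private ranges (it is not 192.168.1.1), which is a prompt to verify the setting with the owner, not a verdict, and the same goes for ActiveX hosts and Notify packages missing from the allowlists.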
Staff Member
27. March 2006 @ 07:03
Quote: @DVDBack23:
This one needs some special treatment...
Alright, glad you could help him; I'm not very good at reading HijackThis logs yet ;)
vpeternal
Junior Member
27. March 2006 @ 12:36
Wow, help from the pros =). Thanks, I just got home from school and I'm happy to read this; I will do this soon. Again, thanks a lot guys.
vpeternal
Junior Member
27. March 2006 @ 18:19
Here are my new logs
Logfile of HijackThis v1.99.1
Scan saved at 8:17:32 PM, on 3/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PeerGuardian pr14\PeerGuardian_1.99b_pr14.exe
C:\Program Files\Abyss Web Server\abyssws.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\Abyss Web Server\abyssws.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.162.1.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r2.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r2.attbi.com;<local>
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\LOCPHA~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [oakley] C:\WINDOWS\System32\oakley.exe
O4 - HKCU\..\Run: [msvcrt] C:\WINDOWS\System32\msvcrt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian pr14\PeerGuardian_1.99b_pr14.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Qbimme] C:\Program Files\?icrosoft\??rvices.exe
O4 - HKCU\..\Run: [AbyssWebServer] C:\Program Files\Abyss Web Server\abyssws.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple...
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autoc...
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 8:04:54 PM, 3/27/2006
+ Report-Checksum: 1C1487A6
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{7FD44536-9DF0-4034-939F-5BD4D98E3187} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.93:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.98:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.99:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.106:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.107:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.115:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.116:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.118:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.119:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.120:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.121:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.122:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.123:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.124:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.125:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.126:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.127:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.128:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.129:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.130:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.131:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.132:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.133:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.134:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.135:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.136:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.137:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup
:mozilla.138:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup
:mozilla.139:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup
:mozilla.140:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup
:mozilla.167:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.171:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.172:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.174:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.175:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.176:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.177:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.178:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.179:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.180:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.181:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.182:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.189:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.190:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.191:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.192:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.193:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.209:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned with backup
:mozilla.216:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.217:C:\Documents and Settings\Loc Phan\Application Data\Mozilla\Firefox\Profiles\1u66ac2h.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Loc Phan\Cookies\loc phan@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\HJT\backups\backup-20060327-183744-323.dll -> Adware.MediaTickets : Cleaned with backup
C:\Program Files\etea\rpen.exe -> Downloader.PurityScan.bu : Cleaned with backup
C:\WINDOWS\dinst.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\gdnUS2339.exe -> Downloader.Small.ayl : Cleaned with backup
C:\WINDOWS\Nail.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\svcproc.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\dbrghn.exe -> Trojan.Agent.ay : Cleaned with backup
C:\WINDOWS\system32\dfrgsrv.exe -> Downloader.Zlob.jd : Cleaned with backup
C:\WINDOWS\system32\DrPMon.dll -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\interf.tlb -> Downloader.Zlob.jh : Cleaned with backup
C:\WINDOWS\system32\oins.exe -> Dropper.PurityScan.ad : Cleaned with backup
C:\WINDOWS\system32\sysupd1003.exe -> Hijacker.Small.an : Cleaned with backup
C:\WINDOWS\ucjetwkqok.exe -> Adware.Bestofer : Cleaned with backup
C:\WINDOWS\YAXUninst.exe -> Adware.MediaTickets : Cleaned with backup
::Report End

vpeternal
Junior Member
27. March 2006 @ 18:24
forgot this.
smitRem © log file
version 2.8
by noahdfear
Microsoft Windows XP [Version 5.1.2600]
The current date is: Mon 03/27/2006
The current time is: 18:39:24.18
Running from
C:\Documents and Settings\Loc Phan\Desktop\smitRem
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pre-run SharedTask Export
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com
Registry Pseudo-Format Mode (Not a valid reg file):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
checking for ShudderLTD key
ShudderLTD key not present!
checking for PSGuard.com key
PSGuard.com key not present!
checking for WinHound.com key
WinHound.com key not present!
spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Existing Pre-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
Online Security Guide.url
Security Troubleshooting.url
~~~ Favorites ~~~
~~~ system32 folder ~~~
1024 dir
mssearchnet.exe
ncompat.tlb
nvctrl.exe
logfiles
~~~ Icons in System32 ~~~
ot.ico
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 824 'explorer.exe'
Killing PID 824 'explorer.exe'
Starting registry repairs
Registry repairs complete
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SharedTask Export after registry fix
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com
Registry Pseudo-Format Mode (Not a valid reg file):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Deleting files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Remaining Post-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~ Wininet.dll ~~~
CLEAN! :)

Senior Member
28. March 2006 @ 02:29
Ok, not clean yet.
Restart your computer in safe mode (press the F8 key while the computer is starting and choose Safe Mode).
Run HijackThis and fix these entries (if found): (do a system scan only, check the entries, close all other windows, press Fix checked)
O4 - HKCU\..\Run: [oakley] C:\WINDOWS\System32\oakley.exe
O4 - HKCU\..\Run: [msvcrt] C:\WINDOWS\System32\msvcrt.exe
O4 - HKCU\..\Run: [Qbimme] C:\Program Files\?icrosoft\??rvices.exe
Make your hidden files visible:
->On the Tools menu in Windows Explorer, click Folder Options.
->Click the View tab.
->Under Hidden files and folders, click Show hidden files and folders.
Delete these files:
C:\WINDOWS\System32\-->oakley.exe
C:\WINDOWS\System32\-->msvcrt.exe
C:\Program Files\?icrosoft\-->??rvices.exe (Probably C:\Program Files\Microsoft\services.exe)
C:\Windows\System32\-->dxmpp.dll
C:\WINDOWS\system32\-->ginuerep.dll
Empty the Recycle Bin
Make your hidden files invisible again:
->On the Tools menu in Windows Explorer, click Folder Options.
->Click the View tab.
->Under Hidden files and folders, click Do not show hidden files and folders.
Scan your computer again with Ewido, let it remove what it finds and save the report.
Restart your computer normally.
Post Ewido's log and a new HijackThis log.
I have moved from AD, I won't be taking new HijackThis logs from here. Reason: the AD's unsupportive atmosphere.

vpeternal
Junior Member
28. March 2006 @ 13:28
Hmm, I looked for them on my last scan but didn't see them. I might have skipped them somehow, but I'll do it again to make sure.
Thanks a lot for the help, JaPK.

Senior Member
28. March 2006 @ 19:46
Ok, but when you have done that, post a new Ewido log and a new HijackThis log. If they won't go away, we'll use a stronger tool...

vpeternal
Junior Member
31. March 2006 @ 14:30
Hmm, I've been trying to find those files but I can't seem to find them.
I found some of those files, but not the .exe ones, only .dll.

Senior Member
31. March 2006 @ 19:59
It is okay if you can't find those files. There are some system files that may look the same as those files, but leave those alone. Scan your computer again with Ewido, let it remove what it finds and save the report.
Post Ewido's log and a new HijackThis log here and we'll see if we should use a stronger tool.

vpeternal
Junior Member
5. April 2006 @ 16:42
Hi, sorry, I've been kind of busy.
But here's the HijackThis log; I didn't do the Ewido scan yet. Can you check if there's anything bad in the HijackThis log apart from those files I couldn't find?
Logfile of HijackThis v1.99.1
Scan saved at 5:39:58 PM, on 4/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PeerGuardian pr14\PeerGuardian_1.99b_pr14.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.162.1.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r2.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r2.attbi.com;<local>
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\LOCPHA~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [oakley] C:\WINDOWS\System32\oakley.exe
O4 - HKCU\..\Run: [msvcrt] C:\WINDOWS\System32\msvcrt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian pr14\PeerGuardian_1.99b_pr14.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Qbimme] C:\Program Files\?icrosoft\??rvices.exe
O4 - HKCU\..\Run: [AbyssWebServer] C:\Program Files\Abyss Web Server\abyssws.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple...
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autoc...
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Thanks a lot.

Senior Member
5. April 2006 @ 19:43
Ok, let's get you cleaned.
Download Killbox to your desktop -> http://www.downloads.subratam.org/KillBox.zip and unzip it to your desktop.
Fix these entries with HijackThis:
O4 - HKCU\..\Run: [oakley] C:\WINDOWS\System32\oakley.exe
O4 - HKCU\..\Run: [msvcrt] C:\WINDOWS\System32\msvcrt.exe
O4 - HKCU\..\Run: [Qbimme] C:\Program Files\?icrosoft\??rvices.exe
Run Killbox.exe
-> Choose Delete on Reboot
-> Click All Files option.
Copy the following lines to your clipboard (select the text with your mouse, then press CTRL+C or choose Copy):
C:\WINDOWS\System32\oakley.exe
C:\WINDOWS\System32\msvcrt.exe
C:\Program Files\Microsoft\services.exe
Then go back to Killbox
-> go to File
-> choose Paste from Clipboard
-> Click the red-white Delete File option.
-> Click Yes to Delete on Reboot question
-> Click OK to any PendingFileRenameOperations requests (and tell me if you get any of these!)
-> Restart your computer if Killbox won't do it.
(If you get this error when running Killbox: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid.", download Missingfilessetup.exe from here to your desktop and run the file, then try running Killbox again -> http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe)
Update and run a scan with Ewido, clean what it finds, save the log.
Post a new HijackThis log and Ewido's log here and we'll see if you're clean.
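As an added example, not a tool from the thread and not part of HijackThis or Ewido: a Python triage script that parses the O4 autostart lines of a HijackThis log, flags the tells behind the entries the helper asked to fix (the '?' placeholders HijackThis prints for non-ANSI look-alike characters in `?icrosoft\??rvices.exe`, and an .exe borrowing a system DLL name like msvcrt.exe), and lists which entries survived from one posted log to the next. The heuristics, helper names and the two log excerpts are mine; the excerpts are constructed from entries that appear in this thread.

```python
"""Triage helper for HijackThis v1.99.1 logs (added example, not a tool from the thread).
Parses O4 autostart lines, flags the tells behind the entries the helper asked to
fix, and lists which entries survived from one log to the next."""
from __future__ import annotations

import fnmatch
import re
from dataclasses import dataclass

# Shape of an O4 line:  O4 - HKCU\..\Run: [Qbimme] C:\Program Files\?icrosoft\??rvices.exe
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Executable path at the front of a logged command, quoted or not, arguments dropped.
EXT_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|com|scr|pif|bat|cmd))\b', re.I)

# Core Windows binaries that only belong under C:\WINDOWS.
SYSTEM_NAMES = {"services.exe", "lsass.exe", "svchost.exe", "winlogon.exe",
                "smss.exe", "csrss.exe", "explorer.exe", "spoolsv.exe"}
# Stems of well-known system DLLs; a same-named .exe (msvcrt.exe) is no Windows
# component, just a borrowed name.
DLL_STEMS = {"msvcrt", "ntdll", "kernel32", "user32", "advapi32", "shell32"}


@dataclass(frozen=True)
class Autostart:
    key: str   # registry location as HijackThis abbreviates it, e.g. HKCU\..\Run
    name: str  # value name, e.g. Qbimme
    cmd: str   # command line exactly as logged

    @property
    def path(self) -> str:
        """Executable path without surrounding quotes or trailing arguments."""
        m = EXT_RE.match(self.cmd.strip())
        return m["path"] if m else self.cmd.strip().strip('"').split(" ")[0]

    @property
    def basename(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_o4(log_text: str) -> list[Autostart]:
    """Collect every O4 entry from a pasted HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(Autostart(m["key"], m["name"], m["cmd"]))
    return entries


def suspicious_reasons(entry: Autostart) -> list[str]:
    """Heuristics for the tells seen in this thread; an empty list means no tell."""
    reasons = []
    path, name = entry.path, entry.basename
    # '?' is not a legal path character. HijackThis prints it for any character it
    # cannot render, so the real name uses non-ANSI look-alike glyphs, as in
    # '?icrosoft\??rvices.exe' posing as Microsoft\services.exe.
    if "?" in path:
        reasons.append("non-ANSI characters in path (shown as '?')")
    # Treat each '?' as a one-character wildcard and check whether the file name
    # spells a core system binary that lives outside the Windows directory.
    if (any(fnmatch.fnmatchcase(sys_name, name) for sys_name in SYSTEM_NAMES)
            and not path.lower().startswith("c:\\windows\\")):
        reasons.append("system binary name outside C:\\WINDOWS")
    # An .exe named after a system DLL (msvcrt.exe beside the real msvcrt.dll).
    stem, _, ext = name.rpartition(".")
    if ext == "exe" and stem in DLL_STEMS:
        reasons.append(f"{name} borrows the name of system DLL {stem}.dll")
    return reasons


def persisting(before: str, after: str) -> list[Autostart]:
    """O4 entries present in both logs: what survived the clean-up round."""
    earlier = set(parse_o4(before))
    return [e for e in parse_o4(after) if e in earlier]


def triage(before: str, after: str) -> dict[str, list[str]]:
    """Map each surviving entry's value name to the reasons it stands out.
    An empty list (oakley below) means it persisted but matched no heuristic:
    persistence is a prompt to look closer, not a verdict."""
    return {e.name: suspicious_reasons(e) for e in persisting(before, after)}


# Constructed excerpts modelled on the two HijackThis logs posted in the thread.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [oakley] C:\WINDOWS\System32\oakley.exe
O4 - HKCU\..\Run: [msvcrt] C:\WINDOWS\System32\msvcrt.exe
O4 - HKCU\..\Run: [Qbimme] C:\Program Files\?icrosoft\??rvices.exe
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [oakley] C:\WINDOWS\System32\oakley.exe
O4 - HKCU\..\Run: [msvcrt] C:\WINDOWS\System32\msvcrt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Qbimme] C:\Program Files\?icrosoft\??rvices.exe
"""

if __name__ == "__main__":
    for value_name, why in triage(LOG_BEFORE, LOG_AFTER).items():
        print(f"{value_name:18} {'; '.join(why) or 'persisted, no heuristic hit'}")
```

Running it lists Zone Labs Client and oakley as persisting with no heuristic hit, msvcrt for the borrowed DLL name, and Qbimme for both the '?' glyphs and the out-of-place services.exe name.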