TOPSECURITYSITE.NET??
NatashaK
Newbie
10. June 2006 @ 18:41
Hi Guys,

Can anyone help me with this problem?

The home page refuses to change from www.topsecuritysite.net in IE
An "Alert" message keeps popping up in my task bar telling me I've got a virus on my computer - when clicked on it takes me to the AntiVirusGolden website.
And various popups refuse to stop - even when I'm not connected to the internet

Here is my hijack this log:
Logfile of HijackThis v1.99.1
Scan saved at 10:33:57 PM, on 11/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\atmclk.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\a4833d85.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\system32\hp100.tmp
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [a4833d85.exe] C:\WINDOWS\system32\a4833d85.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [a4833d85.exe] C:\Documents and Settings\Bakul\Local Settings\Application Data\a4833d85.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: winrkq32 - C:\WINDOWS\SYSTEM32\winrkq32.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe

I'd appreciate any help I can get. Let me know if you need any more info to sort this out.

Thanks so much!!

**Natasha**
Senior Member
10. June 2006 @ 22:07
Ok you got some infections....

Download SmitfraudFix.zip to your desktop -> http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Unzip it (folder named SmitFraudFix) to your desktop:

Open the folder SmitfraudFix and doubleclick smitfraudfix.cmd
Choose option #1 - Search by typing 1 and pressing "Enter"; a textfile opens and lists the infected files (if those exist)

Post the contents of this textfile to here.

(Some antiviruses recognise process.exe as malware. It is not malware, it is a program that stops processes)

Then we'll start the cleaning...

I have moved from AD, I won't be taking new HijackThis logs from here. Reason: The AD's Unsupportive atmosphere.
NatashaK
Newbie
10. June 2006 @ 22:29
Hey,

Here it is:

SmitFraudFix v2.58

Scan done at 2:24:35.49, 12/06/2006
Run from C:\Documents and Settings\Natasha\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\atmclk.exe FOUND !
C:\WINDOWS\system32\dcomcfg.exe FOUND !
C:\WINDOWS\system32\hp???.tmp FOUND !
C:\WINDOWS\system32\hp????.tmp FOUND !
C:\WINDOWS\system32\ld????.tmp FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\regperf.exe FOUND !
C:\WINDOWS\system32\simpole.tlb FOUND !
C:\WINDOWS\system32\stdole3.tlb FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\1024\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Natasha\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Bakul\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{5aaf6542-f4ba-4df4-873d-4902ecbe794c}"="antitragus"

[HKEY_CLASSES_ROOT\CLSID\{5aaf6542-f4ba-4df4-873d-4902ecbe794c}\InProcServer32]
@="C:\WINDOWS\system32\asxbbx.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{5aaf6542-f4ba-4df4-873d-4902ecbe794c}\InProcServer32]
@="C:\WINDOWS\system32\asxbbx.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


Thanks so much!

**Natasha**
Senior Member
10. June 2006 @ 22:41
Hi again NatashaK, let's get you cleaned...

Cleaning instructions:

Download and install Ewido anti-malware -> http://www.ewido.net/en/download
Update it, but do NOT run a scan yet. We'll use it later.

Run HijackThis. Press Do a system scan only, then close all other windows, checkmark the following entries and press Fix checked

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [a4833d85.exe] C:\WINDOWS\system32\a4833d85.exe
O4 - HKCU\..\Run: [a4833d85.exe] C:\Documents and Settings\Bakul\Local Settings\Application Data\a4833d85.exe
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O20 - Winlogon Notify: winrkq32 - C:\WINDOWS\SYSTEM32\winrkq32.dll

Make your hidden files visible -> http://www.bleepingcomputer.com/tutorials/tutorial62.html
Restart your computer to the safemode -> http://www.pchell.com/support/safemode.shtml

Delete these files (if found):
C:\WINDOWS\system32\a4833d85.exe
C:\Documents and Settings\Bakul\Local Settings\Application Data\a4833d85.exe
C:\WINDOWS\SYSTEM32\winrkq32.dll

Clean the Recycle bin and make your hidden files visible again.

When in safemode, open SmitfraudFix folder and doubleclick the file smitfraudfix.cmd
Choose option #2 - Clean by typing 2 and pressing "Enter" in order to remove the infected files.

You are asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove your desktop wallpaper and the infected registry keys.

The tool checks if wininet.dll file is infected. You might be asked to replace the infected .dll (if found); answer "Yes" by typing Y and press "Enter".

The tool might have to restart your computer; if it won't do it, restart your computer back to normal mode.
A textfile will appear after the cleaning process, copy this file and paste it to here.

The log is saved to your local diskdrive, usually C:\rapport.txt.

Warning : Running option 2 in a clean computer will delete your desktop wallpaper.

Scan and clean your computer with Ewido and save the report.

Post the following logs to here:
-> a fresh HijackThis log
-> Ewido's log
-> contents of C:\Rapport.txt

I have moved from AD, I won't be taking new HijackThis logs from here. Reason: The AD's Unsupportive atmosphere.
NatashaK
Newbie
11. June 2006 @ 08:01
Thanks so much!

Here is the Hijack this log:
Logfile of HijackThis v1.99.1
Scan saved at 11:55:19 AM, on 12/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: winrkq32 - C:\WINDOWS\SYSTEM32\winrkq32.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe


The Ewido:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:50:58 AM, 12/06/2006
+ Report-Checksum: 9C61E6A7

+ Scan result:

C:\Documents and Settings\Natasha\Cookies\natasha@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Natasha\Cookies\natasha@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Natasha\Cookies\natasha@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Natasha\Application Data\Mozilla\Firefox\Profiles\map3l5xx.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Natasha\Application Data\Mozilla\Firefox\Profiles\map3l5xx.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup

::Report End

Rapport:
SmitFraudFix v2.58

Scan done at 11:32:59.08, 12/06/2006
Run from C:\Documents and Settings\Natasha\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{5aaf6542-f4ba-4df4-873d-4902ecbe794c}"="antitragus"

[HKEY_CLASSES_ROOT\CLSID\{5aaf6542-f4ba-4df4-873d-4902ecbe794c}\InProcServer32]
@="C:\WINDOWS\system32\asxbbx.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{5aaf6542-f4ba-4df4-873d-4902ecbe794c}\InProcServer32]
@="C:\WINDOWS\system32\asxbbx.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\atmclk.exe Deleted
C:\WINDOWS\system32\dcomcfg.exe Deleted
C:\WINDOWS\system32\hp???.tmp Deleted
C:\WINDOWS\system32\ld????.tmp Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\regperf.exe Deleted
C:\WINDOWS\system32\simpole.tlb Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\WINDOWS\system32\1024\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\system32\asxbbx.dll -> Missing File


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Thanks again!

**Natasha**
Senior Member
11. June 2006 @ 08:44
Almost clean...

Ok we'll have to use a stronger tool....

1. Download Avenger -> http://swandog46.geekstogo.com/avenger.zip and unzip it to desktop
2. Copy all text in quote box below to Notepad (starting from Files to delete:)

Quote:
Files to delete:
C:\WINDOWS\SYSTEM32\winrkq32.dll

Notice: This script is for this user. If you aren't that user, DON'T follow these instructions, because they might harm your system

3. Now, open The Avenger
-> "Below Script file to execute" select "Input Script Manually".
-> Now click magnifying glass which opens a new window "View/edit script".
-> Paste the text you earlier copied to Notepad here
-> Click Done.
-> Now click green light in order to start script.
-> Click "Yes".

4. Avenger will do the following
-> Reboot your computer.
-> While booting, it will open a dos prompt, it's normal
-> After reboot it will create a logfile which should open. This log is in C:\avenger.txt
-> Avenger has created a backup here -> C:\avenger\backup.zip.

5. Copy/paste contents of avenger.txt along with a fresh HjT-log.

I have moved from AD, I won't be taking new HijackThis logs from here. Reason: The AD's Unsupportive atmosphere.
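The two cross-checks this exchange depends on, reading a HijackThis log next to the SmitfraudFix search report and then checking a follow-up log for entries that were meant to be fixed, can be scripted. The following is an added example, not part of the thread or of either tool; the function names are made up for illustration and the sample data is a short excerpt of the logs posted above.

```python
import re

# HijackThis entries look like "O4 - HKLM\..\Run: [name] path" or "R0 - ...".
ENTRY_RE = re.compile(r"^[A-Z]\d{1,2} - .+$")
# The SmitfraudFix search report marks each hit as "<path> FOUND !".
FOUND_RE = re.compile(r"^([A-Za-z]:\\.+?)\s+FOUND\s*!$")


def parse_hijackthis(text):
    """Split a HijackThis log into (running process paths, entry lines)."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_procs = True
        elif ENTRY_RE.match(line):
            in_procs = False
            entries.append(line)
        elif in_procs and line:
            processes.append(line)
        elif not line:
            in_procs = False
    return processes, entries


def parse_found(report):
    """Return the paths (possibly containing '?' wildcards) reported as FOUND."""
    found = []
    for raw in report.splitlines():
        m = FOUND_RE.match(raw.strip())
        if m:
            found.append(m.group(1))
    return found


def pattern_to_regex(pattern):
    """'?' stands for exactly one character; paths compare case-insensitively."""
    body = "".join(r"[^\\]" if ch == "?" else re.escape(ch) for ch in pattern)
    # A file name must end where the pattern ends; a directory may continue.
    tail = "" if pattern.endswith("\\") else r"(?![\w.])"
    return re.compile(body + tail, re.I)


def correlate(found_patterns, processes, entries):
    """List HijackThis lines that reference a file from the FOUND report."""
    regexes = [pattern_to_regex(p) for p in found_patterns]
    hits = []
    for kind, lines in (("process", processes), ("entry", entries)):
        for line in lines:
            if any(rx.search(line) for rx in regexes):
                hits.append((kind, line))
    return hits


def normalize(line):
    return " ".join(line.split()).casefold()


def survivors(fix_list_text, followup_log_text):
    """Entries from the fix list that still appear in a follow-up log."""
    _, entries = parse_hijackthis(followup_log_text)
    present = {normalize(e) for e in entries}
    wanted = [l.strip() for l in fix_list_text.splitlines() if l.strip()]
    return [l for l in wanted if normalize(l) in present]


# Sample data: excerpts of the logs posted in this thread.
FIRST_LOG_EXCERPT = r"""
Running processes:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\atmclk.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\WINDOWS\system32\a4833d85.exe

O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\system32\hp100.tmp
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [a4833d85.exe] C:\WINDOWS\system32\a4833d85.exe
O20 - Winlogon Notify: winrkq32 - C:\WINDOWS\SYSTEM32\winrkq32.dll
"""
SMITFRAUD_EXCERPT = r"""
C:\WINDOWS\system32\atmclk.exe FOUND !
C:\WINDOWS\system32\dcomcfg.exe FOUND !
C:\WINDOWS\system32\hp???.tmp FOUND !
C:\WINDOWS\system32\1024\ FOUND !
"""
FIX_LIST = r"""
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [a4833d85.exe] C:\WINDOWS\system32\a4833d85.exe
O4 - HKCU\..\Run: [a4833d85.exe] C:\Documents and Settings\Bakul\Local Settings\Application Data\a4833d85.exe
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O20 - Winlogon Notify: winrkq32 - C:\WINDOWS\SYSTEM32\winrkq32.dll
"""
FOLLOWUP_LOG_EXCERPT = r"""
Running processes:
C:\WINDOWS\system32\lsass.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe

O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: winrkq32 - C:\WINDOWS\SYSTEM32\winrkq32.dll
"""

if __name__ == "__main__":
    procs, ents = parse_hijackthis(FIRST_LOG_EXCERPT)
    for kind, line in correlate(parse_found(SMITFRAUD_EXCERPT), procs, ents):
        print("matches FOUND report:", kind, line)
    for line in survivors(FIX_LIST, FOLLOWUP_LOG_EXCERPT):
        print("still present after fix:", line)
```

On these excerpts it reports the two running processes and the hp100.tmp BHO as matching the search report, and the winrkq32 Winlogon Notify line as the one fix-list entry still present in the follow-up log.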
Torpedo12
Newbie
14. June 2006 @ 02:37
Hi,
I need help too. Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 下午 06:09:03, on 2006/6/14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atmclk.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Inventec\Dreye\DreyeMT\msnplugin.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\zh-tw\bin\WindowsSearch.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\zh-tw\bin\WindowsSearchIndexer.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\altera\quartus42\bin\JTAGServer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
E:\Tool\HijackThis_v1.99.1.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - C:\WINDOWS\winres.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\system32\hp100.tmp
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSN 搜尋工具列 Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1105\zh-tw\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN 搜尋工具列 - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1105\zh-tw\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Dr.eye WebPage Translation - {92B255FE-94E2-4BCA-958D-3926CE38913F} - C:\Program Files\Inventec\Dreye\DreyeMT\DreyeIEBar.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [MSNDreyePlugin] C:\Program Files\Inventec\Dreye\DreyeMT\msnplugin.exe /h
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Google 搜尋(&G) - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: MSN 搜尋(&M) - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1105\zh-tw\msntb.dll/search.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O8 - Extra context menu item: 使用 FlashGet 下載 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 全部使用 FlashGet 下載 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 匯出至 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 反向連結 - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: 在新的前景索引標籤中開啟 - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1105\zh-tw\msntabres.dll/230?5c9af68c907f42789a49cb951aa0424a
O8 - Extra context menu item: 在新的背景索引標籤中開啟 - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1105\zh-tw\msntabres.dll/229?5c9af68c907f42789a49cb951aa0424a
O8 - Extra context menu item: 網頁的快取快照 - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: 翻譯英文字詞(&T) - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: 類似網頁 - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [!CNS] 網路實名
O15 - Trusted Zone: *.i-lookup.com
O15 - Trusted Zone: *.offshoreclicks.com
O15 - Trusted Zone: *.teensguru.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (趨勢科技線上掃毒程式) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9BB75AB3-B0BD-431C-9FE6-6BEA5E1C7656}: NameServer = 192.168.30.160,168.95.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{9BB75AB3-B0BD-431C-9FE6-6BEA5E1C7656}: NameServer = 192.168.30.160,168.95.1.1
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wineil32 - C:\WINDOWS\SYSTEM32\wineil32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Altera JTAG Server (JTAGServer) - Unknown owner - C:\altera\quartus42\bin\JTAGServer.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Senior Member
14. June 2006 @ 07:03
Hi Torpedo12.

Download SmitfraudFix.zip to your desktop -> http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Unzip it (folder named SmitFraudFix) to your desktop:

Open the folder SmitfraudFix and double-click smitfraudfix.cmd
Choose option #1 - Search by typing 1 and pressing "Enter"; a text file opens and lists the infected files (if those exist)

Post the contents of this text file here.

(Some antivirus programs recognise process.exe as malware. It is not malware, it is a program that stops processes.)


I have moved from AD, I won't be taking new HijackThis logs from here. Reason: The AD's Unsupportive atmosphere.
searay185
Newbie
16. June 2006 @ 04:09
Sorry to be a bother... but if I could also get some help I would much appreciate it... Thank You...

After Running "SmitfraudFix"


SmitFraudFix v2.61

Scan done at 7:47:13.15, Fri 06/16/2006
Run from C:\Documents and Settings\Sleasman Family\Local Settings\Temp\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\ms1.exe FOUND !
C:\WINDOWS\tool1.exe FOUND !
C:\WINDOWS\tool2.exe FOUND !
C:\WINDOWS\tool3.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\atmclk.exe FOUND !
C:\WINDOWS\system32\dcomcfg.exe FOUND !
C:\WINDOWS\system32\hp???.tmp FOUND !
C:\WINDOWS\system32\hp????.tmp FOUND !
C:\WINDOWS\system32\ld????.tmp FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\regperf.exe FOUND !
C:\WINDOWS\system32\simpole.tlb FOUND !
C:\WINDOWS\system32\stdole3.tlb FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\1024\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Sleasman Family\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\SLEASM~1\FAVORI~1

C:\DOCUME~1\SLEASM~1\FAVORI~1\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{0656A137-B161-CADD-9777-E37A75727E78}"="OLE Module"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{5aaf6542-f4ba-4df4-873d-4902ecbe794c}"="antitragus"

[HKEY_CLASSES_ROOT\CLSID\{5aaf6542-f4ba-4df4-873d-4902ecbe794c}\InProcServer32]
@="C:\WINDOWS\System32\asxbbx.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{5aaf6542-f4ba-4df4-873d-4902ecbe794c}\InProcServer32]
@="C:\WINDOWS\System32\asxbbx.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{9ae613a2-a13b-4379-8d0e-86a1a78476ec}"="corindon"

[HKEY_CLASSES_ROOT\CLSID\{9ae613a2-a13b-4379-8d0e-86a1a78476ec}\InProcServer32]
@="C:\WINDOWS\System32\rmzdzx.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{9ae613a2-a13b-4379-8d0e-86a1a78476ec}\InProcServer32]
@="C:\WINDOWS\System32\rmzdzx.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
Torpedo12
Newbie
16. June 2006 @ 06:43
Here it is. Thanks.

SmitFraudFix v2.60

Scan done at 22:39:31.74, 2006/06/16 星期五
Run from C:\Documents and Settings\郭青庭\桌面\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [版本 5.1.2600] - Windows_NT
Fix ran in normal mode

遙遙遙遙遙遙遙遙遙遙遙遙 C:\


遙遙遙遙遙遙遙遙遙遙遙遙 C:\WINNT

C:\WINNT\.protected FOUND !

遙遙遙遙遙遙遙遙遙遙遙遙 C:\WINNT\system


遙遙遙遙遙遙遙遙遙遙遙遙 C:\WINNT\Web


遙遙遙遙遙遙遙遙遙遙遙遙 C:\WINNT\system32

C:\WINNT\system32\atmclk.exe FOUND !
C:\WINNT\system32\dcomcfg.exe FOUND !
C:\WINNT\system32\hp???.tmp FOUND !
C:\WINNT\system32\hp????.tmp FOUND !
C:\WINNT\system32\ld????.tmp FOUND !
C:\WINNT\system32\ot.ico FOUND !
C:\WINNT\system32\regperf.exe FOUND !
C:\WINNT\system32\simpole.tlb FOUND !
C:\WINNT\system32\stdole3.tlb FOUND !
C:\WINNT\system32\ts.ico FOUND !
C:\WINNT\system32\yhbdupd.dll FOUND !
C:\WINNT\system32\1024\ FOUND !

遙遙遙遙遙遙遙遙遙遙遙遙 C:\Documents and Settings\郭青庭\Application Data


遙遙遙遙遙遙遙遙遙遙遙遙 Start Menu


遙遙遙遙遙遙遙遙遙遙遙遙 C:\DOCUME~1\郭青庭\FAVORI~1

C:\DOCUME~1\郭青庭\FAVORI~1\Antivirus Test Online.url FOUND !

遙遙遙遙遙遙遙遙遙遙遙遙 Desktop

C:\DOCUME~1\郭青庭\桌面\Remove Spyware.url FOUND !
C:\DOCUME~1\ALLUSE~1\桌面\Online Security Guide.url FOUND !

遙遙遙遙遙遙遙遙遙遙遙遙 C:\Program Files

C:\Program Files\SpywareQuake.com\ FOUND !

遙遙遙遙遙遙遙遙遙遙遙遙 Corrupted keys


遙遙遙遙遙遙遙遙遙遙遙遙 Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="目前的首頁"


遙遙遙遙遙遙遙遙遙遙遙遙 Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{aea3d2df-2b2c-4d7b-81a0-d975c6dc088e}"="alongshore"

[HKEY_CLASSES_ROOT\CLSID\{aea3d2df-2b2c-4d7b-81a0-d975c6dc088e}\InProcServer32]
@="C:\WINNT\System32\yhbdupd.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{aea3d2df-2b2c-4d7b-81a0-d975c6dc088e}\InProcServer32]
@="C:\WINNT\System32\yhbdupd.dll"


遙遙遙遙遙遙遙遙遙遙遙遙 Scanning wininet.dll infection


遙遙遙遙遙遙遙遙遙遙遙遙 End
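An added example, not part of the thread and not SmitfraudFix's own code: a Python parser for the option-1 report layout posted above. It groups the `FOUND !` lines by section and checks whether each SharedTaskScheduler CLSID's InProcServer32 DLL is itself in the FOUND list, since the report says those keys are "not inevitably infected". The function names and status strings are assumptions; both samples are abridged from the two reports above.

```python
import re

# Abridged from the first report above (lines dropped, none altered).
REPORT_A = r"""
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\atmclk.exe FOUND !
C:\WINDOWS\system32\hp???.tmp FOUND !
C:\WINDOWS\system32\1024\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{0656A137-B161-CADD-9777-E37A75727E78}"="OLE Module"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{5aaf6542-f4ba-4df4-873d-4902ecbe794c}"="antitragus"

[HKEY_CLASSES_ROOT\CLSID\{5aaf6542-f4ba-4df4-873d-4902ecbe794c}\InProcServer32]
@="C:\WINDOWS\System32\asxbbx.dll"

»»»»»»»»»»»»»»»»»»»»»»»» End
"""

# Abridged from the second report above, where the section marker was
# rendered as a different repeated character on the poster's system.
REPORT_B = r"""
遙遙遙遙遙遙遙遙遙遙遙遙 C:\WINNT\system32

C:\WINNT\system32\dcomcfg.exe FOUND !
C:\WINNT\system32\yhbdupd.dll FOUND !

遙遙遙遙遙遙遙遙遙遙遙遙 Sharedtaskscheduler

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{aea3d2df-2b2c-4d7b-81a0-d975c6dc088e}"="alongshore"

[HKEY_CLASSES_ROOT\CLSID\{aea3d2df-2b2c-4d7b-81a0-d975c6dc088e}\InProcServer32]
@="C:\WINNT\System32\yhbdupd.dll"
"""

# A section header is a run of one repeated non-ASCII character, then a title.
HEADER_RE = re.compile(r"^([^\x00-\x7f])\1{5,}\s*(\S.*?)\s*$")
FOUND_RE = re.compile(r"^(.*\S)\s+FOUND !\s*$")
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^(@|"[^"]*")="(.*)"\s*$')
STS_KEY_SUFFIX = r"\explorer\sharedtaskscheduler"
INPROC_RE = re.compile(r"\\CLSID\\(\{[0-9a-f-]+\})\\InProcServer32$", re.I)


def parse_report(text):
    """Return (found, sts): section -> flagged paths, and CLSID -> name/DLLs."""
    found, sts = {}, {}
    section = key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            section, key = m.group(2), None
            found.setdefault(section, [])
            continue
        m = FOUND_RE.match(line)
        if m and section is not None:
            found[section].append(m.group(1))  # may hold ? wildcards as printed
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not (m and key):
            continue
        name, data = m.group(1).strip('"'), m.group(2)
        if key.lower().endswith(STS_KEY_SUFFIX) and name.startswith("{"):
            sts.setdefault(name.lower(), {"name": None, "dlls": []})["name"] = data
            continue
        im = INPROC_RE.search(key)
        if im and name == "@":
            entry = sts.setdefault(im.group(1).lower(), {"name": None, "dlls": []})
            if data not in entry["dlls"]:  # HKCR and HKCU usually repeat the path
                entry["dlls"].append(data)
    return found, sts


def classify_sts(found, sts):
    """Label each SharedTaskScheduler CLSID by how its DLL relates to FOUND lines."""
    # Windows paths are case-insensitive: the report mixes system32 / System32.
    flagged = {p.lower() for paths in found.values() for p in paths}
    result = {}
    for clsid, entry in sts.items():
        if not entry["dlls"]:
            result[clsid] = "no InProcServer32 in report"
        elif any(d.lower() in flagged for d in entry["dlls"]):
            result[clsid] = "DLL also listed as FOUND"
        else:
            result[clsid] = "DLL not in FOUND list"
    return result
```

A CLSID whose DLL is not in the FOUND list is the case the report's own warning covers: it needs checking by other means before anything is removed.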
Senior Member
16. June 2006 @ 07:18
@Torpedo12

You don't have a firewall on your computer. Download and install one firewall.

These are good (free) firewalls:
ZoneAlarm --> http://www.zonelabs.com
Kerio--> http://www.sunbelt-software.com/Kerio.cfm
Outpost-> http://www.agnitum.com

Cleaning instructions:

Delete your old version of smitfraudfix and download the latest version of SmitfraudFix.zip to your desktop -> http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Unzip it (folder named SmitFraudFix) to your desktop.

Download and install Ewido anti-malware -> http://www.ewido.net/en/download
Update it, but do NOT run a scan yet. We'll use it later.

Download CWShredder to your desktop -> http://cwshredder.net/bin/CWShredder.exe
Do not run it yet.

Run HijackThis. Press "Do a system scan only", then close all other windows, checkmark the following entries and press "Fix checked":

O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - C:\WINDOWS\winres.dll
O15 - Trusted Zone: *.i-lookup.com
O15 - Trusted Zone: *.offshoreclicks.com
O15 - Trusted Zone: *.teensguru.com
O20 - Winlogon Notify: wineil32 - C:\WINDOWS\SYSTEM32\wineil32.dll

Make your hidden files visible -> http://www.bleepingcomputer.com/tutorials/tutorial62.html
Restart your computer in safe mode -> http://www.pchell.com/support/safemode.shtml

Run CWShredder and press FIX.

Delete these files (if found):
C:\WINDOWS\winres.dll
C:\WINDOWS\SYSTEM32\wineil32.dll

Scan and clean your computer with Ewido and save the report.

When in safe mode, open the SmitfraudFix folder and double-click the file smitfraudfix.cmd
Choose option #2 - Clean by typing 2 and pressing "Enter" in order to remove the infected files.

You are asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove your desktop wallpaper and the infected registry keys.

The tool checks if wininet.dll file is infected. You might be asked to replace the infected .dll (if found); answer "Yes" by typing Y and press "Enter".

The tool might have to restart your computer; if it doesn't, restart your computer back into normal mode.
A text file will appear after the cleaning process; copy this file and paste it here.

The log is saved to your local disk drive, usually C:\rapport.txt.

Warning: Running option 2 on a clean computer will delete your desktop wallpaper.

Clean the Recycle bin and make your hidden files visible again.

Post the following logs here:
-> a fresh HijackThis log
-> Ewido's log
-> contents of C:\Rapport.txt

-------------------------------------------------------------------------------------------------------
@searay185

OK you got some infections, please post a HijackThis log to here and we'll get you cleaned.

Instructions for HjT posting -> http://forums.afterdawn.com/thread_view.cfm/263784
(steps 3-5)

I have moved from AD, I won't be taking new HijackThis logs from here. Reason: The AD's Unsupportive atmosphere.
Kaleed
Newbie
16. June 2006 @ 15:06
Well I got caught too, sorry for the trouble.


Log...

SmitFraudFix v2.61

Scan done at 19:06:04.40, 16/06/2006
Run from C:\Documents and Settings\Steve\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\atmclk.exe FOUND !
C:\WINDOWS\system32\dcomcfg.exe FOUND !
C:\WINDOWS\system32\hp???.tmp FOUND !
C:\WINDOWS\system32\hp????.tmp FOUND !
C:\WINDOWS\system32\ld????.tmp FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\regperf.exe FOUND !
C:\WINDOWS\system32\simpole.tlb FOUND !
C:\WINDOWS\system32\stdole3.tlb FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\1024\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Steve\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Steve\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{a2cd90b5-e5a2-4aac-a504-c964a6d499df}"="distractible"

[HKEY_CLASSES_ROOT\CLSID\{a2cd90b5-e5a2-4aac-a504-c964a6d499df}\InProcServer32]
@="C:\WINDOWS\system32\yvvdj.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{a2cd90b5-e5a2-4aac-a504-c964a6d499df}\InProcServer32]
@="C:\WINDOWS\system32\yvvdj.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
searay185
Newbie
16. June 2006 @ 17:17
Here is my HijackThis log file...
________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 9:17:08 PM, on 6/16/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atmclk.exe
C:\WINDOWS\System32\dcomcfg.exe
C:\WINDOWS\System32\SK9910DM.EXE
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\b5aeb5a4.exe
C:\Program Files\sder\dees.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\Program Files\ewido\ewidoctrl.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\ewido\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\infectionreport.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM\aim.exe
D:\Pat's Stuff\HijackThis_v1.99.1.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpa.dll/asst.htm
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\System32\hp100.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe"
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Tray Temperature] C:\DOCUME~1\SLEASM~1\LOCALS~1\Temp\MiniBug.exe 1
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [b5aeb5a4.exe] C:\WINDOWS\System32\b5aeb5a4.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PowerPlus] "C:\Program Files\AIM PowerPlus\AIMP.exe"
O4 - HKCU\..\Run: [Ltho] C:\Program Files\sder\dees.exe
O4 - HKCU\..\Run: [b5aeb5a4.exe] C:\Documents and Settings\Sleasman Family\Local Settings\Application Data\b5aeb5a4.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} - http://survey.otxresearch.com/Preloader.dll
O16 - DPF: {130B1A6C-4EE1-1D09-D65C-678A54E5CD10} - http://85.255.113.214/1/gdnUS2338.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c...
O16 - DPF: {1A2D2DCB-562E-07C5-3E31-719265F6CDED} - http://85.255.113.214/1/gdnUS2338.exe
O16 - DPF: {58E0BAD8-FE11-5C8E-226A-414312442E89} - http://85.255.113.214/1/gdnUS2338.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/cl...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/...
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/insaniquar...
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: winubg32 - winubg32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Kaleed
Newbie
16. June 2006 @ 17:47
Here is my hijack log file also..

Logfile of HijackThis v1.99.1
Scan saved at 9:45:54 PM, on 16/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dcomcfg.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ewido anti-malware\SecuritySuite.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Steve\Desktop\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\system32\hp100.tmp
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\efcbaww.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://km.bar.need2find.com/KM/menusearch.html?p=KM
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31...
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/...
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O20 - Winlogon Notify: efcbaww - C:\WINDOWS\SYSTEM32\efcbaww.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winjjq32 - winjjq32.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
blondman
Junior Member
17. June 2006 @ 01:36
Hi there, I'm also infected with a topsecuritysite.net and bargainbuddy, any help would be greatly appreciated!
Senior Member
17. June 2006 @ 04:04
@searay185

Ok, you got some infections on your computer....

Cleaning instructions:

Move HijackThis into its own folder C:\HJT

Download and install Ewido anti-malware -> http://www.ewido.net/en/download
Update it, but do NOT run a scan yet. We'll use it later.

Download ATF Cleaner by Atribune to your desktop -> http://www.atribune.org/ccount/click.php?id=1
Do NOT run yet.

Go to Control Panel -> Add/Remove programs -> Remove ViewPoint, WeatherBug if found

Run HijackThis. Press Do a system scan only, then close all other windows, checkmark the following entries and press Fix checked

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpa.dll/asst.htm
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Tray Temperature] C:\DOCUME~1\SLEASM~1\LOCALS~1\Temp\MiniBug.exe 1
O4 - HKLM\..\Run: [b5aeb5a4.exe] C:\WINDOWS\System32\b5aeb5a4.exe
O4 - HKCU\..\Run: [Ltho] C:\Program Files\sder\dees.exe
O4 - HKCU\..\Run: [b5aeb5a4.exe] C:\Documents and Settings\Sleasman Family\Local Settings\Application Data\b5aeb5a4.exe
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} - http://survey.otxresearch.com/Preloader.dll
O16 - DPF: {130B1A6C-4EE1-1D09-D65C-678A54E5CD10} - http://85.255.113.214/1/gdnUS2338.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c...
O16 - DPF: {1A2D2DCB-562E-07C5-3E31-719265F6CDED} - http://85.255.113.214/1/gdnUS2338.exe
O16 - DPF: {58E0BAD8-FE11-5C8E-226A-414312442E89} - http://85.255.113.214/1/gdnUS2338.exe
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/insaniquar...
O20 - Winlogon Notify: winubg32 - winubg32.dll (file missing)

Make your hidden files visible -> http://www.bleepingcomputer.com/tutorials/tutorial62.html
Restart your computer to the safemode -> http://www.pchell.com/support/safemode.shtml

Delete these folders (if found):
C:\Program Files\Viewpoint
C:\Program Files\sder
C:\Program Files\WeatherBug

Delete these files (if found):
C:\WINDOWS\System32\b5aeb5a4.exe
C:\Documents and Settings\Sleasman Family\Local Settings\Application Data\b5aeb5a4.exe

Run ATF Cleaner -> Check select all -> Press Empty selected

Restart your computer to the safemode and choose your normal user account -> http://www.pchell.com/support/safemode.shtml

When in safemode, open SmitfraudFix folder and doubleclick the file smitfraudfix.cmd
Choose option #2 - Clean by typing 2 and pressing "Enter" in order to remove the infected files.

You are asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove your desktop wallpaper and the infected registry keys.

The tool checks if wininet.dll file is infected. You might be asked to replace the infected .dll (if found); answer "Yes" by typing Y and press "Enter".

The tool might have to restart your computer; if it won't do it, restart your computer back to normal mode.
A textfile will appear after the cleaning process, copy this file and paste it to here.

The log is saved to your local disk drive, usually C:\rapport.txt.

Warning : Running option 2 in a clean computer will delete your desktop wallpaper.

Scan and clean your computer with Ewido and save the report.

Clean the Recycle bin and make your hidden files visible again.

Post the following logs to here:
-> a fresh HijackThis log
-> Ewido's log
-> contents of C:\Rapport.txt

--------------------------------------------------------------------------------------------------------------------

@Kaleed

You don't have a firewall on your computer. Download and install one firewall.

These are good (free) firewalls:
ZoneAlarm --> http://www.zonelabs.com
Kerio--> http://www.sunbelt-software.com/Kerio.cfm
Outpost-> http://www.agnitum.com

Ok, you got some infections on your computer....

Cleaning instructions:

Move HijackThis into its own folder C:\HJT

Download and install Ewido anti-malware -> http://www.ewido.net/en/download
Update it, but do NOT run a scan yet. We'll use it later.

Go to Control Panel -> Add/Remove programs -> Remove RXtoolbar, EmpirePoker if found

Download VundoFix.exe to your desktop -> http://www.atribune.org/ccount/click.php?id=4

* Double-click VundoFix.exe to run it.
* Put a check next to Run VundoFix as a task.
* You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
* When VundoFix re-opens, click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shutdown your computer, click OK.
* Turn your computer back on

Run HijackThis. Press Do a system scan only, then close all other windows, checkmark the following entries and press Fix checked

O8 - Extra context menu item: &Search - http://km.bar.need2find.com/KM/menusearch.html?p=KM
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O20 - Winlogon Notify: winjjq32 - winjjq32.dll (file missing)


Make your hidden files visible -> http://www.bleepingcomputer.com/tutorials/tutorial62.html
Restart your computer to the safemode -> http://www.pchell.com/support/safemode.shtml

Delete these folders (if found):
C:\Program Files\EmpirePoker

Restart your computer to the safemode and choose your normal user account -> http://www.pchell.com/support/safemode.shtml

When in safemode, open SmitfraudFix folder and doubleclick the file smitfraudfix.cmd
Choose option #2 - Clean by typing 2 and pressing "Enter" in order to remove the infected files.

You are asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove your desktop wallpaper and the infected registry keys.

The tool checks if wininet.dll file is infected. You might be asked to replace the infected .dll (if found); answer "Yes" by typing Y and press "Enter".

The tool might have to restart your computer; if it won't do it, restart your computer back to normal mode.
A textfile will appear after the cleaning process, copy this file and paste it to here.

The log is saved to your local disk drive, usually C:\rapport.txt.

Warning : Running option 2 in a clean computer will delete your desktop wallpaper.

Scan and clean your computer with Ewido and save the report.

Clean the Recycle bin and make your hidden files visible again.

Restart your computer normally.

Post the following logs to here:
-> a fresh HijackThis log
-> Ewido's log
-> contents of C:\vundofix.txt
-> contents of C:\Rapport.txt

--------------------------------------------------------------------------------------------------------------------

@blondman

Hi. Download SmitfraudFix.zip to your desktop -> http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Unzip it (folder named SmitFraudFix) to your desktop:

Open the folder SmitfraudFix and doubleclick smitfraudfix.cmd
Choose option #1 - Search by typing 1 and pressing "Enter"; a textfile opens and lists the infected files (if those exist)

Post the contents of this textfile to here.

(Some antivirus programs recognise process.exe as malware. It is not malware, it is a program that stops processes)

Then post a HijackThis log to here. Instructions here -> http://forums.afterdawn.com/thread_view.cfm/263784
(steps 3-5)

I have moved from AD, I won't be taking new HijackThis logs from here. Reason: The AD's Unsupportive atmosphere.
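The entries picked for "Fix checked" in the post above share a few visible patterns: DPF downloads from a bare IP address, autoruns launched from Temp or Application Data, and references to files that no longer exist. The Python sketch below is an added example, not part of the original post or of HijackThis; its rules, reason labels and sample lines are assumptions made for illustration, and the sample log is constructed. It also treats "(file missing)" as unreliable when the path carries a double quote, as on the avast! service lines in this thread, where the same executables appear in the running-process list.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis 1.99.1 line format. CLSIDs, hosts and
# file names are placeholders, not values taken from the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Example] C:\DOCUME~1\User\LOCALS~1\Temp\example.exe 1
O4 - HKCU\..\Run: [Example2] C:\Documents and Settings\User\Local Settings\Application Data\example2.exe
O9 - Extra button: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)
O16 - DPF: {00000000-0000-0000-0000-000000000002} - http://192.0.2.10/1/example.exe
O16 - DPF: {00000000-0000-0000-0000-000000000003} (Example Class) - http://downloads.example.com/viewer.cab
O20 - Winlogon Notify: exampleabc - exampleabc.dll (file missing)
O23 - Service: Example Scanner - Unknown owner - C:\Program Files\Example\scan.exe" /service (file missing)
"""

# "O16 - rest of line": a section code (letter + number), then the entry body.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Directories an unprivileged user (and so unprivileged malware) can write to.
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\applic~1\\")


def parse_entries(log_text):
    """Return (section_code, body) pairs; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def triage(code, body):
    """Return a list of review reasons for one entry (empty list = no rule hit)."""
    reasons = []
    lowered = body.lower()

    if lowered.endswith("(file missing)") or lowered.endswith("(no file)"):
        if '"' in body:
            # A quote in the path means the command line was not split from
            # its arguments, so the existence check cannot be trusted.
            reasons.append("file-missing-unreliable")
        else:
            reasons.append("orphaned-reference")

    if code == "O16":
        found = URL_RE.search(body)
        if found:
            url = urlparse(found.group(0))
            if IPV4_RE.match(url.hostname or ""):
                reasons.append("dpf-from-bare-ip")
            if url.path.lower().endswith(".exe"):
                reasons.append("dpf-is-exe")

    if code == "O4" and any(part in lowered for part in USER_WRITABLE):
        reasons.append("autorun-from-user-writable-dir")

    return reasons


def flag_log(log_text):
    """Map each entry that hit at least one rule to its list of reasons."""
    flagged = {}
    for code, body in parse_entries(log_text):
        reasons = triage(code, body)
        if reasons:
            flagged[f"{code} - {body}"] = reasons
    return flagged


if __name__ == "__main__":
    for entry, reasons in flag_log(SAMPLE_LOG).items():
        print(", ".join(reasons), "|", entry)
```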
blondman
Junior Member
17. June 2006 @ 05:24
SmitFraudFix v2.61

Scan done at 23:23:14.81, Sat 17/06/2006
Run from C:\Documents and Settings\User\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\atmclk.exe FOUND !
C:\WINDOWS\system32\cmd32.exe FOUND !
C:\WINDOWS\system32\dcomcfg.exe FOUND !
C:\WINDOWS\system32\hp???.tmp FOUND !
C:\WINDOWS\system32\hp????.tmp FOUND !
C:\WINDOWS\system32\ld????.tmp FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\regperf.exe FOUND !
C:\WINDOWS\system32\simpole.tlb FOUND !
C:\WINDOWS\system32\stdole3.tlb FOUND !
C:\WINDOWS\system32\1024\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\User\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\User\FAVORI~1

C:\DOCUME~1\User\FAVORI~1\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{a2cd90b5-e5a2-4aac-a504-c964a6d499df}"="distractible"

[HKEY_CLASSES_ROOT\CLSID\{a2cd90b5-e5a2-4aac-a504-c964a6d499df}\InProcServer32]
@="C:\WINDOWS\system32\yvvdj.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{a2cd90b5-e5a2-4aac-a504-c964a6d499df}\InProcServer32]
@="C:\WINDOWS\system32\yvvdj.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
Kaleed
Newbie
17. June 2006 @ 06:26
Logfile of HijackThis v1.99.1
Scan saved at 10:24:06 AM, on 17/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Steve\Desktop\HijackThis_v1.99.1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {9D177C4E-765C-4DCC-8241-7E83DF6CAABB} - C:\WINDOWS\system32\awtst.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31...
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/...
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe



---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:19:49 AM, 17/06/2006
+ Report-Checksum: EF5E9242

+ Scan result:

C:\Documents and Settings\Kaleed\Cookies\kaleed@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\84dmn0un.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\84dmn0un.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Steve\Cookies\steve@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\691E76HW\SysProtectScannerInstall[1].cab/USYP_0001_N76M1005NetInstaller.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\SYSTEM32\efcbaww.dll -> Adware.Virtumonde : Cleaned with backup


::Report End



VundoFix V4.2.84

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.5.0.2

Scan started at 9:23:06 AM 17/06/2006

Listing files found while scanning....


C:\WINDOWS\SYSTEM32\tstwa.bak1
C:\WINDOWS\SYSTEM32\tstwa.ini
C:\WINDOWS\SYSTEM32\awtst.dll
Attempting to delete C:\WINDOWS\SYSTEM32\tstwa.bak1
C:\WINDOWS\SYSTEM32\tstwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\tstwa.ini
C:\WINDOWS\SYSTEM32\tstwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\awtst.dll
C:\WINDOWS\SYSTEM32\awtst.dll Has been deleted!

Performing Repairs to the registry.
Done!


SmitFraudFix v2.61

Scan done at 9:33:44.04, 17/06/2006
Run from C:\Documents and Settings\Steve\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{a2cd90b5-e5a2-4aac-a504-c964a6d499df}"="distractible"

[HKEY_CLASSES_ROOT\CLSID\{a2cd90b5-e5a2-4aac-a504-c964a6d499df}\InProcServer32]
@="C:\WINDOWS\system32\yvvdj.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{a2cd90b5-e5a2-4aac-a504-c964a6d499df}\InProcServer32]
@="C:\WINDOWS\system32\yvvdj.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\dcomcfg.exe Deleted
C:\WINDOWS\system32\hp???.tmp Deleted
C:\WINDOWS\system32\ld????.tmp Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\regperf.exe Deleted
C:\WINDOWS\system32\simpole.tlb Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\WINDOWS\system32\1024\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\system32\yvvdj.dll -> Missing File


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{a2cd90b5-e5a2-4aac-a504-c964a6d499df}"="distractible"

[HKEY_CLASSES_ROOT\CLSID\{a2cd90b5-e5a2-4aac-a504-c964a6d499df}\InProcServer32]
@="C:\WINDOWS\system32\yvvdj.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{a2cd90b5-e5a2-4aac-a504-c964a6d499df}\InProcServer32]
@="C:\WINDOWS\system32\yvvdj.dll"



»»»»»»»»»»»»»»»»»»»»»»»» End



Thanks so much for the help!
Lowe017
Newbie
17. June 2006 @ 14:24
Hey, I need some help too, if that's not a problem..
blondman
Junior Member
17. June 2006 @ 16:20
Logfile of HijackThis v1.99.1
Scan saved at 10:17:22, on 18/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: BigPond Toolbar - {7A431EC4-CC21-4DF7-9DB1-A2CF74C4CC98} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [CMD] cmd32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file://D:\components\hidinputmonitorx.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/...
O16 - DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} (A9Helper.A9) - file://D:\components\A9.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/cl...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/...
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/m...
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpbasicdetection3.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\lsass.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
blondman
Junior Member
17. June 2006 @ 16:23
Hello again, I've had some headaches!!!! My computer is now crashing so often I barely managed to post this! Thank you so much to everyone who's trying to help, it is so much appreciated!!!!!
searay185
Newbie
17. June 2006 @ 17:14
Okay, so here are the logs you wanted me to post (this is after I ran all the clean ups and such)...

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 9:07:49 PM, 6/17/2006
+ Report-Checksum: 5FB4692

+ Scan result:

HKLM\SOFTWARE\Classes\YSBactivex.Installer.1 -> Adware.YourSiteBar : Cleaned with backup
C:\HJT\backups\backup-20060617-200551-230.dll -> Adware.WinAD : Cleaned with backup
C:\HJT\backups\backup-20060617-200552-918.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\YSBactivex.dll -> Downloader.IstBar.fa : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\update.exe -> Dropper.Small.adh : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\WinAdServX.dll -> Adware.WinAD : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\YSBactivex.dll -> Downloader.IstBar.gz : Cleaned with backup
C:\WINDOWS\mtuninst.exe -> Adware.MediaTickets : Cleaned with backup
C:\WINDOWS\system32\sqgacaaa.exe -> Dropper.Agent.ns : Cleaned with backup


::Report End

_________________________________________________________________


Logfile of HijackThis v1.99.1
Scan saved at 9:10:56 PM, on 6/17/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\Program Files\ewido\ewidoctrl.exe
C:\Program Files\ewido\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\System32\SK9910DM.EXE
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\HJT\HijackThis_v1.99.1.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe"
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PowerPlus] "C:\Program Files\AIM PowerPlus\AIMP.exe"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/cl...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/...
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

_______________________________________________


SmitFraudFix v2.61

Scan done at 20:33:54.07, Sat 06/17/2006
Run from D:\Pat's Stuff\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{0656A137-B161-CADD-9777-E37A75727E78}"="OLE Module"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{5aaf6542-f4ba-4df4-873d-4902ecbe794c}"="antitragus"

[HKEY_CLASSES_ROOT\CLSID\{5aaf6542-f4ba-4df4-873d-4902ecbe794c}\InProcServer32]
@="C:\WINDOWS\System32\asxbbx.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{5aaf6542-f4ba-4df4-873d-4902ecbe794c}\InProcServer32]
@="C:\WINDOWS\System32\asxbbx.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{9ae613a2-a13b-4379-8d0e-86a1a78476ec}"="corindon"

[HKEY_CLASSES_ROOT\CLSID\{9ae613a2-a13b-4379-8d0e-86a1a78476ec}\InProcServer32]
@="C:\WINDOWS\System32\rmzdzx.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{9ae613a2-a13b-4379-8d0e-86a1a78476ec}\InProcServer32]
@="C:\WINDOWS\System32\rmzdzx.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\ms1.exe Deleted
C:\WINDOWS\tool1.exe Deleted
C:\WINDOWS\tool2.exe Deleted
C:\WINDOWS\tool3.exe Deleted
C:\WINDOWS\system32\atmclk.exe Deleted
C:\WINDOWS\system32\dcomcfg.exe Deleted
C:\WINDOWS\system32\hp???.tmp Deleted
C:\WINDOWS\system32\ld????.tmp Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\simpole.tlb Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\WINDOWS\system32\1024\ Deleted
C:\DOCUME~1\SLEASM~1\FAVORI~1\Antivirus Test Online.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\System32\asxbbx.dll -> Missing File

C:\WINDOWS\System32\rmzdzx.dll -> Missing File


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{0656A137-B161-CADD-9777-E37A75727E78}"="OLE Module"



»»»»»»»»»»»»»»»»»»»»»»»» End
Senior Member
17. June 2006 @ 22:36
@kaleed

OK almost clean.

Install a firewall.

Move HijackThis into its own folder C:\HJT

Open Notepad
-> copy the following lines into a new document:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{a2cd90b5-e5a2-4aac-a504-c964a6d499df}"=-

[-HKEY_CLASSES_ROOT\CLSID\{a2cd90b5-e5a2-4aac-a504-c964a6d499df}\InProcServer32]

[-HKEY_CURRENT_USER\Software\Classes\CLSID\{a2cd90b5-e5a2-4aac-a504-c964a6d499df}\InProcServer32]

Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and run the file Fix.reg and answer yes to any questions.

Fix this entry with HijackThis:
O2 - BHO: (no name) - {9D177C4E-765C-4DCC-8241-7E83DF6CAABB} - C:\WINDOWS\system32\awtst.dll (file missing)

* Double-click VundoFix.exe to run it.
* Put a check next to Run VundoFix as a task.
* You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
* When VundoFix re-opens, click the Scan for Vundo button.
* Once the scan is ready, right-click the list box (white box that lists the found files) and choose Add more files
* Copy/Paste the following two lines to the upper field:

C:\WINDOWS\SYSTEM32\efcbaww.dll
C:\WINDOWS\system32\wwabcfe.*

* Click Add Files and click Close Window
* Click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shutdown your computer, click OK.
* Turn your computer back on

Open the folder SmitfraudFix and double-click smitfraudfix.cmd
Choose option #1 - Search by typing 1 and pressing "Enter"; a textfile opens and lists the infected files (if those exist)

Post the contents of this textfile to here.

Post a new HijackThis log and the contents of C:\vundofix.txt and the smitfraudfix log.

---------------------------------------------------------------------------------------------------------------

@blondman

You don't have a firewall on your computer. Download and install one firewall.

These are good (free) firewalls:
ZoneAlarm --> http://www.zonelabs.com
Kerio--> http://www.sunbelt-software.com/Kerio.cfm
Outpost-> http://www.agnitum.com

Ok, you got some infections on your computer....

Cleaning instructions:

Download and install Ewido anti-malware -> http://www.ewido.net/en/download
Update it, but do NOT run a scan yet. We'll use it later.

Go to Control Panel -> Add/Remove programs -> Remove PuritySCAN By OIN, OuterInfo, OIN if found

If you can't find PuritySCAN By OIN, OuterInfo, OIN from the list, download this uninstaller -> http://www.outerinfo.com/OiUninstaller.exe
Run the uninstaller, instructions here if needed -> http://www.outerinfo.com/howto.html

Run HijackThis. Press Do a system scan only, then close all other windows, checkmark the following entries and press Fix checked

O4 - HKLM\..\RunServices: [CMD] cmd32.exe

Make your hidden files visible -> http://www.bleepingcomputer.com/tutorials/tutorial62.html
Restart your computer in safe mode -> http://www.pchell.com/support/safemode.shtml

Use the Windows "search" function
-> Start
-> Search
-> All files and folders
-> More advanced options

Checkmark these options:
- "Search system folders"
- "Search hidden files and folders"
- "Search subfolders"

->Search for this and delete if found: cmd32.exe

Delete this folder if found:
C:\Program Files\PurityScan

When in safe mode, open the SmitfraudFix folder and double-click the file smitfraudfix.cmd
Choose option #2 - Clean by typing 2 and pressing "Enter" in order to remove the infected files.

You are asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove your desktop wallpaper and the infected registry keys.

The tool checks if wininet.dll file is infected. You might be asked to replace the infected .dll (if found); answer "Yes" by typing Y and press "Enter".

The tool might have to restart your computer; if it won't do it, restart your computer back to normal mode.
A textfile will appear after the cleaning process, copy this file and paste it to here.

The log is saved to your local disk drive, usually C:\rapport.txt.

Warning : Running option 2 in a clean computer will delete your desktop wallpaper.

Scan and clean your computer with Ewido and save the report.

Clean the Recycle bin and make your hidden files visible again.

Post the following logs to here:
-> a fresh HijackThis log
-> Ewido's log
-> contents of C:\Rapport.txt

---------------------------------------------------------------------------------------------------------------

@searay185

Not clean yet...

Open Notepad
-> copy the following lines into a new document:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{0656A137-B161-CADD-9777-E37A75727E78}"=-

Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and run the file Fix.reg and answer yes to any questions.

Run a scan with Panda Active Scan -> http://www.pandasoftware.com/products/ActiveScan.htm
When it is ready, post its log to here.

Download and run a scan with -> http://www.bleepingcomputer.com/files/winpfind.php
Post its log to here.

Post also a new HijackThis log to here.

---------------------------------------------------------------------------------------------------------------

@Lowe017

Please post a HijackThis log to here and we'll get you cleaned.

Instructions for HjT posting -> http://forums.afterdawn.com/thread_view.cfm/263784
(steps 3-5)

I have moved from AD, I won't be taking new HijackThis logs from here. Reason: The AD's Unsupportive atmosphere.

This message has been edited since posting. Last time this message was edited on 17. June 2006 @ 22:38
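
An added example (not part of the thread, and not code from SmitFraudFix or HijackThis): a Python script that reads a SrchSTS listing like the one posted above and a Fix.reg like the ones in the reply, lists every deletion the .reg file would make, and reports whether each targets a CLSID that the scan log lists. The function names are hypothetical, and the two sample inputs are excerpts copied from this thread.

```python
import re

STS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler"
GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"

# Sample input: excerpt of the SrchSTS listing posted earlier in this thread.
SRCHSTS_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{0656A137-B161-CADD-9777-E37A75727E78}"="OLE Module"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{5aaf6542-f4ba-4df4-873d-4902ecbe794c}"="antitragus"

[HKEY_CLASSES_ROOT\CLSID\{5aaf6542-f4ba-4df4-873d-4902ecbe794c}\InProcServer32]
@="C:\WINDOWS\System32\asxbbx.dll"
"""

# Sample input: the Fix.reg text from the reply to the same user.
FIX_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{0656A137-B161-CADD-9777-E37A75727E78}"=-
"""

def _entry(entries, clsid):
    return entries.setdefault(clsid.upper(), {"name": None, "dll": None})

def parse_srchsts(text):
    """Map each SharedTaskScheduler CLSID to its value name and listed DLL."""
    entries, section = {}, ""
    for line in (ln.strip() for ln in text.splitlines()):
        value = re.fullmatch(r'"(%s)"="(.*)"' % GUID, line)
        default = re.fullmatch(r'@="(.*)"', line)
        owner = re.search(r"\\CLSID\\(%s)\\InProcServer32$" % GUID, section, re.I)
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]          # a new registry key header
        elif value and section.upper() == STS_KEY.upper():
            _entry(entries, value.group(1))["name"] = value.group(2)
        elif default and owner:
            _entry(entries, owner.group(1))["dll"] = default.group(1)
    return entries

def parse_reg_deletions(text):
    """Return (kind, key, value_name) for every deletion in a REGEDIT4 file."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != "REGEDIT4":
        raise ValueError("not a REGEDIT4 file")
    deletions, key = [], None
    for line in lines[1:]:
        if line.startswith("[-") and line.endswith("]"):
            deletions.append(("delete-key", line[2:-1], None))  # key and subkeys
            key = None
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and re.fullmatch(r'"(.*)"=-', line):
            deletions.append(("delete-value", key, line[1:-3]))  # "name"=-
    return deletions

def review_fix(fix_text, log_text):
    """For each deletion, report whether its CLSID appears in the scan log."""
    listed = parse_srchsts(log_text)
    report = []
    for kind, key, name in parse_reg_deletions(fix_text):
        found = re.search(GUID, name or key)
        clsid = found.group(0).upper() if found else None
        dll = listed.get(clsid, {}).get("dll")
        report.append((kind, clsid, clsid in listed, dll))
    return report

if __name__ == "__main__":
    for row in review_fix(FIX_REG, SRCHSTS_LOG):
        print(row)
```

A row whose third field is False means the .reg file deletes a CLSID that the supplied log does not list, which is what happens when a Fix.reg written for one poster's log is checked against another poster's machine.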

blondman
Junior Member
18. June 2006 @ 03:59
Logfile of HijackThis v1.99.1
Scan saved at 10:17:22, on 18/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: BigPond Toolbar - {7A431EC4-CC21-4DF7-9DB1-A2CF74C4CC98} - C:\Program Files\Telstra\Toolbar\bpumToolBand.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [CMD] cmd32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file://D:\components\hidinputmonitorx.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/...
O16 - DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} (A9Helper.A9) - file://D:\components\A9.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/cl...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/...
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/m...
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpbasicdetection3.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\lsass.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
blondman
Junior Member
18. June 2006 @ 04:02
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 21:51:44, 18/06/2006
+ Report-Checksum: F92C31B3

+ Scan result:

[228] C:\WINDOWS\system32\lsass.dll -> Adware.PurityScan : Cleaned without backup
[276] C:\WINDOWS\system32\lsass.dll -> Adware.PurityScan : Error during cleaning
[288] C:\WINDOWS\system32\lsass.dll -> Adware.PurityScan : Error during cleaning
[452] C:\WINDOWS\system32\lsass.dll -> Adware.PurityScan : Error during cleaning
[520] C:\WINDOWS\system32\lsass.dll -> Adware.PurityScan : Error during cleaning
[572] C:\WINDOWS\system32\lsass.dll -> Adware.PurityScan : Error during cleaning
[956] C:\WINDOWS\system32\lsass.dll -> Adware.PurityScan : Error during cleaning
C:\Documents and Settings\User\Cookies\user@2o7[2].txt -> TrackingCookie.2o7 : Cleaned without backup
C:\Documents and Settings\User\Cookies\user@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned without backup
C:\Documents and Settings\User\Cookies\user@microsoftwga.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned without backup
C:\Documents and Settings\User\Cookies\user@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned without backup
C:\My Shared Folder\Nero 5.5.9.14 Full + All Plugins Updates + Serial Keygen.exe -> Worm.Steph : Cleaned without backup
C:\My Shared Folder\Nero Burning ROM crack.exe -> Worm.Tanked.14 : Cleaned without backup
C:\My Shared Folder\psp movie creator keygen.exe -> Dropper.Agent.xd : Cleaned without backup
C:\My Shared Folder\QuickTime.Player.Pro.v7.0.Final.Crack-Keygen.WinAll.zip/dbc-crack.exe -> Adware.Visua : Cleaned without backup
C:\WINDOWS\system32\lsass.dll -> Adware.PurityScan : Cleaned without backup
C:\WINDOWS\system32\opnkhhe.dll -> Adware.Virtumonde : Cleaned without backup
C:\WINDOWS\Temp\WSu.exe -> Adware.PurityScan : Cleaned without backup
C:\WINDOWS\User32\ACDSee 5.5.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Ad-aware 6.5.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Age of Empires 2 crack.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Animated Screen 7.0b.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Anno 1503_crack.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\AOL Instant Messenger.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\AquaNox2 Crack.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Audiograbber 2.05.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\BabeFest 2003 ScreenSaver 1.5.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Babylon 3.50b reg_crack.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Battlefield1942_bloodpatch.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Battlefield1942_keygen.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Business Card Designer Plus 7.9.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\C&C Generals_crack.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\C&C Renegade_crack.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Clone CD 5.0.0.3 (crack).exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Clone CD 5.0.0.3.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Coffee Cup Free HTML 7.0b.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Cool Edit Pro v2.55.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Diablo 2 Crack.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\DirectDVD 5.0.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\DirectX Buster (all versions).exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\DirectX InfoTool.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\DivX Video Bundle 6.5.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Download Accelerator Plus 6.1.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\DVD Copy Plus v5.0.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\DVD Region-Free 2.3.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\FIFA2003 crack.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Final Fantasy VII XP Patch 1.5.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Flash MX crack (trial).exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\FlashGet 1.5.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\FreeRAM XP Pro 1.9.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\GetRight 5.0a.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Global DivX Player 3.0.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Gothic 2 licence.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\GTA 3 Crack.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\GTA 3 patch (no cd).exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Guitar Chords Library 5.5.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Hitman_2_no_cd_crack.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Hot Babes XXX Screen Saver.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\ICQ Lite (new).exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\ICQ Pro 2003a.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\ICQ Pro 2003b (new beta).exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\iMesh 3.6.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\iMesh 3.7b (beta).exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\IrfanView 4.5.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\KaZaA Hack 2.5.0.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\KaZaA Lite (New).exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\KaZaA Speedup 3.6.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Links 2003 Golf game (crack).exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Living Waterfalls 1.3.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Mafia_crack.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Matrix Screensaver 1.5.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\MediaPlayer Update.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\mIRC 6.40.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\mp3Trim PRO 2.5.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\MSN Messenger 5.2.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\NBA2003_crack.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Need 4 Speed crack.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Nero Burning ROM crack.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Netfast 1.8.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Network Cable e ADSL Speed 2.0.5.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Neverwinter_Nights_licence.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\NHL 2003 crack.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Nimo CodecPack (new) 8.0.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\PalTalk 5.01b.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Pop-Up Stopper 3.5.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Popup Defender 6.5.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\QuickTime_Pro_Crack.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Serials 2003 v.8.0 Full.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\SmartFTP 2.0.0.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\SmartRipper v2.7.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Space Invaders 1978.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Splinter_Cell_Crack.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Steinberg_WaveLab_5_crack.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Trillian 0.85 (free).exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\TweakAll 3.8.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Unreal2_bloodpatch.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Unreal2_crack.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\UT2003_bloodpatch.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\UT2003_keygen.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\UT2003_no cd (crack).exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\UT2003_patch.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\WarCraft_3_crack.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Winamp 3.8.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\WindowBlinds 4.0.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\WinOnCD 4 PE_crack.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\WinZip 9.0b.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Yahoo Messenger 6.0.exe -> Worm.Tanked.14 : Cleaned without backup
C:\WINDOWS\User32\Zelda Classic 2.00.exe -> Worm.Tanked.14 : Cleaned without backup


::Report End
 