
HijackThis log/ Ewido report


#1 KillEmAll83 (Member, 66 posts)
Originated from this thread.



Logfile of HijackThis v1.99.1
Scan saved at 7:17:17 PM, on 09/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
D:\Programs\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dnadgeijd...7QLalS73kfB.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://cuathome.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: load=C:\WINDOWS\system32\fiijbcqjb\csrss.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: TChkBHO Class - {76EE4E57-207E-4A80-9BF5-40FEF152A378} - (no file)
O2 - BHO: (no name) - {7A6E98A7-B238-FBA7-DFD6-496577790167} - C:\DOCUME~1\ANTHON~1\APPLIC~1\LONGBIRD\BIKEMORE.exe
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [dupeknob] C:\DOCUME~1\ANTHON~1\APPLIC~1\CITYKI~1\Play flaw.exe
O4 - HKCU\..\Run: [MessengerPlus3] "\" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: csrss.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - D:\Programs\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Programs\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with GetRight - D:\Programs\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - D:\Programs\GetRight\GRbrowse.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mu3: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
O12 - Plugin for .mus: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
O12 - Plugin for .myr: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
O12 - Plugin for .myt: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...w.viewpoint.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcaf...ed/MGBrwFld.cab
O16 - DPF: {0FF3E97F-433D-11D2-B31A-00A0C9B135DB} (CoDetectDigitalRiver Class) - http://ebot.digitalr...zard3.0.4.3.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat...Transporter.cab?
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://aft.ancestry....yFamilyTree.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093099032154
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1120413439763
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://data6.archive..._cab/MrSIDI.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instants...erxsigned32.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installen...gine/isetup.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {B9F3009B-976B-41C4-A992-229DCCF3367C} (CoAxTrack Class) - http://cdn.digitalci...illama/ampx.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.en.msn....ior/Outside.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab31267.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livemetal...r/dlControl.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v5.cab
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://tgs.gov.mb.ca...LoadIE/Acgm.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: tradehack - tradehack.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:56:55 PM, 4/9/2006
+ Report-Checksum: E9A638DD

+ Scan result:

C:\WINDOWS\SYSTEM32\fiijbcqjb\pspv.exe -> Not-A-Virus.PSWTool.Win32.PassView.162 : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.a : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\F830C873-D649-4731-9EF5-40E82D\BF72928A-57B9-4415-BFEB-344429 -> Adware.WebHancer : Cleaned with backup
C:\Documents and Settings\Anthony Lenting\Cookies\anthony [email protected][2].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\rundll32.exe -> Not-A-Virus.Monitor.Win32.Perflogger.ad : Cleaned with backup


::Report End


Hopefully someone can help. :whistling:


#2 loophole (Malware Expert, Retired Staff, 9,798 posts)
Hi KillEmAll83 :whistling:

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: load=C:\WINDOWS\system32\fiijbcqjb\csrss.exe
O2 - BHO: TChkBHO Class - {76EE4E57-207E-4A80-9BF5-40FEF152A378} - (no file)
O2 - BHO: (no name) - {7A6E98A7-B238-FBA7-DFD6-496577790167} - C:\DOCUME~1\ANTHON~1\APPLIC~1\LONGBIRD\BIKEMORE.exe
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKCU\..\Run: [dupeknob] C:\DOCUME~1\ANTHON~1\APPLIC~1\CITYKI~1\Play flaw.exe
O4 - HKCU\..\Run: [MessengerPlus3] "\" /WinStart
O4 - Startup: csrss.lnk = ?
O20 - Winlogon Notify: tradehack - tradehack.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked.


Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

MessengerPlus3


Download Findlop by Metallica. Unzip it to your desktop.
Double click findlop.bat. It will open a notepad file.
Copy the content of that file and paste it here in your reply along with a new Hijack log.

Thanks :blink:

#3 KillEmAll83 (Topic Starter, Member, 66 posts)
Hello, loophole. Thanks for replying. :blink:

I re-opened HijackThis and checked the things you told me to, and it gave me these two errors (one right after the other):

error3.JPG
error4.JPG

I looked in the task manager and it says csrss.exe is running, but I felt uncomfortable ending the process. Should I end it?

And sorry for the wait, I had school today. :whistling:

#4 loophole (Malware Expert, Retired Staff, 9,798 posts)
Hi. No problem on the delay.

I believe that's the legit one running. I am pretty sure the "malware" one is gone.
We can remove them manually then. Hijack has trouble fixing those entries for some reason.

Go ahead and post the results of Findlop and a new HijackThis log.

Thanks :whistling:

#5
KillEmAll83
    Member
  • Topic Starter
  • 66 posts
Logfile of HijackThis v1.99.1
Scan saved at 10:17:46 PM, on 11/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
c:\progra~1\intern~1\iexplore.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\64LINK~1\ANTIMP~1.EXE
D:\Programs\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Anthony Lenting\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dnadgeijd...7QLalS73kfB.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://cuathome.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [dupeknob] C:\DOCUME~1\ANTHON~1\APPLIC~1\CITYKI~1\Play flaw.exe
O4 - Startup: csrss.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - D:\Programs\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Programs\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with GetRight - D:\Programs\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - D:\Programs\GetRight\GRbrowse.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mu3: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
O12 - Plugin for .mus: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
O12 - Plugin for .myr: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
O12 - Plugin for .myt: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...w.viewpoint.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcaf...ed/MGBrwFld.cab
O16 - DPF: {0FF3E97F-433D-11D2-B31A-00A0C9B135DB} (CoDetectDigitalRiver Class) - http://ebot.digitalr...zard3.0.4.3.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat...Transporter.cab?
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://aft.ancestry....yFamilyTree.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093099032154
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1120413439763
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://data6.archive..._cab/MrSIDI.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instants...erxsigned32.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installen...gine/isetup.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {B9F3009B-976B-41C4-A992-229DCCF3367C} (CoAxTrack Class) - http://cdn.digitalci...illama/ampx.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.en.msn....ior/Outside.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab31267.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livemetal...r/dlControl.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v5.cab
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://tgs.gov.mb.ca...LoadIE/Acgm.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe


findlop:


[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'PCHealth Scheduler for Data Collection.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE'
Parameters: ' -c'
WorkingDirectory: ''
Comment: 'Scheduled Task for PC Health Scheduler (Data Collection)'
Creator: 'SYSTEM'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 5
IdleDeadline: 32767
MostRecentRun: 07/12/2000 21:02:32
NextRun: 04/11/2006 22:18:00
StartError: SCHED_E_ACCOUNT_INFORMATION_NOT_SET
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 1
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 0
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 03/16/2002
EndDate: 00/00/0000
StartTime: 11:08
MinutesDuration: 1440
MinutesInterval: 10
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job 'Tune-up Application Start.job'
[TRACE] Printing all job properties

ApplicationName: 'walign'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'mleo'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 00/00/0000 0:00:00
NextRun: 05/03/2006 9:00:00
StartError: SCHED_E_ACCOUNT_INFORMATION_NOT_SET
ExitCode: 0
Status: SCHED_S_TASK_HAS_NOT_RUN
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 1
KillIfGoingOnBatteries = 1
RunOnlyIfLoggedOn = 0
SystemRequired = 0
Hidden = 0
TaskFlags: 0

8 Triggers

Trigger 0:
Type: MonthlyDOW
Week: 1
DaysOfTheWeek: ...W...
Months: JanFebMarAprMayJunJulAugSepOctNovDec
StartDate: 11/22/1997
EndDate: 00/00/0000
StartTime: 09:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

Trigger 1:
Type: MonthlyDOW
Week: 1
DaysOfTheWeek: ...W...
Months: JanFebMarAprMayJunJulAugSepOctNovDec
StartDate: 11/22/1997
EndDate: 00/00/0000
StartTime: 14:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

Trigger 2:
Type: MonthlyDOW
Week: 1
DaysOfTheWeek: ...W...
Months: JanFebMarAprMayJunJulAugSepOctNovDec
StartDate: 11/22/1997
EndDate: 00/00/0000
StartTime: 19:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

Trigger 3:
Type: MonthlyDOW
Week: 1
DaysOfTheWeek: ...W...
Months: JanFebMarAprMayJunJulAugSepOctNovDec
StartDate: 11/22/1997
EndDate: 00/00/0000
StartTime: 23:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

Trigger 4:
Type: MonthlyDOW
Week: 1
DaysOfTheWeek: ......A
Months: JanFebMarAprMayJunJulAugSepOctNovDec
StartDate: 11/22/1997
EndDate: 00/00/0000
StartTime: 09:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

Trigger 5:
Type: MonthlyDOW
Week: 1
DaysOfTheWeek: ......A
Months: JanFebMarAprMayJunJulAugSepOctNovDec
StartDate: 11/22/1997
EndDate: 00/00/0000
StartTime: 14:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

Trigger 6:
Type: MonthlyDOW
Week: 1
DaysOfTheWeek: ......A
Months: JanFebMarAprMayJunJulAugSepOctNovDec
StartDate: 11/22/1997
EndDate: 00/00/0000
StartTime: 19:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

Trigger 7:
Type: MonthlyDOW
Week: 1
DaysOfTheWeek: ......A
Months: JanFebMarAprMayJunJulAugSepOctNovDec
StartDate: 11/22/1997
EndDate: 00/00/0000
StartTime: 23:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job 'Video Reminder.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\WINDOWS\TUNEUP.EXE'
Parameters: '/COOL'
WorkingDirectory: 'C:\WINDOWS'
Comment: ''
Creator: ''
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 00/00/0000 0:00:00
NextRun: 00/00/0000 0:00:00
StartError: SCHED_S_TASK_HAS_NOT_RUN
ExitCode: 0
Status: SCHED_S_TASK_HAS_NOT_RUN
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 0
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Once
StartDate: 03/16/2002
EndDate: 00/00/0000
StartTime: 11:28
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job 'Uninstall Expiration Reminder.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\WINDOWS\System32\OOBE\oobebaln.exe'
Parameters: '/sys /u /n:1'
WorkingDirectory: ''
Comment: ''
Creator: 'SYSTEM'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 00/00/0000 0:00:00
NextRun: 04/11/2006 23:04:00
StartError: SCHED_E_ACCOUNT_INFORMATION_NOT_SET
ExitCode: 0
Status: SCHED_S_TASK_HAS_NOT_RUN
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 0
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 04/15/2002
EndDate: 00/00/0000
StartTime: 12:04
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job 'AC943CA9918BAF09.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\nathan~1\applic~1\cityki~1\ford intra style.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Nathan Lenting'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 04/11/2006 22:00:00
NextRun: 04/11/2006 23:00:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 06/23/1995
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job 'AE4EDC2091894CA8.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\anthon~1\applic~1\cityki~1\ford intra style.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Anthony Lenting'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 04/11/2006 22:00:01
NextRun: 04/11/2006 23:00:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 02/13/1999
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


I noticed that this "Play Flaw" file is back again, and that csrss is still there.

#6
loophole
    Malware Expert
  • Retired Staff
  • 9,798 posts
Hi KillEmAll83 :whistling:

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Save it to your desktop


    Copy everything inside the quote box below (starting with @) and paste it into notepad. Go up to "File > Save As", click the drop-down box to change the "Save As Type" to "All Files". Save it as remlop.bat on your desktop.


    @echo off
    cd C:\WINDOWS\Tasks
    attrib -r -s -h AC943CA9918BAF09.job
    del AC943CA9918BAF09.job
    attrib -r -s -h AE4EDC2091894CA8.job
    del AE4EDC2091894CA8.job
    exit



    Double-click remlop.bat A window will open and close quickly, this is normal.

    Next, please reboot your computer in Safe Mode by doing the following
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Show Hidden Files and Folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
  • Uncheck: Hide file extensions for known file types
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
    • Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

      C:\Documents and settings\ANTHON\application data\LONGBIRD
      C:\Documents and settings\nathan\application data\cityki <<< first six letters of the folders name



      Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use the Firefox browser: click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use the Opera browser: click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.


    Reboot


    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
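An added example, not part of loophole's post and not Findlop or remlop.bat: a parser for the findlop dump format posted above that picks out the two Lop jobs and writes a batch file in the shape of remlop.bat. HijackThis has no section for scheduled tasks, which is why the two hourly jobs (MinutesInterval: 60, Hidden = 1, an executable in the same cityki~1 folder as the "Play flaw.exe" Run entry) only surfaced once Findlop was run. SAMPLE_DUMP is a trimmed, constructed copy of the dump above; the three indicators and the two-of-three threshold are this example's own heuristics.

```python
"""Parse a findlop-style scheduled-task dump, pick out jobs that look like
Lop.com droppings, and write the cleanup batch file.  Added example, not part
of the original post, of Findlop, or of remlop.bat.  SAMPLE_DUMP is a trimmed
(constructed) copy of the dump posted above; the indicators are this example's own."""
import re

SAMPLE_DUMP = r"""
[TRACE] Activating job 'PCHealth Scheduler for Data Collection.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE'
Parameters: ' -c'
Creator: 'SYSTEM'
RunOnlyIfLoggedOn = 0
Hidden = 0

Trigger 0:
Type: Daily
StartDate: 03/16/2002
MinutesInterval: 10

[TRACE] Activating job 'AC943CA9918BAF09.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\nathan~1\applic~1\cityki~1\ford intra style.exe'
Parameters: ''
Creator: 'Nathan Lenting'
RunOnlyIfLoggedOn = 1
Hidden = 1

Trigger 0:
Type: Daily
StartDate: 06/23/1995
MinutesInterval: 60

[TRACE] Activating job 'AE4EDC2091894CA8.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\anthon~1\applic~1\cityki~1\ford intra style.exe'
Parameters: ''
Creator: 'Anthony Lenting'
RunOnlyIfLoggedOn = 1
Hidden = 1

Trigger 0:
Type: Daily
StartDate: 02/13/1999
MinutesInterval: 60
"""

JOB_RE = re.compile(r"^\[TRACE\] Activating job '(?P<name>.+)'$")
PROP_RE = re.compile(r"^(?P<key>\w+): '?(?P<value>.*?)'?$")   # "Key: 'value'" or "Key: value"
FLAG_RE = re.compile(r"^(?P<key>\w+) = (?P<value>\d+)$")       # "Hidden = 1"
RANDOM_NAME_RE = re.compile(r"^[0-9A-F]{16}\.job$")
APPDATA_RE = re.compile(r"\\(?:applic~1|application data)\\", re.IGNORECASE)


def parse_jobs(dump: str) -> list[dict]:
    """One dict per job; the first value wins, so trigger fields come from Trigger 0."""
    jobs = []
    for raw in dump.splitlines():
        line = raw.strip()
        m = JOB_RE.match(line)
        if m:
            jobs.append({"name": m.group("name")})
            continue
        if not jobs or not line or line.startswith("[TRACE]"):
            continue
        m = FLAG_RE.match(line) or PROP_RE.match(line)
        if m:
            jobs[-1].setdefault(m.group("key"), m.group("value"))
    return jobs


def suspicion(job: dict) -> list[str]:
    """Indicators this example uses; none of them is conclusive alone."""
    reasons = []
    if RANDOM_NAME_RE.match(job["name"]):
        reasons.append("job name is 16 hex digits instead of a description")
    if job.get("Hidden") == "1":
        reasons.append("Hidden flag set, so it does not show in the Scheduled Tasks folder")
    if APPDATA_RE.search(job.get("ApplicationName", "")):
        reasons.append("runs an executable from a user's Application Data folder")
    return reasons


def suspicious_jobs(dump: str) -> list[dict]:
    """Two of the three indicators together are enough to list a job."""
    return [job for job in parse_jobs(dump) if len(suspicion(job)) >= 2]


def remediation_script(dump: str, tasks_dir: str = r"C:\WINDOWS\Tasks") -> str:
    """Batch file in the shape of remlop.bat: a plain `del` will not touch a hidden or
    read-only file, so the attributes are cleared first, then the .job is deleted."""
    lines = ["@echo off", f"cd {tasks_dir}"]
    for job in suspicious_jobs(dump):
        lines.append(f"attrib -r -s -h {job['name']}")
        lines.append(f"del {job['name']}")
    lines.append("exit")
    return "\n".join(lines)


if __name__ == "__main__":
    for job in suspicious_jobs(SAMPLE_DUMP):
        print(job["name"], "<-", job["ApplicationName"])
        for reason in suspicion(job):
            print("    ->", reason)
    print(remediation_script(SAMPLE_DUMP))
```

For the sample above the script it prints is the same two attrib/del pairs as remlop.bat. The old StartDate values (1995, 1999) are deliberately not used as an indicator: the legitimate "Tune-up Application Start" job in the full dump also carries a 1997 start date.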


#7
KillEmAll83
    Member
  • Topic Starter
  • 66 posts
Hehe. This is taking a while. Just to update, while Kaspersky does its LONG thing. :whistling:


I've done everything you've said, and one hour in, the scanner is at 21%. I'll post as soon as it's done. :blink:

#8
KillEmAll83
    Member
  • Topic Starter
  • 66 posts
Here you are, it just finished. (Finally! :whistling: )


-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, April 12, 2006 11:44:43 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 13/04/2006
Kaspersky Anti-Virus database records: 187876
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 55159
Number of viruses found: 20
Number of infected objects: 58
Number of suspicious objects: 2
Duration of the scan process: 02:35:05

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\SYSTEM32\mopatch.exe/WISE0010.BIN Infected: not-a-virus:AdWare.Win32.WurldMedia.c skipped
C:\WINDOWS\SYSTEM32\mopatch.exe/WISE0011.BIN Infected: not-a-virus:AdWare.Win32.WurldMedia.b skipped
C:\WINDOWS\SYSTEM32\mopatch.exe WiseSFX: infected - 2 skipped
C:\WINDOWS\SYSTEM32\moaupd.exe/WISE0012.BIN Infected: not-a-virus:AdWare.Win32.WurldMedia.h skipped
C:\WINDOWS\SYSTEM32\moaupd.exe WiseSFX: infected - 1 skipped
C:\WINDOWS\SYSTEM32\bde3dref3K7.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.35684 skipped
C:\Program Files\Microsoft AntiSpyware\Quarantine\892219C6-4AD2-47B1-B543-A0F982\0470DE24-8E50-45D9-9144-B86685 Infected: Trojan-Downloader.Win32.Swizzor.bo skipped
C:\Program Files\Microsoft AntiSpyware\Quarantine\69AEAA84-399E-48D8-9935-F847A5\2A79C5E8-2024-4B63-AB82-CF2DE2 Infected: Trojan-Downloader.Win32.Swizzor.bo skipped
C:\Program Files\Microsoft AntiSpyware\Quarantine\2B025605-7117-404C-AC58-E3CB51\2B91C31E-6B31-460C-B9FF-4C08C9 Infected: Trojan-Downloader.Win32.Swizzor.bo skipped
C:\Program Files\Microsoft AntiSpyware\Quarantine\6064F030-23D9-464C-A39E-3315DB\86AB1BE9-EC6E-4C95-A645-04CD85 Infected: Trojan-Downloader.Win32.Swizzor.bo skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent8.zip/backup/1.6.0.037/wcmdmgrl.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent8.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\64 link body knob\grey intra.exe Infected: not-a-virus:AdWare.Win32.Lop.ad skipped
C:\Documents and Settings\All Users\Application Data\64 link body knob\mags cast.exe Infected: not-a-virus:AdWare.Win32.Lop.ag skipped
C:\Documents and Settings\All Users\Application Data\64 link body knob\Gpl Move.exe Infected: not-a-virus:AdWare.Win32.Lop.ag skipped
C:\Documents and Settings\All Users\Application Data\64 link body knob\FlagPeak.exe Infected: not-a-virus:AdWare.Win32.Lop.ag skipped
C:\Documents and Settings\All Users\Application Data\64 link body knob\Multi Log.exe Infected: not-a-virus:AdWare.Win32.Lop.ag skipped
C:\Documents and Settings\All Users\Application Data\64 link body knob\About option.exe Infected: not-a-virus:AdWare.Win32.Lop.ag skipped
C:\Documents and Settings\All Users\Application Data\64 link body knob\anti mpeg.exe Infected: not-a-virus:AdWare.Win32.Lop.ag skipped
C:\Documents and Settings\Anthony Lenting\Desktop\backups\backup-20060411-190121-677.dll Infected: Trojan-Downloader.Win32.Swizzor.bo skipped
C:\Documents and Settings\Anthony Lenting\Application Data\city kind way\mhnzrrnx.exe Infected: not-a-virus:AdWare.Win32.Lop.z skipped
C:\Documents and Settings\Anthony Lenting\Application Data\city kind way\ford intra style.exe Infected: Trojan-Downloader.Win32.Swizzor.cb skipped
C:\Documents and Settings\Anthony Lenting\Application Data\city kind way\axevtvei.exe Infected: not-a-virus:AdWare.Win32.Lop.z skipped
C:\Documents and Settings\Anthony Lenting\Application Data\city kind way\hphzulkp.exe Infected: Trojan-Downloader.Win32.Swizzor.dh skipped
C:\Documents and Settings\Anthony Lenting\Application Data\city kind way\hoatubea.exe Infected: not-a-virus:AdWare.Win32.Lop.ab skipped
C:\Documents and Settings\Anthony Lenting\Application Data\city kind way\yidinjms.exe Infected: not-a-virus:AdWare.Win32.Lop.ad skipped
C:\Documents and Settings\Anthony Lenting\Application Data\city kind way\Play flaw.exe Infected: not-a-virus:AdWare.Win32.Lop.m skipped
C:\Documents and Settings\Anthony Lenting\Application Data\city kind way\aoblpfwn.exe Infected: not-a-virus:AdWare.Win32.Lop.ad skipped
C:\Documents and Settings\Anthony Lenting\Application Data\city kind way\flmrklsz.exe Infected: not-a-virus:AdWare.Win32.Lop.ad skipped
C:\Documents and Settings\Anthony Lenting\Application Data\city kind way\fzbwkdce.exe Infected: not-a-virus:AdWare.Win32.Lop.ag skipped
C:\Documents and Settings\Anthony Lenting\Application Data\city kind way\zgrzwfaz.exe Infected: not-a-virus:AdWare.Win32.Lop.ag skipped
C:\Documents and Settings\Anthony Lenting\Application Data\city kind way\uamhealw.exe Infected: not-a-virus:AdWare.Win32.Lop.ag skipped
C:\Documents and Settings\Anthony Lenting\Application Data\city kind way\kdlzdhks.exe Infected: not-a-virus:AdWare.Win32.Lop.ag skipped
C:\Documents and Settings\Anthony Lenting\Application Data\city kind way\mretjjnn.exe Infected: not-a-virus:AdWare.Win32.Lop.ag skipped
C:\Documents and Settings\Anthony Lenting\Application Data\city kind way\nbdzgvxp.exe Infected: not-a-virus:AdWare.Win32.Lop.ag skipped
C:\Documents and Settings\Anthony Lenting\Application Data\city kind way\ddknreuy.exe Infected: not-a-virus:AdWare.Win32.Lop.ag skipped
C:\Documents and Settings\Anthony Lenting\Application Data\city kind way\srrhkrbl.exe Infected: not-a-virus:AdWare.Win32.Lop.ag skipped
C:\Documents and Settings\Anthony Lenting\Application Data\city kind way\vqgoqnxj.exe Infected: not-a-virus:AdWare.Win32.Lop.ag skipped
C:\Documents and Settings\Anthony Lenting\Application Data\city kind way\xtkfegem.exe Infected: not-a-virus:AdWare.Win32.Lop.ag skipped
C:\Documents and Settings\Anthony Lenting\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-5e8d4960.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w skipped
C:\Documents and Settings\Anthony Lenting\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-5e8d4960.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Nathan Lenting\My Documents\My Pictures\Install-Animated-Emoticons.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.180Solutions skipped
C:\Documents and Settings\Nathan Lenting\My Documents\My Pictures\Install-Animated-Emoticons.exe/stream/data0005/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped
C:\Documents and Settings\Nathan Lenting\My Documents\My Pictures\Install-Animated-Emoticons.exe/stream/data0005/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\Nathan Lenting\My Documents\My Pictures\Install-Animated-Emoticons.exe/stream/data0005/data.rar/whSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\Nathan Lenting\My Documents\My Pictures\Install-Animated-Emoticons.exe/stream/data0005/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\Nathan Lenting\My Documents\My Pictures\Install-Animated-Emoticons.exe/stream/data0005/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\Nathan Lenting\My Documents\My Pictures\Install-Animated-Emoticons.exe/stream/data0005/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\Nathan Lenting\My Documents\My Pictures\Install-Animated-Emoticons.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\Nathan Lenting\My Documents\My Pictures\Install-Animated-Emoticons.exe/stream Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\Nathan Lenting\My Documents\My Pictures\Install-Animated-Emoticons.exe NSIS: infected - 9 skipped
C:\Documents and Settings\Big Guy\Local Settings\Application Data\Identities\{F1686067-AB2D-48D2-9434-28F8451D1C4B}\Microsoft\Outlook Express\alt.sex.orgy.dbx/[From [email protected]][Date Tue, 24 Feb 2004 13:48:21 GMT]/C:/ Infected: Backdoor.Win32.Loony.c skipped
C:\Documents and Settings\Big Guy\Local Settings\Application Data\Identities\{F1686067-AB2D-48D2-9434-28F8451D1C4B}\Microsoft\Outlook Express\alt.sex.orgy.dbx Mail MS Outlook 5: infected - 1 skipped
C:\Documents and Settings\Big Guy\Local Settings\Application Data\Identities\{F1686067-AB2D-48D2-9434-28F8451D1C4B}\Microsoft\Outlook Express\alt.bainaries.pictures.teen-idols.dbx/[From [email protected]][Date Thu, 15 Apr 2004 08:56:40 GMT]/C:/rape/Copy Infected: Backdoor.Win32.SdBot.jb skipped
C:\Documents and Settings\Big Guy\Local Settings\Application Data\Identities\{F1686067-AB2D-48D2-9434-28F8451D1C4B}\Microsoft\Outlook Express\alt.bainaries.pictures.teen-idols.dbx Mail MS Outlook 5: infected - 1 skipped
C:\Documents and Settings\Big Guy\Local Settings\Application Data\Identities\{F1686067-AB2D-48D2-9434-28F8451D1C4B}\Microsoft\Outlook Express\alt.binaries.pictures.erotica.cheerleader.dbx/[From "demi" <[email protected]>][Date Sat, 3 Dec 2005 17:39:50 GMT]/teen_hardcore_from_demi.wmv Infected: Trojan-Downloader.WMA.Wimad.d skipped
C:\Documents and Settings\Big Guy\Local Settings\Application Data\Identities\{F1686067-AB2D-48D2-9434-28F8451D1C4B}\Microsoft\Outlook Express\alt.binaries.pictures.erotica.cheerleader.dbx Mail MS Outlook 5: infected - 1 skipped
C:\Documents and Settings\Big Guy\Local Settings\Application Data\Identities\{F1686067-AB2D-48D2-9434-28F8451D1C4B}\Microsoft\Outlook Express\alt.penthouse.sex.swingers.dbx/[From [email protected]][Date Fri, 2 Dec 2005 05:21:38 GMT]/teen_hardcore_video.wmv Infected: Trojan-Downloader.WMA.Wimad.d skipped
C:\Documents and Settings\Big Guy\Local Settings\Application Data\Identities\{F1686067-AB2D-48D2-9434-28F8451D1C4B}\Microsoft\Outlook Express\alt.penthouse.sex.swingers.dbx Mail MS Outlook 5: infected - 1 skipped
C:\Documents and Settings\Big Guy\Application Data\LONGBIRD\BIKEMORE.exe Infected: Trojan-Downloader.Win32.Swizzor.bo skipped

Scan process completed.
  • 0

#9
KillEmAll83

KillEmAll83

    Member

  • Topic Starter
  • Member
  • PipPip
  • 66 posts
Hehehe..... my dad and his "special" websites. I gotta get on his case about that. :whistling:

Edited by KillEmAll83, 12 April 2006 - 10:51 PM.

  • 0

#10
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
No problem :whistling:

Not much farther to go

Looks like those folders are still there. Did you have trouble deleting them?

I normally won't reach for this tool, but I hate this infection. You need to clean the infected Outlook Express emails out. Browse to the bottom of the Kaspersky report and it will tell you exactly which ones are infected.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\SYSTEM32\mopatch.exe
C:\WINDOWS\SYSTEM32\bde3dref3K7.dll
C:\Documents and Settings\Nathan Lenting\My Documents\My Pictures\Install-Animated-Emoticons.exe
Folders to delete:
C:\Documents and Settings\All Users\Application Data\64 link body knob
C:\Documents and Settings\Anthony Lenting\Application Data\city kind way
C:\Documents and Settings\Big Guy\Application Data\LONGBIRD


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon, which will open a new window titled "View/edit script".
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply
  • 0


#11
KillEmAll83

KillEmAll83

    Member

  • Topic Starter
  • Member
  • PipPip
  • 66 posts
No, that's weird. I deleted the folders you told me to but it seems they're still there. :whistling: And when I started my computer up these "play flaw" and "anti-mp3" programs were trying to access internet explorer. (ZoneAlarm caught that) I'll get on these instructions.





Thanks. :blink:
  • 0

#12
KillEmAll83

KillEmAll83

    Member

  • Topic Starter
  • Member
  • PipPip
  • 66 posts
So, to clean all the emails out what should I do? Go into my dad's email and try to find them?



Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ffexohub

*******************

Script file located at: \??\C:\Program Files\esbbauhx.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\SYSTEM32\mopatch.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\bde3dref3K7.dll deleted successfully.
File C:\Documents and Settings\Nathan Lenting\My Documents\My Pictures\Install-Animated-Emoticons.exe deleted successfully.
Folder C:\Documents and Settings\All Users\Application Data\64 link body knob deleted successfully.
Folder C:\Documents and Settings\Anthony Lenting\Application Data\city kind way deleted successfully.
Folder C:\Documents and Settings\Big Guy\Application Data\LONGBIRD deleted successfully.

Completed script processing.

*******************

Finished! Terminate.




Logfile of HijackThis v1.99.1
Scan saved at 4:40:13 PM, on 13/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
D:\Programs\firefox.exe
C:\Documents and Settings\Anthony Lenting\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dnadgeijd...7QLalS73kfB.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://cuathome.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [dupeknob] C:\DOCUME~1\ANTHON~1\APPLIC~1\CITYKI~1\Play flaw.exe
O4 - Startup: csrss.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - D:\Programs\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Programs\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with GetRight - D:\Programs\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - D:\Programs\GetRight\GRbrowse.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mu3: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
O12 - Plugin for .mus: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
O12 - Plugin for .myr: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
O12 - Plugin for .myt: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...w.viewpoint.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcaf...ed/MGBrwFld.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {0FF3E97F-433D-11D2-B31A-00A0C9B135DB} (CoDetectDigitalRiver Class) - http://ebot.digitalr...zard3.0.4.3.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat...Transporter.cab?
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://aft.ancestry....yFamilyTree.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093099032154
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1120413439763
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://data6.archive..._cab/MrSIDI.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instants...erxsigned32.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installen...gine/isetup.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {B9F3009B-976B-41C4-A992-229DCCF3367C} (CoAxTrack Class) - http://cdn.digitalci...illama/ampx.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.en.msn....ior/Outside.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab31267.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livemetal...r/dlControl.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v5.cab
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://tgs.gov.mb.ca...LoadIE/Acgm.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
  • 0

#13
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi KillEmAll83
:whistling:

You or your dad will have to delete those. Strange as it sounds, I don't feel "right" about deleting someone else's e-mail.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dnadgeijd...7QLalS73kfB.jsp
O4 - HKCU\..\Run: [dupeknob] C:\DOCUME~1\ANTHON~1\APPLIC~1\CITYKI~1\Play flaw.exe
O4 - Startup: csrss.lnk = ?

Now close all windows other than HiJackThis, then click Fix Checked

Reboot

Post a new Hijack log

Let me know if you get the error when fixing that csrss line again and we will get it manually

Thanks
  • 0

#14
KillEmAll83

KillEmAll83

    Member

  • Topic Starter
  • Member
  • PipPip
  • 66 posts
Hey loophole. :whistling:

Yes, I had the error again while trying to remove csrss.


Logfile of HijackThis v1.99.1
Scan saved at 12:34:53 AM, on 14/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Programs\firefox.exe
C:\Documents and Settings\Anthony Lenting\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://cuathome.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: csrss.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - D:\Programs\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Programs\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with GetRight - D:\Programs\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - D:\Programs\GetRight\GRbrowse.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mu3: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
O12 - Plugin for .mus: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
O12 - Plugin for .myr: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
O12 - Plugin for .myt: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...w.viewpoint.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcaf...ed/MGBrwFld.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {0FF3E97F-433D-11D2-B31A-00A0C9B135DB} (CoDetectDigitalRiver Class) - http://ebot.digitalr...zard3.0.4.3.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat...Transporter.cab?
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://aft.ancestry....yFamilyTree.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093099032154
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1120413439763
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://data6.archive..._cab/MrSIDI.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instants...erxsigned32.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installen...gine/isetup.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {B9F3009B-976B-41C4-A992-229DCCF3367C} (CoAxTrack Class) - http://cdn.digitalci...illama/ampx.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.en.msn....ior/Outside.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab31267.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livemetal...r/dlControl.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v5.cab
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://tgs.gov.mb.ca...LoadIE/Acgm.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
  • 0

#15
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi KillEmAll83 :whistling:

I reviewed our thread and I think we are about done. I do need you to delete this file I missed

C:\WINDOWS\SYSTEM32\moaupd.exe

Next

Please open Notepad, and copy/paste the code in the box below into a new text file. Save it as fix.reg (set File type to "All Files") and save it on your Desktop.

REGEDIT4

; "=-" deletes the named value from the key; a key that has no such value is left unchanged
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"csrss"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"csrss"=-


Now locate and double-click fix.reg -> allow it to merge into the Registry!

Post a new HijackThis log and let's see if that worked.

Thanks

Edited by loophole, 14 April 2006 - 08:08 AM.

  • 0
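As an added example that is not part of this thread, HijackThis or The Avenger: a small Python triage script that applies the checks used when lines were picked out of the logs above (a Run value launching from a user's Application Data folder, a Startup shortcut HijackThis could not resolve, a Search Bar pointed at an unknown host) and writes the same REGEDIT4 deletion script ("name"=-) as the fix.reg in the last post for any flagged Run value; it also generalises to Run values named after core Windows processes such as csrss. The sample lines are copied from the logs in this thread; the heuristics, the trusted-host list and all function and class names are assumptions.

```python
# Added helper for this thread; not part of HijackThis, The Avenger or any tool used here.
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Sample lines copied from the logs posted in this thread (the Search Bar URL
# is truncated exactly as the forum displayed it).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dnadgeijd...7QLalS73kfB.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://cuathome.net/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [dupeknob] C:\DOCUME~1\ANTHON~1\APPLIC~1\CITYKI~1\Play flaw.exe
O4 - Startup: csrss.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
STARTUP_RE = re.compile(r"^O4 - (Global )?Startup: (.+?) = (.+)$")
SEARCH_RE = re.compile(r"^R1 - HKCU\\.*,Search Bar = (\S+)$")

# Core Windows process names malware borrows for autostart entries (assumed list;
# the real csrss.exe is started by the system itself, never from Run or Startup).
SYSTEM_NAMES = {"csrss", "smss", "winlogon", "lsass", "services", "svchost"}
# Hosts accepted for the IE Search Bar; anything else is treated as a hijack (assumption).
TRUSTED_SEARCH = ("microsoft.com", "msn.com")
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


@dataclass
class Finding:
    kind: str                    # "run", "startup" or "search"
    line: str
    reason: str
    hive: Optional[str] = None   # HKLM/HKCU for Run values
    value: Optional[str] = None  # Run value name to delete


def triage(log: str) -> List[Finding]:
    """Return the log lines a helper would ask the user to fix, in log order."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            if "applic~1" in cmd.lower() or "application data" in cmd.lower():
                findings.append(Finding("run", line, "autostart from a user Application Data folder", hive, name))
            elif name.lower() in SYSTEM_NAMES:
                findings.append(Finding("run", line, "Run value named after a core Windows process", hive, name))
            continue
        m = STARTUP_RE.match(line)
        if m:
            shortcut, target = m.group(2).lower(), m.group(3).strip()
            base = shortcut[:-4] if shortcut.endswith(".lnk") else shortcut
            if target == "?":
                findings.append(Finding("startup", line, "Startup shortcut whose target HijackThis could not resolve"))
            elif base in SYSTEM_NAMES:
                findings.append(Finding("startup", line, "Startup shortcut named after a core Windows process"))
            continue
        m = SEARCH_RE.match(line)
        if m:
            host = urlparse(m.group(1)).hostname or ""
            if not host.endswith(TRUSTED_SEARCH):
                findings.append(Finding("search", line, "Search Bar redirected to " + host))
    return findings


def build_reg(findings: List[Finding]) -> str:
    """REGEDIT4 script deleting each flagged Run value with "name"=-, the same
    mechanism as the fix.reg in this thread; other findings are only noted."""
    out = ["REGEDIT4", ""]
    for f in findings:
        if f.kind != "run":
            out += ["; not a Run value, fix with HijackThis or delete the file: " + f.line, ""]
            continue
        out += ["[%s\\%s]" % (HIVES[f.hive], RUN_KEY), '"%s"=-' % f.value, ""]
    return "\n".join(out)
```

Calling `build_reg(triage(SAMPLE_LOG))` on the sample yields a script that deletes only the dupeknob value under HKEY_CURRENT_USER; the csrss.lnk entry is a file in the Startup folder, so it is noted rather than turned into a registry deletion.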