Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Win32.Trojan.Downloader

Started by SilkWWU , Mar 28 2006 05:58 PM

  • Please log in to reply

#1
SilkWWU
Posted 28 March 2006 - 05:58 PM

SilkWWU

    New Member

  • Member
  • Pip
  • 4 posts
Ok, this nasty little trojan has officially taken out my Microsoft Office pack, so I would appreciate some help on getting rid of it. I ran AdAware in safe mode, and got this... win32.trojan.downloader. Here is my hijackthis log.

Logfile of HijackThis v1.99.1
Scan saved at 3:53:16 PM, on 3/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\vsnpstd.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Common Files\AOL\1128570150\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1128570150\ee\AOLServiceHost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\PC Tools AntiVirus\ScanningProcess.exe
C:\Program Files\PC Tools AntiVirus\ScanningProcess.exe
C:\Program Files\Common Files\AOL\1128570150\ee\AOLServiceHost.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\DOCUME~1\TRAVIS~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Profiles\default\1ju5e06w.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128570150\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [Poker Messenger] "C:\Program Files\Poker Messenger\Poker Messenger.exe" -r
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.1.2.76.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by3fd.bay3.ho...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1108659059125
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)



Please help me. :whistling:
  • 0

Advertisements

#2
Tigger93
Posted 31 March 2006 - 08:19 PM

Tigger93

    Trusted Helper

  • Retired Staff
  • 1,870 posts
Hello SilkWWU and welcome to Geekstogo.

Soory for your delay. I'm currently checking your log and will post back with a reply shortly. :whistling:
  • 0

#3
Tigger93
Posted 31 March 2006 - 08:43 PM

Tigger93

    Trusted Helper

  • Retired Staff
  • 1,870 posts
You are currently using HijackThis from a temporary directory, this can cause problems.
HijackThis creates backups, these are needed in case of any recovery issues.
Please create a directory on your C:\ drive called C:\HJT, download and unzip HijackThis into that directory. Run the program from that directory from now on.

STEPS For Creating Folder
  • 1. Please go to My Computer, open your C:\ drive, Select: New >> Folder and name the folder HJT.

    2. Download HijackThis to the new folder:

    3. Double Click on 'HijackThis.zip' to extract and install HijackThis.exe to the new folder.

    ==================================================
    Before we go on, can you tell me weather you install these programs intentionally?[list]
  • Poker Messenger
  • EmpirePoker
  • UltimateBet
  • PartyGaming
  • royalvegasMPP


If you did, you you use them? Please let me know in your next reply.
==================================================
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML

O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

Viewpoint Toolbar
Ebates_MoeMoneyMaker

Please note any other programs that you dont recognize in that list in your next response

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\Program Files\Viewpoint\
C:\Program Files\Ebates_MoeMoneyMaker\

After that, Reboot.

Please post a new HiJackThis log and the results about those programs, please. :whistling:
  • 0

#4
SilkWWU
Posted 01 April 2006 - 04:01 AM

SilkWWU

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
I had installed a bunch of poker programs yes. But I deleted all of them when I rebooted into safe mode EXCEPT party poker and Ultimatebet.net/.com. I also ran adaware and found that the trojan still showed up, so we haven't gotten it yet. (I then went and tested this and found that my Microsoft Office programs still do not run. So here is my new and improved HJT folder. Thanks for coming to my rescue.

Logfile of HijackThis v1.99.1
Scan saved at 1:57:17 AM, on 4/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\vsnpstd.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Common Files\AOL\1128570150\ee\AOLHostManager.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\AOL\1128570150\ee\AOLServiceHost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\PC Tools AntiVirus\ScanningProcess.exe
C:\Program Files\PC Tools AntiVirus\ScanningProcess.exe
C:\Program Files\Common Files\AOL\1128570150\ee\AOLServiceHost.exe
C:\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Profiles\default\1ju5e06w.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128570150\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.1.2.76.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by3fd.bay3.ho...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1108659059125
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
  • 0

#5
Tigger93
Posted 01 April 2006 - 10:54 AM

Tigger93

    Trusted Helper

  • Retired Staff
  • 1,870 posts
Hello again.

Re-open HJT and fix the following:
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe

Please download ewido anti-malware it is a free version of the program.
  • Install ewido anti-malware
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido anti-malware.

Please post back with a new HiJackThis log and the Ewido log, please. :whistling:
  • 0

#6
SilkWWU
Posted 01 April 2006 - 02:49 PM

SilkWWU

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Ok here is my two scans. I had a 111 objects infected and cleaned, so we will see what this does.

EWIDO SCAN LOG[/u]

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:45:00 PM, 4/1/2006
+ Report-Checksum: 578601F7

+ Scan result:

HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Adware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\SearchRelevancy -> Adware.SearchRelevancy : Cleaned with backup
HKLM\SOFTWARE\SearchRelevancy\Update -> Adware.SearchRelevancy : Cleaned with backup
[1332] C:\WINDOWS\system32\taskdir.dll -> Proxy.Lager.aq : Error during cleaning
[340] C:\WINDOWS\system32\taskdir.dll -> Proxy.Lager.aq : Error during cleaning
[1020] C:\WINDOWS\system32\taskdir.dll -> Proxy.Lager.aq : Error during cleaning
[2128] C:\WINDOWS\system32\taskdir.dll -> Proxy.Lager.aq : Error during cleaning
[3960] C:\WINDOWS\system32\taskdir.dll -> Proxy.Lager.aq : Error during cleaning
:mozilla.14:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Firefox\Profiles\iq836tru.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Firefox\Profiles\iq836tru.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Firefox\Profiles\iq836tru.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Firefox\Profiles\iq836tru.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Firefox\Profiles\iq836tru.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Firefox\Profiles\iq836tru.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Firefox\Profiles\iq836tru.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Firefox\Profiles\iq836tru.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Firefox\Profiles\iq836tru.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Firefox\Profiles\iq836tru.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Firefox\Profiles\iq836tru.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Firefox\Profiles\iq836tru.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Firefox\Profiles\iq836tru.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Firefox\Profiles\iq836tru.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Firefox\Profiles\iq836tru.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Firefox\Profiles\iq836tru.default\cookies.txt -> TrackingCookie.Centrport : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Firefox\Profiles\iq836tru.default\cookies.txt -> TrackingCookie.Centrport : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Firefox\Profiles\iq836tru.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Firefox\Profiles\iq836tru.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Firefox\Profiles\iq836tru.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Firefox\Profiles\iq836tru.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Firefox\Profiles\iq836tru.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Firefox\Profiles\iq836tru.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Firefox\Profiles\iq836tru.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Firefox\Profiles\iq836tru.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Firefox\Profiles\iq836tru.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Firefox\Profiles\iq836tru.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Firefox\Profiles\iq836tru.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Firefox\Profiles\iq836tru.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Firefox\Profiles\iq836tru.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Firefox\Profiles\iq836tru.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Firefox\Profiles\iq836tru.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Firefox\Profiles\iq836tru.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Profiles\default\1ju5e06w.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Profiles\default\1ju5e06w.slt\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Profiles\default\1ju5e06w.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Profiles\default\1ju5e06w.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Profiles\default\1ju5e06w.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Profiles\default\1ju5e06w.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Profiles\default\1ju5e06w.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Profiles\default\1ju5e06w.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Profiles\default\1ju5e06w.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Profiles\default\1ju5e06w.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Profiles\default\1ju5e06w.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Profiles\default\1ju5e06w.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Profiles\default\1ju5e06w.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Profiles\default\1ju5e06w.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Profiles\default\1ju5e06w.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Profiles\default\1ju5e06w.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Profiles\default\1ju5e06w.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Profiles\default\1ju5e06w.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Profiles\default\1ju5e06w.slt\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Profiles\default\1ju5e06w.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Profiles\default\1ju5e06w.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Profiles\default\1ju5e06w.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Profiles\default\1ju5e06w.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Profiles\default\1ju5e06w.slt\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Profiles\default\1ju5e06w.slt\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Profiles\default\1ju5e06w.slt\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Profiles\default\1ju5e06w.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Profiles\default\1ju5e06w.slt\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Profiles\default\1ju5e06w.slt\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Profiles\default\1ju5e06w.slt\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Profiles\default\1ju5e06w.slt\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Profiles\default\1ju5e06w.slt\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Profiles\default\1ju5e06w.slt\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Travis Greenwood\Cookies\travis greenwood@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Travis Greenwood\Cookies\travis [email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Travis Greenwood\Cookies\travis greenwood@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Travis Greenwood\Cookies\travis greenwood@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Travis Greenwood\Cookies\travis greenwood@burstnet[3].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Travis Greenwood\Cookies\travis greenwood@cliks[2].txt -> TrackingCookie.Cliks : Cleaned with backup
C:\Documents and Settings\Travis Greenwood\Cookies\travis greenwood@cliks[4].txt -> TrackingCookie.Cliks : Cleaned with backup
C:\Documents and Settings\Travis Greenwood\Cookies\travis greenwood@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Travis Greenwood\Cookies\travis [email protected][1].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Travis Greenwood\Cookies\travis [email protected][2].txt -> TrackingCookie.Sexcounter : Cleaned with backup
C:\Documents and Settings\Travis Greenwood\Cookies\travis greenwood@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Travis Greenwood\Cookies\travis [email protected][2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Travis Greenwood\Cookies\travis greenwood@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Travis Greenwood\Cookies\travis [email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Travis Greenwood\Cookies\travis greenwood@sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Travis Greenwood\Cookies\travis greenwood@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Travis Greenwood\Cookies\travis [email protected][1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Travis Greenwood\Local Settings\Temp\Cookies\travis greenwood@abetterinternet[2].txt -> TrackingCookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Travis Greenwood\Local Settings\Temp\Cookies\travis [email protected][2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Travis Greenwood\Local Settings\Temp\Cookies\travis greenwood@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Travis Greenwood\Local Settings\Temp\Cookies\travis greenwood@cliks[2].txt -> TrackingCookie.Cliks : Cleaned with backup
C:\Documents and Settings\Travis Greenwood\Local Settings\Temp\Cookies\travis [email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Travis Greenwood\Local Settings\Temp\Cookies\travis [email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Travis Greenwood\Local Settings\Temp\Cookies\travis [email protected][1].txt -> TrackingCookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Travis Greenwood\Local Settings\Temp\Cookies\travis [email protected][1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Program Files\AdStatus Service -> Adware.WinTaskAd : Cleaned with backup
C:\Program Files\SearchRelevant\SearchRelevant.dll -> Adware.Relevance : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP546\A0040683.exe -> Not-A-Virus.Downloader.Win32.DigStream.a : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\QDow_AS2.dll -> Downloader.QDown.p : Cleaned with backup
C:\WINDOWS\SYSTEM32\MB.dll -> Dropper.Small.so : Cleaned with backup
C:\WINDOWS\SYSTEM32\pajxuorq.mhw -> Trojan.Agent.qe : Cleaned with backup
C:\WINDOWS\SYSTEM32\parad.raw.exe -> Proxy.Lager.at : Cleaned with backup
C:\WINDOWS\SYSTEM32\taskdir.exe -> Proxy.Lager.at : Cleaned with backup
C:\WINDOWS\SYSTEM32\voblaizdupla.exe -> Downloader.Small.ciw : Cleaned with backup
C:\WINDOWS\SYSTEM32\__delete_on_reboot__taskdir.dll -> Proxy.Lager.aq : Cleaned with backup


::Report End



HIJACK THIS LOG[u]

Logfile of HijackThis v1.99.1
Scan saved at 12:48:15 PM, on 4/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\vsnpstd.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Common Files\AOL\1128570150\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1128570150\ee\AOLServiceHost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\taskdir~.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\ewido anti-malware\securitysuite.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Travis Greenwood\Application Data\Mozilla\Profiles\default\1ju5e06w.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128570150\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.1.2.76.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by3fd.bay3.ho...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1108659059125
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
  • 0

#7
Tigger93
Posted 01 April 2006 - 07:14 PM

Tigger93

    Trusted Helper

  • Retired Staff
  • 1,870 posts
Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\taskdir.dll
    C:\WINDOWS\system32\taskdir~.exe
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Please post back with a new HiJackThis log then please.

Otherwise, everything else looks clean. :whistling: Are you still having any problems?
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP