deskbar and some other stuff [RESOLVED]


  • This topic is locked

#16 WalrusGiraffe (Topic Starter, Member, 17 posts)
Logfile of HijackThis v1.99.1
Scan saved at 9:59:40 PM, on 8/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HSMIDI.EXE
C:\Program Files\AIM95\aim.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\yeh\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\oycmw.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,aujqhdk.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [MIDI Sound Handler] HSMIDI.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\RunOnce: [MIDI Sound Handler] HSMIDI.EXE
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


Everything is a bit better now. My regedit and task manager still can't stay open for more than a second, and I'm getting popups in Firefox and sometimes my Firefox closes by itself.

Edited by WalrusGiraffe, 27 August 2006 - 11:12 PM.



#17 Ryan (Member, 4,867 posts)
Please download Qoofix by Rubber Ducky to your desktop.
  • Right click on the Qoofix folder, and choose "Extract All". Extract Qoofix to your C: drive
  • Close all windows and programs, including internet windows.
  • Go to C:\Qoofix and open the folder, then double click on Qoofix.exe
  • Click Begin Removal and wait for the scan to finish
  • If Qoofix finds an infection, select yes to restart your computer
  • You will now find a log from this tool, located at C:\Qoofix\Qoofix Logfile.txt. Copy and paste the contents of that report into your next reply here.
-Ryan

#18 WalrusGiraffe (Topic Starter, Member, 17 posts)
Qoofix v1.03 by http://www.malwarebytes.org
Scan started on [8/28/2006] at [4:36:34 PM]
-------------------------------------------------------------
Terminated module: fwkiogv.dll found in Qoofix.exe (592)
Terminated module: fwkiogv.dll found in ypliwx.exe (1420)
Terminated module: fwkiogv.dll found in explorer.exe (1440)
Terminated module: fwkiogv.dll found in oycmw.exe (1448)
Terminated module: fwkiogv.dll found in oycmw.exe (1464)
Terminated module: fwkiogv.dll found in oycmw.exe (1472)
Terminated module: fwkiogv.dll found in Steam.exe (212)
Terminated module: fwkiogv.dll found in CursorXP.exe (208)
Terminated module: fwkiogv.dll found in msnmsgr.exe (220)
Terminated module: fwkiogv.dll found in Skype.exe (224)
Terminated module: fwkiogv.dll found in YahooWidgetEngine.exe (288)
Terminated module: fwkiogv.dll found in YahooWidgetEngine.exe (960)
Terminated module: fwkiogv.dll found in YahooWidgetEngine.exe (1100)
Terminated module: fwkiogv.dll found in mpbtn.exe (1140)
Terminated module: fwkiogv.dll found in YahooWidgetEngine.exe (1228)
Terminated module: fwkiogv.dll found in YahooWidgetEngine.exe (1272)
Terminated module: fwkiogv.dll found in YahooWidgetEngine.exe (1320)
Terminated module: fwkiogv.dll found in YahooWidgetEngine.exe (1024)
Terminated module: fwkiogv.dll found in YahooWidgetEngine.exe (1432)
Terminated module: fwkiogv.dll found in YahooWidgetEngine.exe (1576)
Terminated module: fwkiogv.dll found in YahooWidgetEngine.exe (1564)
-------------------------------------------------------------
C:\WINDOWS\system32\aujqhdk.exe will be deleted on reboot!
C:\WINDOWS\system32\enalj.dat will be deleted on reboot!
C:\WINDOWS\system32\fwkiogv.dll will be deleted on reboot!
C:\WINDOWS\system32\oycmw.exe will be deleted on reboot!
C:\WINDOWS\system32\ypliwx.exe will be deleted on reboot!
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\qwwjd.exe will be deleted on reboot!

User prompted YES to reboot, system now rebooting...
-------------------------------------------------------------
Scan COMPLETED SUCCESSFULLY on [8/28/2006] at [4:37:32 PM]

Note: Some registry keys may have been removed.

#19 Ryan (Member, 4,867 posts)
You already have ewido, so just skip to the part about updating it.

First download ewido anti-spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program.
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close ewido anti-spyware. Do Not run a scan just yet, we will shortly.
  • Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
    IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process:
  • Launch ewido anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan along with a new HijackThis log.
-Ryan

#20 WalrusGiraffe (Topic Starter, Member, 17 posts)
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:42:13 PM 8/28/2006

+ Scan result:



C:\WINDOWS\Temp\shopbiz.exe -> Adware.MDH : Error during cleaning.
C:\WINDOWS\Temp\A5AC.tmp/cvn0.exe -> Adware.SearchAssistant : Error during cleaning.
C:\WINDOWS\Temp\D5D1.tmp/cvn0.exe -> Adware.SearchAssistant : Error during cleaning.
C:\WINDOWS\Temp\E7A33.tmp/cvn0.exe -> Adware.SearchAssistant : Error during cleaning.
C:\WINDOWS\Temp\F3A1.tmp/cvn0.exe -> Adware.SearchAssistant : Error during cleaning.
C:\WINDOWS\Temp\A5AC.tmp/wfxqhv.exe -> Adware.Suggestor : Error during cleaning.
C:\WINDOWS\Temp\A5AC.tmp/zqskw.exe -> Adware.Suggestor : Error during cleaning.
C:\WINDOWS\Temp\D5D1.tmp/wfxqhv.exe -> Adware.Suggestor : Error during cleaning.
C:\WINDOWS\Temp\D5D1.tmp/zqskw.exe -> Adware.Suggestor : Error during cleaning.
C:\WINDOWS\Temp\E7A33.tmp/wfxqhv.exe -> Adware.Suggestor : Error during cleaning.
C:\WINDOWS\Temp\E7A33.tmp/zqskw.exe -> Adware.Suggestor : Error during cleaning.
C:\WINDOWS\Temp\F3A1.tmp/wfxqhv.exe -> Adware.Suggestor : Error during cleaning.
C:\WINDOWS\Temp\F3A1.tmp/zqskw.exe -> Adware.Suggestor : Error during cleaning.
C:\WINDOWS\Temp\i1C.tmp -> Adware.SurfSide : Error during cleaning.
C:\WINDOWS\Temp\i3C.tmp -> Adware.SurfSide : Error during cleaning.
C:\WINDOWS\Temp\iD.tmp -> Adware.SurfSide : Error during cleaning.
C:\WINDOWS\Temp\iE.tmp -> Adware.SurfSide : Error during cleaning.
C:\WINDOWS\Temp\GLB1F.tmp/empty_00000001 -> Adware.Ucmore : Error during cleaning.
C:\WINDOWS\Temp\GLB20.tmp/empty_00000001 -> Adware.Ucmore : Error during cleaning.
C:\WINDOWS\Temp\GLB26.tmp/empty_00000001 -> Adware.Ucmore : Error during cleaning.
C:\WINDOWS\Temp\GLB4B.tmp/empty_00000001 -> Adware.Ucmore : Error during cleaning.
C:\WINDOWS\Temp\f104453.exe -> Downloader.Qoologic.bj : Error during cleaning.
C:\WINDOWS\Temp\f118187.exe -> Downloader.Qoologic.bj : Error during cleaning.
C:\WINDOWS\Temp\f2822921.exe -> Downloader.Qoologic.bj : Error during cleaning.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla\Firefox\Profiles\o3cunnqh.default\Cache\B23E4567d01 -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
:mozilla.144:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\yeh\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\yeh\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\yeh\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\yeh\Cookies\[email protected][1].txt -> TrackingCookie.Addynamix : Cleaned with backup (quarantined).
C:\Documents and Settings\yeh\Cookies\yeh@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.10:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.11:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.6:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.7:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.9:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
C:\Documents and Settings\yeh\Cookies\yeh@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.48:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\yeh\Cookies\yeh@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
:mozilla.146:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned with backup (quarantined).
:mozilla.176:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.177:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
C:\Documents and Settings\yeh\Cookies\yeh@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.159:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
:mozilla.14:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\yeh\Cookies\yeh@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\yeh\Cookies\[email protected][1].txt -> TrackingCookie.Enhance : Cleaned with backup (quarantined).
C:\Documents and Settings\yeh\Cookies\[email protected][1].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
C:\Documents and Settings\yeh\Cookies\[email protected][2].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
C:\Documents and Settings\yeh\Cookies\[email protected][2].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.174:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.175:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.136:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Findwhat : Cleaned with backup (quarantined).
C:\Documents and Settings\yeh\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\yeh\Cookies\yeh@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\yeh\Cookies\[email protected][1].txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.185:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
C:\Documents and Settings\yeh\Cookies\yeh@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
:mozilla.84:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.87:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.89:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.91:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.153:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Popularix : Cleaned with backup (quarantined).
:mozilla.37:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.38:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.39:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
C:\Documents and Settings\yeh\Cookies\[email protected][2].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
C:\Documents and Settings\yeh\Cookies\yeh@revenue[2].txt -> TrackingCookie.Revenue : Cleaned with backup (quarantined).
C:\Documents and Settings\yeh\Cookies\[email protected][2].txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
:mozilla.178:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.179:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.180:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.181:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.85:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
:mozilla.86:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
:mozilla.88:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
:mozilla.90:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
:mozilla.92:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
:mozilla.139:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.140:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
C:\Documents and Settings\yeh\Cookies\yeh@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.76:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.77:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.78:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.79:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.80:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\yeh\Cookies\yeh@targetnet[2].txt -> TrackingCookie.Targetnet : Cleaned with backup (quarantined).
C:\Documents and Settings\yeh\Cookies\[email protected][2].txt -> TrackingCookie.Tracking101 : Cleaned with backup (quarantined).
C:\Documents and Settings\yeh\Cookies\yeh@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.69:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.70:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.71:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.72:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
C:\Documents and Settings\yeh\Cookies\[email protected][2].txt -> TrackingCookie.Webtrendslive : Cleaned with backup (quarantined).
:mozilla.50:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.51:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.53:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.186:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.187:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.188:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
C:\Documents and Settings\yeh\Cookies\[email protected][1].txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
C:\Documents and Settings\yeh\Cookies\yeh@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
C:\WINDOWS\ms047135032-132.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\WINDOWS\system32\HSMidi.exe -> Worm.SpyBot.hd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kazaabackupfiles\101keygen.exe -> Worm.SpyBot.hd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kazaabackupfiles\Adobe-Photoshop.exe -> Worm.SpyBot.hd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kazaabackupfiles\Adobe-Product-Keygen.exe -> Worm.SpyBot.hd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kazaabackupfiles\Emulator.exe -> Worm.SpyBot.hd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kazaabackupfiles\Kaspersky.exe -> Worm.SpyBot.hd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kazaabackupfiles\N64.exe -> Worm.SpyBot.hd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kazaabackupfiles\PS.exe -> Worm.SpyBot.hd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kazaabackupfiles\PS2-Emulator.exe -> Worm.SpyBot.hd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kazaabackupfiles\PS2.exe -> Worm.SpyBot.hd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kazaabackupfiles\SNES.exe -> Worm.SpyBot.hd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kazaabackupfiles\Virus-Scan.exe -> Worm.SpyBot.hd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kazaabackupfiles\Windows XP All Keygen.exe -> Worm.SpyBot.hd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kazaabackupfiles\Windows.exe -> Worm.SpyBot.hd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kazaabackupfiles\XPSP2.exe -> Worm.SpyBot.hd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kazaabackupfiles\Xbox emulator.exe -> Worm.SpyBot.hd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kazaabackupfiles\Xbox rom.exe -> Worm.SpyBot.hd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kazaabackupfiles\Xbox.exe -> Worm.SpyBot.hd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kazaabackupfiles\info.exe -> Worm.SpyBot.hd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kazaabackupfiles\mIRC Keygen.exe -> Worm.SpyBot.hd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kazaabackupfiles\mIRC.exe -> Worm.SpyBot.hd : Cleaned with backup (quarantined).


::Report end



Logfile of HijackThis v1.99.1
Scan saved at 10:47:52 PM, on 8/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AIM95\aim.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\yeh\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [xhpawv] C:\WINDOWS\system32\ypliwx.exe reg_run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

*end log*

#21 Ryan (Member 4k, 4,867 posts)
Download smitRem.exe ©noahdfear, and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop (in Internet Explorer, right click on the Panda ActiveScan link and select "Copy Shortcut", then right click on your desktop and select "Paste Shortcut"; or in Firefox right-click the link, select "Save Link As" and save it to your desktop).


Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items and click FIX CHECKED:
===================================================
O4 - HKLM\..\Run: [xhpawv] C:\WINDOWS\system32\ypliwx.exe reg_run
===================================================

Close HiJackThis.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C:, or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut.
  • Once you are on the Panda site click the Scan your PC button.
  • A new window will open...click the Check Now button.
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When the download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log, and the contents of smitfiles.txt by using Add Reply.

-Ryan
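How a helper picks the lines to fix out of a HijackThis log, as an added example that is not part of this thread and not HijackThis's own code: a small Python triage script that parses O4, O18 and O23 lines and flags the two patterns acted on above, a random-named autostart under the Windows directory and a text/html MIME filter, plus services with no publisher for manual review. The sample log lines are a constructed excerpt in the shape of the log above; the vowel-ratio "random name" heuristic and the severity labels are my assumptions, not HijackThis rules.

```python
"""Triage helper for HijackThis v1.99 log lines (added example, not part of the thread)."""
import re
from typing import List, Optional, Tuple

VOWELS = set("aeiou")

# Constructed excerpt in the shape of the log above (a few lines, not the whole log).
SAMPLE_LOG = r"""O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [xhpawv] C:\WINDOWS\system32\ypliwx.exe reg_run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

O4_RE = re.compile(r"O4 - HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[([^\]]*)\] (.*)")
O18_RE = re.compile(r"O18 - Filter: (\S+) - \{[0-9A-Fa-f-]+\} - (.*)")
O23_RE = re.compile(r"O23 - Service: .* - Unknown owner - (.*)")


def looks_random(name: str) -> bool:
    """Heuristic (an assumption, not a HijackThis rule): 5+ lowercase letters with few
    vowels, the shape of dropper names such as 'ypliwx' or 'xhpawv'."""
    if not re.fullmatch(r"[a-z]{5,}", name):
        return False
    return sum(ch in VOWELS for ch in name) / len(name) <= 0.25


def target_path(command: str) -> str:
    """Executable part of an O4 command line: the quoted path, or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def file_stem(path: str) -> str:
    """'C:\\WINDOWS\\system32\\ypliwx.exe' -> 'ypliwx'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def triage_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a line worth attention, or None."""
    m = O4_RE.match(line)
    if m:
        value_name, command = m.groups()
        path = target_path(command)
        if "\\windows\\" in path.lower() and looks_random(file_stem(path)) and looks_random(value_name):
            return "high", f"autostart [{value_name}] runs random-named {path} from the Windows tree"
        return None
    m = O18_RE.match(line)
    if m:
        mime, dll = m.groups()
        # A MIME filter on text/html sees every page Internet Explorer renders and almost
        # no legitimate software installs one, so treat it as a removal candidate.
        sev = "high" if mime in ("text/html", "text/plain") else "review"
        return sev, f"MIME filter on {mime} via {dll}"
    m = O23_RE.match(line)
    if m:
        return "review", f"service binary {m.group(1)} has no publisher; verify it before removing"
    return None


def triage(log: str) -> List[Tuple[str, str, str]]:
    """Run triage over a whole log; returns (section, severity, reason) in log order."""
    findings = []
    for line in log.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append((line.split(" - ", 1)[0], hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    for section, severity, reason in triage(SAMPLE_LOG):
        print(f"{section:<4} {severity:<7} {reason}")
```

Run against the sample it reports the [xhpawv] autostart and the text/html filter as high and the unknown-owner service as review only; the NvCpl, Skype and Bonjour lines pass, which is the point of keeping the name heuristic tied to the Windows directory so ordinary lowercase program names in Program Files are not flagged.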

#22 WalrusGiraffe (Topic Starter, 17 posts)
smitRem © log file
version 3.1

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
"IE"="6.0000"
The current date is: Wed 08/30/2006
The current time is: 17:51:52.45

Running from
C:\Documents and Settings\yeh\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!


checking for drsmartload2 key

drsmartload2 key present!



Running drsmartload2 fix!



drsmartload2 key was successfully removed! :whistling:

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
AlfaCleaner uninstaller NOT present
SpyFalcon uninstaller NOT present
SpywareQuake uninstaller NOT present
SpywareSheriff uninstaller NOT present
Trust Cleaner uninstaller NOT present
SpyHeal uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

amcompat.tlb
nscompat.tlb
logfiles


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 724 'explorer.exe'
Killing PID 724 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :blink:




Incident Status Location

Adware:adware/sqwire Not disinfected c:\windows\system32\tsuninst.exe
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\yeh\Local Settings\Temporary Internet Files\Ssk.log
Adware:adware/dollarrevenue Not disinfected c:\windows\drsmartload2.dat
Adware:adware/commad Not disinfected c:\windows\uninstall_nmon.vbs
Adware:adware/wupd Not disinfected Windows Registry
Adware:adware/popper Not disinfected Windows Registry
Adware:adware/dyfuca Not disinfected Windows Registry
Adware:adware/exact.bargainbuddy Not disinfected Windows Registry
Adware:adware/cws.aboutblank Not disinfected Windows Registry
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\LocalService\Cookies\system@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\LocalService\Cookies\system@errorsafe[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
Adware:Adware/ActiveSearch Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S1KLMLAB\deskbar[1].exe
Adware:Adware/CommAd Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S1KLMLAB\installer[1].exe
Adware:Adware/Deskwizz Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W50NGTMV\RDFX4[1].exe
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt[.advertising.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt[data.coremetrics.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt[.go.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt[.drivecleaner.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt[stats.drivecleaner.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt[.belnk.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt[.xiti.com/]
Spyware:Cookie/MetriWeb Not disinfected C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt[.metriweb.be/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt[.toplist.cz/]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\yeh\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4430eec2-1fc89a8c.zip[Dummy.class]
Virus:Trj/Classloader.G Disinfected C:\Documents and Settings\yeh\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-12053f31-5c9beb47.zip[Beyond.class]
Virus:Trj/Classloader.G Disinfected C:\Documents and Settings\yeh\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-12053f31-5c9beb47.zip[BlackBox.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\yeh\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-12053f31-5c9beb47.zip[Dummy.class]
Virus:Trj/Classloader.G Disinfected C:\Documents and Settings\yeh\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-12053f31-5c9beb47.zip[VerifierBug.class]
Adware:Adware/IST.ISTBar Not disinfected C:\Documents and Settings\yeh\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3c936701-1df854a0.zip[javainstaller/InstallerApplet.class]
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\yeh\Cookies\yeh@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\yeh\Cookies\yeh@888[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\yeh\Cookies\yeh@adrevolver[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\yeh\Cookies\yeh@apmebf[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\yeh\Cookies\yeh@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\yeh\Cookies\yeh@atwola[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\yeh\Cookies\yeh@belnk[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\yeh\Cookies\yeh@cassava[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\yeh\Cookies\[email protected][2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\yeh\Cookies\yeh@doubleclick[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\yeh\Cookies\yeh@drivecleaner[2].txt
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\yeh\Cookies\yeh@entrepreneur[1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\yeh\Cookies\yeh@errorsafe[2].txt
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\yeh\Cookies\yeh@fortunecity[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\yeh\Cookies\yeh@realmedia[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\yeh\Cookies\[email protected][1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\yeh\Cookies\[email protected][2].txt
Spyware:Cookie/TargetSaver Not disinfected C:\Documents and Settings\yeh\Cookies\yeh@targetsaver[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\yeh\Cookies\[email protected][2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\yeh\Cookies\[email protected][1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\yeh\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\yeh\Desktop\smitRem.exe[smitRem/Process.exe]
Potentially unwanted tool:Application/FileProtec.A Not disinfected C:\WINDOWS\FlyakiteOSX\Tools\wfpdisable.exe
Adware:Adware/Deskwizz Not disinfected C:\WINDOWS\RDFX4.exe
Virus:Trj/Downloader.KCX Disinfected C:\WINDOWS\srvaugtanz.exe
Spyware:Spyware/7r7t Not disinfected C:\WINDOWS\srvhovydbg.exe
Spyware:Spyware/7r7t Not disinfected C:\WINDOWS\srvkyteift.exe
Virus:Trj/Downloader.KCX Disinfected C:\WINDOWS\srvlfqzsin.exe
Virus:Trj/Downloader.KCX Disinfected C:\WINDOWS\srvntvwjsq.exe
Virus:Trj/Downloader.KCX Disinfected C:\WINDOWS\srvoesbqpv.exe
Spyware:Spyware/7r7t Not disinfected C:\WINDOWS\srvwgopkdb.exe
Spyware:Spyware/7r7t Not disinfected C:\WINDOWS\srvwxctbcg.exe
Spyware:Spyware/7r7t Not disinfected C:\WINDOWS\srvyeyqdaf.exe
Potentially unwanted tool:Application/Restart Not disinfected C:\WINDOWS\system32\Tools\Restart.exe
Adware:Adware/CommAd Not disinfected C:\WINDOWS\WUVIIFhQ\qopKKI1k.vbs



Logfile of HijackThis v1.99.1
Scan saved at 7:30:32 PM, on 8/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\program files\valve\steam\steam.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\yeh\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


my task manager and regedit can stay open now but my flyakite doesn't work anymore

Edited by WalrusGiraffe, 30 August 2006 - 08:44 PM.


#23 Ryan (Member 4k, 4,867 posts)
I'm not sure why flyakite suddenly stopped working; nothing we did should have affected it. The only time that it showed up was in the Panda scan, but nothing was done to it. Once we are all done, you can reinstall it. If you do it before we finish, there is a chance that it could stop working (especially since I don't know why it stopped in the first place).

You will want to print out a copy of these instructions to follow while you complete this procedure, as you will not be able to access the internet later in the fix.

Run Ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Close ewido, we'll be using it later.

Please open notepad, and copy and paste everything in the code box below into it.

del "c:\windows\system32\tsuninst.exe"
del "C:\Documents and Settings\yeh\Local Settings\Temporary Internet Files\Ssk.log"
del "c:\windows\drsmartload2.dat"
del "c:\windows\uninstall_nmon.vbs"
del "C:\WINDOWS\RDFX4.exe"
del "C:\WINDOWS\srvaugtanz.exe"
del "C:\WINDOWS\srvhovydbg.exe"
del "C:\WINDOWS\srvkyteift.exe"
del "C:\WINDOWS\srvlfqzsin.exe"
del "C:\WINDOWS\srvntvwjsq.exe"
del "C:\WINDOWS\srvoesbqpv.exe"
del "C:\WINDOWS\srvwgopkdb.exe"
del "C:\WINDOWS\srvwxctbcg.exe"
del "C:\WINDOWS\srvyeyqdaf.exe"
rem del on a folder path stops at an "Are you sure" prompt; remove the dropped folder and its contents instead
rmdir /s /q "C:\WINDOWS\WUVIIFhQ"
del "C:\WINDOWS\system32\xeymi.dll"

Save the file as "begone2.bat" (include the quotes) to your desktop. It should look like a white DOS window with a gear inside.


Open HiJack This, and mark the box next to

O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll

Close all other windows and press Fix Checked


Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).

Double click on begone2.bat. A black window will open, and then quickly close, this is normal.


Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use the Firefox browser, click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser, click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process:
  • Launch ewido-anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan.
-Ryan
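Turning a Panda ActiveScan report into a cleanup batch like the begone2.bat above, as an added example that is not part of this thread and not Panda's or the helper's own code: Python that parses the "Incident Status Location" rows, skips registry hits (those are fixed through HijackThis), tracking cookies (the browser cache cleaner's job) and the removal tools' own components, and emits one del line per remaining file. The sample rows are a subset copied from the report posted above. One assumption goes a step beyond the hand-written list: when the hit is a member inside a cached .zip/.jar archive, the whole archive is removed, since the archive is the file on disk.

```python
"""Build a cleanup batch from a Panda ActiveScan report (added example, not part of the thread)."""
import re
from typing import Dict, List, Tuple

# Row shape: "<incident> <status> <location>", where status is one of two fixed phrases
# and the incident name may itself contain spaces ("Spyware:Cookie/Atlas DMT").
ROW_RE = re.compile(r"^(?P<incident>.+?) (?P<status>Not disinfected|Disinfected) (?P<location>.+)$")

# Rows copied from the report posted above (a subset, including the cases the rules must skip).
SAMPLE_REPORT = r"""Incident Status Location
Adware:adware/sqwire Not disinfected c:\windows\system32\tsuninst.exe
Adware:adware/wupd Not disinfected Windows Registry
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\LocalService\Cookies\system@belnk[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt[.atdmt.com/]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\yeh\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4430eec2-1fc89a8c.zip[Dummy.class]
Virus:Trj/Downloader.KCX Disinfected C:\WINDOWS\srvaugtanz.exe
Spyware:Spyware/7r7t Not disinfected C:\WINDOWS\srvhovydbg.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\yeh\Desktop\smitRem\Process.exe
Adware:Adware/CommAd Not disinfected C:\WINDOWS\WUVIIFhQ\qopKKI1k.vbs
"""


def parse_report(text: str) -> List[Dict[str, str]]:
    """Parse the report body into rows; the header and blank lines do not match and are dropped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def plan_cleanup(rows: List[Dict[str, str]]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Decide what the batch should do with each row.

    Returns (batch commands, skipped rows with the reason) so whoever reviews the plan
    can see what was left alone and why."""
    commands: List[str] = []
    skipped: List[Tuple[str, str]] = []
    seen = set()
    for row in rows:
        incident, location = row["incident"], row["location"]
        if location == "Windows Registry":
            skipped.append((location, "registry data; fix the matching HijackThis entry instead"))
            continue
        if incident.startswith("Spyware:Cookie/"):
            skipped.append((location, "tracking cookie; the browser cache cleaner clears these"))
            continue
        if incident.startswith("Potentially unwanted tool:"):
            skipped.append((location, "removal tool's own component; keep it"))
            continue
        target = location
        if "[" in location:
            # Member of a cached archive: the archive is the file on disk, so remove the
            # whole container (my assumption, a step beyond the hand-written list above).
            target = location.split("[", 1)[0]
        if target.lower() in seen:
            continue
        seen.add(target.lower())
        commands.append(f'del "{target}"')
    return commands, skipped


def render_batch(commands: List[str]) -> str:
    """Text of the batch file to paste into Notepad, one del per line."""
    return "\n".join(["@echo off"] + commands) + "\n"


if __name__ == "__main__":
    cmds, skipped = plan_cleanup(parse_report(SAMPLE_REPORT))
    print(render_batch(cmds))
    for location, why in skipped:
        print(f"skipped {location}: {why}")
```

The skipped list is returned rather than silently dropped on purpose: a cleanup batch runs blind in Safe Mode, so the decisions about what it does not touch are the ones worth reading before it runs.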

#24 WalrusGiraffe (Topic Starter, 17 posts)
ATF cleaner?

my flyakite stopped working after running the smitREM thing

Edited by WalrusGiraffe, 30 August 2006 - 09:38 PM.


#25 Ryan (Member 4k, 4,867 posts)
Sorry, could have sworn I thought I had you download it earlier...

Please download ATF Cleaner by Atribune.

Do that before you boot into Safe mode, and then follow the rest of the instructions accordingly.

-Ryan

Edited by rmurphy, 30 August 2006 - 09:42 PM.


#26 WalrusGiraffe (Topic Starter, 17 posts)
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:08:02 PM 8/30/2006

+ Scan result:



C:\!KillBox\rundll.exe -> Backdoor.SdBot.aqj : Cleaned with backup (quarantined).
:mozilla.124:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.125:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.15:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.16:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.17:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.18:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.19:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.29:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
:mozilla.94:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned with backup (quarantined).
:mozilla.53:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
:mozilla.97:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
:mozilla.61:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.62:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.63:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.71:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.103:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.104:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.100:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.101:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.98:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.99:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.68:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
:mozilla.69:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
:mozilla.70:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
:mozilla.72:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
:mozilla.64:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.65:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.66:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.67:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.85:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.102:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.23:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.24:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.25:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.26:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.27:C:\Documents and Settings\yeh\Application Data\Mozilla\Firefox\Profiles\nhakjsvv.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).


::Report end



It looks like everything is working just fine now. Thanks for all your help :whistling:!
  • 0

#27
Ryan

Ryan

    Member 4k

  • Member
  • 4,867 posts
Please post a new HijackThis log.

-Ryan
  • 0

#28
WalrusGiraffe

WalrusGiraffe

    Member

  • Topic Starter
  • Member
  • 17 posts
Logfile of HijackThis v1.99.1
Scan saved at 11:09:21 PM, on 8/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AIM95\aim.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\yeh\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
  • 0
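The log above is a fixed-format HijackThis report: a header, a "Running processes:" block, then one entry per line keyed by a section code (R0-R3, F0-F3, N1-N4, O1-O24). As an added example, not code from this thread or from HijackThis itself, here is a small Python parser that splits such a log into processes and entries and applies a few of the mechanical first-pass checks a helper makes when reading one: entries whose target is "(file missing)", the O10 "Unknown file in Winsock LSP" line, O23 services with "Unknown owner", and O4 autoruns that launch from a user-writable folder. The sample log is constructed for the example and modelled on the one posted; its second O4 line is invented so the last check has something to fire on, and the `USER_WRITABLE` heuristic is the example's own, not a HijackThis rule.

```python
import re
from collections import Counter

# Constructed sample in HijackThis v1.99 format, modelled on the log posted in
# this thread. The second O4 line is made up (no such entry is in the thread)
# so that the user-writable-location check has something to fire on.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 11:09:21 PM, on 8/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Bonjour\mDNSResponder.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [example] C:\Documents and Settings\user\Local Settings\Temp\example.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
"""

# Every HijackThis finding line starts with a section code (R0-R3, F0-F3,
# N1-N4, O1-O24) followed by " - ".
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")

# Locations a normal autorun should not launch from (example heuristic, not a rule).
USER_WRITABLE = re.compile(r"\\(?:Documents and Settings|Users)\\|\\Temp\\", re.I)


def parse_hjt(text):
    """Split a log into (running_processes, entries).

    entries is a list of {"section": "O4", "body": "..."} dicts in log order;
    header lines and blank lines are skipped.
    """
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process block
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append({"section": m.group("section"), "body": m.group("body")})
    return processes, entries


def review(entries):
    """Mechanical first-pass checks on parsed entries.

    Returns (section, reason, body) tuples. These only flag lines that deserve
    a closer look; they do not decide what is malicious.
    """
    findings = []
    for e in entries:
        sec, body = e["section"], e["body"]
        if "(file missing)" in body:
            findings.append((sec, "orphaned entry: target file missing", body))
        if sec == "O10" and body.startswith("Unknown file in Winsock LSP"):
            findings.append((sec, "LSP not on the tool's known list: identify its owner first", body))
        if sec == "O23" and "Unknown owner" in body:
            findings.append((sec, "service without vendor information: verify the binary", body))
        if sec == "O4":
            # Everything after the [Name] tag is the command line that runs.
            target = body.split("]", 1)[1] if "]" in body else body
            if USER_WRITABLE.search(target):
                findings.append((sec, "autorun launches from a user-writable location", body))
    return findings


def summarize(text):
    """Parse and review a log; returns a dict that is easy to assert on."""
    processes, entries = parse_hjt(text)
    return {
        "processes": len(processes),
        "entries": len(entries),
        "by_section": Counter(e["section"] for e in entries),
        "findings": review(entries),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['processes']} processes, {report['entries']} entries")
    for section, count in sorted(report["by_section"].items()):
        print(f"  {section}: {count}")
    for section, reason, body in report["findings"]:
        print(f"[{section}] {reason}\n    {body}")
```

Run against the constructed sample it reports two processes, seven entries and four findings (the invented Temp autorun, the orphaned Messenger button, the Bonjour LSP and the ATI service with no owner string). The point of a parser like this is triage, not verdicts: the O10 and O23 lines in the real log above are both benign, and a helper confirms that by checking the file on disk, which is exactly why the checks only say "look closer".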

#29
Ryan

Ryan

    Member 4k

  • Member
  • 4,867 posts
Congratulations, your log is CLEAN :whistling:

We have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
* CHECK the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Next, let's clean your restore points and set a new one:

Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files. (You will lose all previous restore points, which are likely to be infected.)

1. Turn off System Restore.
* On the Desktop, right-click My Computer.
* Click Properties.
* Click the System Restore tab.
* Check Turn off System Restore.
* Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
* On the Desktop, right-click My Computer.
* Click Properties.
* Click the System Restore tab.
* UN-Check Turn off System Restore.
* Click Apply, and then click OK.

System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 2 free ones available for personal use:

and a good antivirus (these are also free for personal use):

It is critical to have both a firewall and antivirus to protect your system and to keep them updated.

To keep your operating system up to date, visit monthly. And to keep your system clean, run these free malware scanners weekly, and be aware of what emails you open and websites you visit.

We highly recommend installing SP2 (if you haven't already). Click here: http://windowsupdate.microsoft.com/.
-or-
It's a very large download, so if you're on dial-up, order a free CD here:
http://www.microsoft...default810.mspx


To learn more about how to protect yourself while on the internet, read this article by Tony Klein: So how did I get infected in the first place?

Do you have any other questions or concerns? This thread will be left open for a few more days, so feel free to ask.

-Ryan
  • 0

#30
WalrusGiraffe

WalrusGiraffe

    Member

  • Topic Starter
  • Member
  • 17 posts
In my C drive directory there's this sti.txt file that I can't delete. I open it and the text reads:

22:52:32 - Create Log file handle!
22:52:32 - instance = 10000000
22:52:32 - dwReason = 1
22:52:32 - lpReserved=0
22:52:32 - DLLGetClassObject
22:52:32 - DLLRelease,close log file
22:52:32 - pDevName = 947e4022:52:32 - Enter GetCapabilities!!

22:52:32 - Enterring SetNotificationHandle
22:52:32 - SetDeviceEvent pDevName
22:52:32 - this is SetDeviceEvent
22:52:32 - CreateBindCtx ok

22:52:32 - Parse OK

22:52:32 - Bind OK

22:52:32 - KsOBJHandle OK!

22:52:32 - Open Device OK with Symbolinkname
22:52:32 - Event != NULL
22:52:32 - Enter Thread Cleanup!

22:52:32 - Enable notification monitoring OK


Should that be of any concern?
  • 0





