Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Minor Malware Infection


  • Please log in to reply

#1
Killbomb

Killbomb

    Member

  • Member
  • PipPip
  • 28 posts
Hello again. Time for my semi-annual visit to get rid of the malware I've accumulated. Guess I'll never learn... :whistling:

The problem I'm having is that requests for cookies will show up when I am not browsing and this causes any program I'm running to minimize itself. If I block cookies in IE, I won't see the request message but the program will still minimize. I'm not getting any random pop-up ads but when I try to use Google to search in IE, I get taken to a page other than the one I intended to go to when I click a link. Here's the HJT log...

Logfile of HijackThis v1.99.1
Scan saved at 6:51:39 PM, on 12/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Windows Media Connect 2\wmccds.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebgames.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_1/home.html"); (C:\Documents and Settings\Killbomb\Application Data\Mozilla\Profiles\default\wgpv4y1s.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Killbomb\Application Data\Mozilla\Profiles\default\wgpv4y1s.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DittoSideBar - {2E4136F6-A927-4337-8178-B7EBC309EFC4} - C:\Program Files\DittoSideBar\Dsb.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [dmqbj.exe] C:\WINDOWS\system32\dmqbj.exe
O4 - HKLM\..\RunOnce: [My Global Search Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -2
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by112fd.bay11...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123560657765
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123560650937
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemreq...m/sysreqlab.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{103F6B92-3126-4889-94C5-D5DE68B83434}: NameServer = 85.255.116.149,85.255.112.14
O17 - HKLM\System\CCS\Services\Tcpip\..\{51639E2A-F45D-40F1-AB95-CDC90769C85A}: NameServer = 85.255.116.149,85.255.112.14
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.149 85.255.112.14
O17 - HKLM\System\CS2\Services\Tcpip\..\{103F6B92-3126-4889-94C5-D5DE68B83434}: NameServer = 85.255.116.149,85.255.112.14
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.149 85.255.112.14
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
  • 0

Advertisements


#2
MFDnSC

MFDnSC

    Banned

  • Banned
  • PipPipPipPip
  • 1,137 posts
Get the current version of Ewido - Now AVG AS 7.5

http://www.ewido.net/en/download/

=================================

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout

http://downloads.sub.../Fixwareout.exe
or
http://swandog46.gee.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, Hijack This will launch.
Fix these with HJT – mark them, close IE, click fix checked

O17 - HKLM\System\CCS\Services\Tcpip\..\{103F6B92-3126-4889-94C5-D5DE68B83434}: NameServer = 85.255.116.149,85.255.112.14

O17 - HKLM\System\CCS\Services\Tcpip\..\{51639E2A-F45D-40F1-AB95-CDC90769C85A}: NameServer = 85.255.116.149,85.255.112.14

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.149 85.255.112.14

O17 - HKLM\System\CS2\Services\Tcpip\..\{103F6B92-3126-4889-94C5-D5DE68B83434}: NameServer = 85.255.116.149,85.255.112.14

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.149 85.255.112.14



If you have connection problems after this

* Go to Control Panel. - If you are using Windows XP's Category View, select the Network and Internet Connections category. If you are in Classic View, go to the next step .
· Double-click the Network Connections icon
· Right-click the Local Area Connection icon and select Properties.
· Hilight Internet Protocol (TCP/IP) and click the Properties button.
· Be sure Obtain DNS server address automatically is selected.
· OK your way out.

* Go to Start > Run and type in cmd
· Click OK.
· This will open a commad prompt.
· Type or copy and paste the following line in the command window:

ipconfig /flushdns
· Hit Enter
· Exit the command window

Do that before you restart.

=============
At the end of the fix, you may need to restart your computer again.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new Hijack This log.

==================================
If you get an Autoexec nt error do the following

XP Fix - http://www.visualtour.com/downloads/

Scroll down to get XP Fix

And run FixWareout again.
  • 0

#3
Killbomb

Killbomb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Thanks for the help and quick reply. Here's the fixware log...


Fixwareout
Last edited 12/06/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1813057AF5AC-4E7B-8AA4-6672-D0BD0A50{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}67CED3AD4F13-851A-E8C4-F4FA-71DD007F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\jbqmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1trap
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\2trap
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmqbj.exe"=-
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm kd and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSNSK.EXE 51,715 2006-09-17
C:\WINDOWS\SYSTEM32\DMQBJ.EXE 62,049 2004-08-04

Other suspects.
Directory of C:\WINDOWS\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.
  • 0

#4
Killbomb

Killbomb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
And here's the new HJT log...

Logfile of HijackThis v1.99.1
Scan saved at 7:50:17 PM, on 12/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\hjt\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_1/home.html"); (C:\Documents and Settings\Killbomb\Application Data\Mozilla\Profiles\default\wgpv4y1s.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Killbomb\Application Data\Mozilla\Profiles\default\wgpv4y1s.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DittoSideBar - {2E4136F6-A927-4337-8178-B7EBC309EFC4} - C:\Program Files\DittoSideBar\Dsb.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by112fd.bay11...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123560657765
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123560650937
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemreq...m/sysreqlab.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
  • 0

#5
MFDnSC

MFDnSC

    Banned

  • Banned
  • PipPipPipPip
  • 1,137 posts
You did not get the new version of Ewido!

You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HiJackThis – mark them, close IE, click fix checked

O2 - BHO: DittoSideBar - {2E4136F6-A927-4337-8178-B7EBC309EFC4} - C:\Program Files\DittoSideBar\Dsb.dll (file missing)

DownLoad http://www.downloads...org/KillBox.zip or
http://www.thespykil...les/killbox.exe

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\SYSTEM32\CSNSK.EXE
C:\WINDOWS\SYSTEM32\DMQBJ.EXE

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
  • 0

#6
Killbomb

Killbomb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Hehe...I actually downloaded the new Ewido but forgot to install it. :whistling: Anyway, nothing unusual happening right now. Haven't seen any random cookie requests but it sometimes can be a while between appearances. I haven't tried to run a program since we started the fixes so I don't know if the minimizing problem is gone or not. Here is the new HJT log...

Logfile of HijackThis v1.99.1
Scan saved at 8:32:50 PM, on 12/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
F:\Program Files\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_1/home.html"); (C:\Documents and Settings\Killbomb\Application Data\Mozilla\Profiles\default\wgpv4y1s.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Killbomb\Application Data\Mozilla\Profiles\default\wgpv4y1s.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by112fd.bay11...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123560657765
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123560650937
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemreq...m/sysreqlab.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


EDIT: I tried running a game and it minimized on its own again twice within 5 minutes. Once without a cookie request and once with one. Also, when I am typing my replies, sometime the window will "go gray" as if I clicked on the bottom taskbar. I have been experiencing this for a while as well, just forgot to mention it originally.

2nd EDIT: Sorry for all the edits but I thought I should get it in here before you replied. Anyway, I turned off the IE pop-up blocker to see what would happen and lo and behold, the pop-ups showed their ugly faces. This might be worse than I originally thought...

Edited by Killbomb, 06 December 2006 - 09:22 PM.

  • 0

#7
MFDnSC

MFDnSC

    Banned

  • Banned
  • PipPipPipPip
  • 1,137 posts
Go to the link below and download the trial version of SpySweeper:

SpySweeper http://www.webroot.c...s...4129&ac=tsg

(It's a 2 week trial.)

* Click the Try Spy Sweeper for FreeDownload the trial link.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All User Accounts
o Enable Direct Disk Sweeping
o Sweep Contents of Compressed Files
o Sweep for Rootkits

o Please UNCHECK Do not Sweep System Restore Folder.

* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.

Also post a new Hijack This log.
  • 0

#8
Killbomb

Killbomb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Here's the Spysweeper log...

5:47 PM: | End of Session, Thursday, December 07, 2006 |
5:43 PM: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
5:43 PM: Your spyware definitions have been updated.
5:42 PM: The Internet Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
5:41 PM: The Internet Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
5:41 PM: The Internet Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
5:41 PM: The Internet Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
Keylogger: Off
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites: Off
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
5:39 PM: Shield States
5:39 PM: Warning: Virus definitions files are invalid, please update your virus definitions. 220
5:39 PM: Spyware Definitions: 804
5:39 PM: Spy Sweeper 5.2.3.2132 started
5:39 PM: Spy Sweeper 5.2.3.2132 started
5:39 PM: | Start of Session, Thursday, December 07, 2006 |
********
8:09 PM: Removal process completed. Elapsed time 00:00:47
8:09 PM: Preparing to restart your computer. Please wait...
8:08 PM: Quarantining All Traces: 180search assistant/zango
8:08 PM: Quarantining All Traces: seekmo search assistant
8:08 PM: Quarantining All Traces: xren_cj cookie
8:08 PM: Quarantining All Traces: gamespy cookie
8:08 PM: Quarantining All Traces: go.com cookie
8:08 PM: Quarantining All Traces: adknowledge cookie
8:08 PM: Quarantining All Traces: about cookie
8:08 PM: c:\program files\messenger\saqymyh.html is in use. It will be removed on reboot.
8:08 PM: c:\program files\windows media player\visep.html is in use. It will be removed on reboot.
8:08 PM: deskwizz is in use. It will be removed on reboot.
8:08 PM: Quarantining All Traces: deskwizz
8:08 PM: Quarantining All Traces: mirar webband
8:08 PM: Quarantining All Traces: drsnsrch.com hijack
8:08 PM: Quarantining All Traces: engage sidebar
8:08 PM: Quarantining All Traces: zquest
8:08 PM: Quarantining All Traces: trojan-dropper-joiner
8:08 PM: Quarantining All Traces: surfsidekick
8:08 PM: Quarantining All Traces: trojan-dropper-mendoza
8:08 PM: Quarantining All Traces: trojan-downloader-basebar
8:08 PM: Quarantining All Traces: bookedspace
8:08 PM: Quarantining All Traces: zenosearchassistant
8:08 PM: Quarantining All Traces: purityscan
8:08 PM: Quarantining All Traces: trojan-downloader-iframecash.biz
8:08 PM: Quarantining All Traces: fullcontext
8:08 PM: Quarantining All Traces: trojan-downloader-zlob
8:08 PM: Quarantining All Traces: icannnews
8:08 PM: Removal process initiated
8:06 PM: Traces Found: 80
8:06 PM: Custom Sweep has completed. Elapsed time 02:18:11
8:06 PM: File Sweep Complete, Elapsed Time: 02:16:31
8:05 PM: C:\Documents and Settings\Killbomb\Start Menu\Programs\HQ Codec\Uninstall.lnk (1 subtraces) (ID = 2147528296)
8:01 PM: The Internet Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
8:01 PM: The Internet Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
8:01 PM: The Internet Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
8:01 PM: The Internet Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
7:46 PM: Warning: Unable to sweep compressed file: "c:\program files\vid_0e8fpid_0003\data1.cab": File not found
7:46 PM: Warning: Unable to sweep compressed file: External exception C0000006
7:44 PM: Warning: Stream read error
7:41 PM: The Internet Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
7:41 PM: The Internet Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
7:41 PM: The Internet Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
7:41 PM: The Internet Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
7:31 PM: Warning: Unable to sweep compressed file: External exception C0000006
7:30 PM: Warning: Unable to sweep compressed file: External exception C0000006
7:30 PM: Warning: Unable to sweep compressed file: External exception C0000006
7:21 PM: The Internet Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
7:21 PM: The Internet Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
7:21 PM: The Internet Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
7:21 PM: The Internet Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
7:04 PM: C:\Program Files\Netscape\Netscape\components\npclntax.xpt (ID = 146238)
7:04 PM: Found Adware: 180search assistant/zango
7:03 PM: C:\WINDOWS\system32\msnav32.ax (ID = 220229)
7:01 PM: The Internet Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
7:01 PM: The Internet Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
7:01 PM: The Internet Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
7:01 PM: The Internet Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
7:00 PM: C:\Documents and Settings\Killbomb\Application Data\Sskcwrd.dll (ID = 77712)
6:59 PM: Warning: PerformFileOffsetMatch Failed to check file "c:\program files\vid_0e8f&pid_0003\setup.exe". "c:\program files\vid_0e8fpid_0003\setup.exe": File not found
6:59 PM: C:\WINDOWS\system32\nt68rrtc12.sys (ID = 220230)
6:59 PM: Found Adware: zenosearchassistant
6:59 PM: Warning: Failed to open file "c:\documents and settings\killbomb\application data\mozilla\firefox\profiles\4vrvhtu6.default\parent.lock". The operation completed successfully
6:41 PM: The Internet Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
6:41 PM: The Internet Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
6:41 PM: The Internet Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
6:41 PM: The Internet Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
6:40 PM: Warning: Failed to read file "c:\program files\vivendi universal games\the simpsons hit run\art\frontend\scrooby2\bootup.p3d". Data error (cyclic redundancy check)
6:36 PM: c:\program files\?ecurity\n?lookup.exe (ID = 450)
6:36 PM: Found Adware: purityscan
6:35 PM: HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run || PSHope (ID = 0)
6:35 PM: C:\Program Files\PSHope\PSHope.exe (ID = 319341)
6:35 PM: C:\!KillBox\user32.exe( 2) (ID = 430)
6:35 PM: C:\Program Files\Netscape\Netscape\plugins\npclntax.dll (ID = 311129)
6:35 PM: Found Adware: seekmo search assistant
6:35 PM: C:\!KillBox\user32.exe (ID = 430)
6:35 PM: Found Trojan Horse: trojan-downloader-iframecash.biz
6:32 PM: C:\Program Files\Messenger\saqymyh.html (ID = 310472)
6:32 PM: C:\Program Files\Windows Media Player\visep.html (ID = 323861)
6:32 PM: Found Adware: deskwizz
6:30 PM: C:\hjt\backups\backup-20060626-210743-321.dll (ID = 294098)
6:29 PM: C:\!KillBox\VSL02.exe (ID = 290920)
6:29 PM: Found Adware: zquest
6:29 PM: C:\!KillBox\VSL05.exe (ID = 299775)
6:29 PM: Found Trojan Horse: trojan-dropper-joiner
6:26 PM: C:\!KillBox\lt.exe (ID = 319946)
6:25 PM: Warning: Failed to read file "c:\program files\geneforge 2\data\scripts\z11smarsh.txt". Data error (cyclic redundancy check)
6:24 PM: C:\Documents and Settings\Killbomb\Application Data\Sskknwrd.dll (ID = 77733)
6:24 PM: Found Adware: surfsidekick
6:21 PM: Warning: Failed to read file "c:\program files\kalonline\map\tomb7\tex\d02_pat_07.gtx". Data error (cyclic redundancy check)
6:21 PM: The Internet Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
6:21 PM: The Internet Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
6:21 PM: The Internet Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
6:21 PM: The Internet Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
6:20 PM: C:\!KillBox\Mendoza1.exe (ID = 318893)
6:20 PM: Found Trojan Horse: trojan-dropper-mendoza
6:18 PM: Warning: Failed to read file "c:\documents and settings\killbomb\application data\real\realone player\history\nixflix.com presents- the mostly-daily site blogger.lnk". Data error (cyclic redundancy check)
6:18 PM: C:\System Volume Information\_restore{77300b5a-1c75-4ba0-96c1-0f7c2721f979}\RP1003\A0230452.exe (ID = 319960)
6:18 PM: Found Adware: mirar webband
6:17 PM: C:\System Volume Information\_restore{77300b5a-1c75-4ba0-96c1-0f7c2721f979}\RP1003\A0230454.exe (ID = 301842)
6:14 PM: Warning: Failed to read file "c:\program files\firaxis games\sid meier's civilization 4 demo\assets\python\system\wx\html.pyc". Data error (cyclic redundancy check)
6:14 PM: C:\!KillBox\ssqbn.exe (ID = 323511)
6:14 PM: Found Trojan Horse: trojan-downloader-basebar
6:13 PM: Warning: Could not scan c:\windows\microsoft.net\framework\v2.0.50727\microsoft.jscript.tlb with file offset match. Error: External exception C0000006
6:13 PM: C:\!KillBox\srvhirwxjg.exe (ID = 303274)
6:12 PM: Warning: PerformFileOffsetMatch Failed to check file "c:\program files\vid_0e8f&pid_0003\_setup.dll". "c:\program files\vid_0e8fpid_0003\_setup.dll": File not found
6:12 PM: Warning: Failed to read file "c:\windows\$ntservicepackuninstall$\arialbd.ttf". Data error (cyclic redundancy check)
6:11 PM: Warning: Failed to read file "c:\program files\mdickie\wrestling mpire demo\items\weapons\belt.3ds". Data error (cyclic redundancy check)
6:11 PM: Warning: Could not scan c:\vundofix\vundofix\unzip.exe with file offset match. Error: External exception C0000006
6:11 PM: Warning: Failed to read file "c:\documents and settings\killbomb\my documents\my games\dungeon siege 2\save\prefs.gas". Data error (cyclic redundancy check)
6:10 PM: Warning: Failed to read file "c:\program files\ea sports\tiger woods pga tour 2004\sounds\commentary\f_2k4_if81_04_a.mp3". Data error (cyclic redundancy check)
6:06 PM: C:\Program Files\PSHope (2 subtraces) (ID = 2147523606)
6:06 PM: C:\Program Files\HQ Codec (1 subtraces) (ID = 2147528296)
6:06 PM: C:\WINDOWS\zAbstract (4 subtraces) (ID = 2147518024)
6:06 PM: Found Adware: bookedspace
6:06 PM: C:\Documents and Settings\Killbomb\Start Menu\Programs\HQ Codec (1 subtraces) (ID = 2147531231)
6:05 PM: Warning: DDA Failure, error reading MFT: 401611. of: 498832. Fragments: 850. TVolumeNtNTFS.Read failed 1: Read starts at: 0xCFACA3C00 Len :0x400
6:05 PM: Warning: DDA Failure, error reading MFT: 401610. of: 498832. Fragments: 850. TVolumeNtNTFS.Read failed 1: Read starts at: 0xCFACA3800 Len :0x400
6:05 PM: Warning: DDA Failure, error reading MFT: 401609. of: 498832. Fragments: 850. TVolumeNtNTFS.Read failed 1: Read starts at: 0xCFACA3400 Len :0x400
6:04 PM: Warning: DDA Failure, error reading MFT: 401608. of: 498832. Fragments: 850. TVolumeNtNTFS.Read failed 1: Read starts at: 0xCFACA3000 Len :0x400
6:02 PM: Warning: DDA Failure, error reading MFT: 360767. of: 498832. Fragments: 850. TVolumeNtNTFS.Read failed 1: Read starts at: 0x20092FC00 Len :0x400
6:02 PM: Warning: DDA Failure, error reading MFT: 360766. of: 498832. Fragments: 850. TVolumeNtNTFS.Read failed 1: Read starts at: 0x20092F800 Len :0x400
6:01 PM: The Internet Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
6:01 PM: The Internet Communication shield has blocked access to: MEDIA.TOP-BANNERS.COM
6:01 PM: The Internet Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
6:01 PM: The Internet Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
6:01 PM: Warning: DDA Failure, error reading MFT: 360765. of: 498832. Fragments: 850. TVolumeNtNTFS.Read failed 1: Read starts at: 0x20092F400 Len :0x400
6:00 PM: Warning: DDA Failure, error reading MFT: 347836. of: 498832. Fragments: 850. TVolumeNtNTFS.Read failed 1: Read starts at: 0x2189F2000 Len :0x400
5:57 PM: Warning: DDA Failure, error reading MFT: 339589. of: 498832. Fragments: 850. TVolumeNtNTFS.Read failed 1: Read starts at: 0x1FA239400 Len :0x400
5:56 PM: Warning: DDA Failure, error reading MFT: 339450. of: 498832. Fragments: 850. TVolumeNtNTFS.Read failed 1: Read starts at: 0x1FA216800 Len :0x400
5:55 PM: Warning: DDA Failure, error reading MFT: 339449. of: 498832. Fragments: 850. TVolumeNtNTFS.Read failed 1: Read starts at: 0x1FA216400 Len :0x400
5:55 PM: Warning: DDA Failure, error reading MFT: 339448. of: 498832. Fragments: 850. TVolumeNtNTFS.Read failed 1: Read starts at: 0x1FA216000 Len :0x400
5:53 PM: Warning: DDA Failure, error reading MFT: 332868. of: 498832. Fragments: 850. TVolumeNtNTFS.Read failed 1: Read starts at: 0x27BD78000 Len :0x400
5:49 PM: Starting File Sweep
5:49 PM: Warning: Failed to access drive A:
5:49 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
5:49 PM: c:\documents and settings\killbomb\cookies\[email protected]_cj[3].txt (ID = 3723)
5:49 PM: c:\documents and settings\killbomb\cookies\[email protected]_cj[2].txt (ID = 3723)
5:49 PM: c:\documents and settings\killbomb\cookies\[email protected]_cj[1].txt (ID = 3723)
5:49 PM: Found Spy Cookie: xren_cj cookie
5:49 PM: c:\documents and settings\killbomb\cookies\[email protected][2].txt (ID = 2719)
5:49 PM: c:\documents and settings\killbomb\cookies\[email protected][2].txt (ID = 2719)
5:49 PM: c:\documents and settings\killbomb\cookies\[email protected][1].txt (ID = 2719)
5:49 PM: c:\documents and settings\killbomb\cookies\[email protected][2].txt (ID = 2719)
5:49 PM: c:\documents and settings\killbomb\cookies\[email protected][1].txt (ID = 2038)
5:49 PM: c:\documents and settings\killbomb\cookies\[email protected][2].txt (ID = 2729)
5:49 PM: c:\documents and settings\killbomb\cookies\[email protected][2].txt (ID = 2719)
5:49 PM: c:\documents and settings\killbomb\cookies\[email protected][1].txt (ID = 2038)
5:49 PM: c:\documents and settings\killbomb\cookies\[email protected][1].txt (ID = 2729)
5:49 PM: c:\documents and settings\killbomb\cookies\[email protected][1].txt (ID = 2719)
5:49 PM: c:\documents and settings\killbomb\cookies\[email protected][2].txt (ID = 2719)
5:49 PM: c:\documents and settings\killbomb\cookies\[email protected][1].txt (ID = 2038)
5:49 PM: c:\documents and settings\killbomb\cookies\[email protected][1].txt (ID = 2719)
5:49 PM: c:\documents and settings\killbomb\cookies\[email protected][2].txt (ID = 2719)
5:49 PM: c:\documents and settings\killbomb\cookies\[email protected][1].txt (ID = 2728)
5:49 PM: c:\documents and settings\killbomb\cookies\[email protected][2].txt (ID = 2719)
5:49 PM: Found Spy Cookie: gamespy cookie
5:49 PM: c:\documents and settings\killbomb\cookies\[email protected][1].txt (ID = 2729)
5:49 PM: Found Spy Cookie: go.com cookie
5:49 PM: c:\documents and settings\killbomb\cookies\[email protected][2].txt (ID = 2072)
5:49 PM: Found Spy Cookie: adknowledge cookie
5:49 PM: c:\documents and settings\killbomb\cookies\[email protected][1].txt (ID = 2037)
5:49 PM: Found Spy Cookie: about cookie
5:49 PM: Starting Cookie Sweep
5:49 PM: Registry Sweep Complete, Elapsed Time:00:00:20
5:49 PM: HKU\S-1-5-18\software\microsoft\windows\currentversion\run\ || pshope (ID = 1526036)
5:49 PM: HKU\S-1-5-18\software\pshope\ (ID = 1526026)
5:49 PM: HKU\S-1-5-18\software\pecarlin\ (ID = 1344833)
5:49 PM: Found Adware: fullcontext
5:49 PM: HKU\S-1-5-21-1409082233-1767777339-725345543-1004\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
5:49 PM: Found Adware: drsnsrch.com hijack
5:49 PM: HKLM\software\classes\appid\{a2b24a8e-c615-4be8-b33e-1803306422c2}\ (ID = 1628542)
5:49 PM: HKLM\software\classes\appid\dittosidebar.dll\ (ID = 1628540)
5:49 PM: HKCR\appid\{a2b24a8e-c615-4be8-b33e-1803306422c2}\ (ID = 1628419)
5:49 PM: HKCR\appid\dittosidebar.dll\ (ID = 1628417)
5:49 PM: HKLM\software\classes\hqcodec\ (ID = 1614023)
5:49 PM: HKCR\hqcodec\ (ID = 1613985)
5:49 PM: Found Trojan Horse: trojan-downloader-zlob
5:49 PM: HKLM\software\classes\typelib\{e3c9bd06-00f5-47b0-adac-9437c0b26270}\ (ID = 1526603)
5:49 PM: HKLM\software\classes\effectivebar.effbarbho.1\ (ID = 1526599)
5:49 PM: HKLM\software\classes\effectivebar.effbarbho\ (ID = 1526593)
5:49 PM: HKCR\typelib\{e3c9bd06-00f5-47b0-adac-9437c0b26270}\ (ID = 1526551)
5:49 PM: HKCR\effectivebar.effbarbho.1\ (ID = 1526547)
5:49 PM: HKCR\effectivebar.effbarbho\ (ID = 1526541)
5:49 PM: Found Adware: engage sidebar
5:49 PM: HKLM\software\classes\typelib\{ee5ac3d6-6f43-4047-af0a-d66fc2cf8f42}\ (ID = 169463)
5:49 PM: HKLM\software\classes\interface\{fd39937a-c583-4aac-9332-8a3e44988a67}\ (ID = 169462)
5:49 PM: HKLM\software\classes\interface\{980ad470-04ea-4d1d-bd26-e178b7bda6d8}\ (ID = 169461)
5:49 PM: HKCR\typelib\{ee5ac3d6-6f43-4047-af0a-d66fc2cf8f42}\ (ID = 169456)
5:49 PM: HKCR\interface\{fd39937a-c583-4aac-9332-8a3e44988a67}\ (ID = 169455)
5:49 PM: HKCR\interface\{980ad470-04ea-4d1d-bd26-e178b7bda6d8}\ (ID = 169454)
5:49 PM: Found Adware: icannnews
5:49 PM: Starting Registry Sweep
5:49 PM: Memory Sweep Complete, Elapsed Time: 00:01:21
5:47 PM: Starting Memory Sweep
5:47 PM: Start Custom Sweep
5:47 PM: Sweep initiated using definitions version 817
5:47 PM: Spy Sweeper 5.2.3.2132 started
5:47 PM: | Start of Session, Thursday, December 07, 2006 |
********
  • 0

#9
Killbomb

Killbomb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
And the HJT log...

Logfile of HijackThis v1.99.1
Scan saved at 8:23:50 PM, on 12/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_1/home.html"); (C:\Documents and Settings\Killbomb\Application Data\Mozilla\Profiles\default\wgpv4y1s.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Killbomb\Application Data\Mozilla\Profiles\default\wgpv4y1s.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by112fd.bay11...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123560657765
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123560650937
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemreq...m/sysreqlab.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
  • 0

#10
Killbomb

Killbomb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
As an added note, I just played a game for about an hour and a half with no minimizations and I haven't seen any cookie requests since running Spysweeper. Looking good so far...
  • 0

#11
MFDnSC

MFDnSC

    Banned

  • Banned
  • PipPipPipPip
  • 1,137 posts
Clean Posted Image

Turn off restore points, boot, turn them back on – here’s how

http://service1.syma...src=sec_doc_nam
  • 0

#12
Killbomb

Killbomb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Everything's still looking good. I played World of Warcraft for several hours last night with no problems. Do you think Spysweeper is keeping the malware at bay or did it completely get rid of it?

Anyway, thanks for the help. This site and all you guys are a godsend. :whistling:
  • 0

#13
MFDnSC

MFDnSC

    Banned

  • Banned
  • PipPipPipPip
  • 1,137 posts
It removed a lot of stuff
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP