Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Spyware Problem [RESOLVED]


  • This topic is locked This topic is locked

#1
slade_32

slade_32

    Member

  • Member
  • PipPip
  • 21 posts
I'm using an IBM ThinkPad running Windows 2000 Professional. I'm getting many pop-ups advertising spyware detection programs and stating that my PC is infected. I'm also having problems using search engines (Yahoo, Google) - if I do a search and click on a link, I'm redirected to random sites. I've been through the suggested beginning steps and although they have helped, I'm still having problems. Following my Hijack This log is my SUPERAntispyware scan log and active scan log. Please help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:08:51 PM, on 2/1/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4serv.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINNT\system32\ntvdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8EDB0DC7-ECDF-4E5B-A55C-FA0BEECC6DC0} - C:\WINNT\system32\deskad.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {37625982-645F-4516-8FA4-0EC7EA55AA5B} (CorasWorks My Workplace for Outlook - My Outlook) - https://cent.co-act....0ebcd7/MOLC.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D563DEC-33CD-4E5E-B174-8BF9C740CF10}: NameServer = 85.255.114.11,85.255.112.73
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A849A83-D3B4-43DF-8C9C-ECDB8417D140}: NameServer = 85.255.114.11,85.255.112.73
O17 - HKLM\System\CS1\Services\Tcpip\..\{1D563DEC-33CD-4E5E-B174-8BF9C740CF10}: NameServer = 85.255.114.11,85.255.112.73
O17 - HKLM\System\CS2\Services\Tcpip\..\{1D563DEC-33CD-4E5E-B174-8BF9C740CF10}: NameServer = 85.255.114.11,85.255.112.73
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

--
End of file - 4507 bytes
------------------------------------------

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/31/2008 at 08:28 PM

Application Version : 3.9.1008

Core Rules Database Version : 3392
Trace Rules Database Version: 1384

Scan type : Complete Scan
Total Scan Time : 02:10:20

Memory items scanned : 253
Memory threats detected : 0
Registry items scanned : 3953
Registry threats detected : 12
File items scanned : 32832
File threats detected : 135

Parasite.WareOut
HKLM\Software\Classes\CLSID\{46639D99-7D26-7374-728A-4F6DBA585E76}
HKCR\CLSID\{46639D99-7D26-7374-728A-4F6DBA585E76}
HKCR\CLSID\{46639D99-7D26-7374-728A-4F6DBA585E76}\InprocServer32
PANEL_ITS.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Laptop\Cookies\[email protected][2].txt
C:\Documents and Settings\Laptop\Cookies\[email protected][1].txt
C:\Documents and Settings\Laptop\Cookies\[email protected][1].txt
C:\Documents and Settings\Laptop\Cookies\[email protected][1].txt
C:\Documents and Settings\Laptop\Cookies\[email protected][2].txt
C:\Documents and Settings\Laptop\Cookies\[email protected][2].txt
C:\Documents and Settings\Laptop\Cookies\[email protected][2].txt
C:\Documents and Settings\Laptop\Cookies\[email protected][1].txt
C:\Documents and Settings\Laptop\Cookies\[email protected][2].txt
C:\Documents and Settings\Laptop\Cookies\[email protected][1].txt

Trojan.cmdService
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#DeviceDesc

Browser Hijacker.Favorites
C:\Documents and Settings\Laptop\Favorites\Download Free Spyware Remover.url
C:\Documents and Settings\All Users\Favorites\Download Free Spyware Remover.url
C:\Documents and Settings\Laptop\Favorites\NEW VIAGRA at Half Price!.url
C:\Documents and Settings\All Users\Favorites\NEW VIAGRA at Half Price!.url
C:\Documents and Settings\Laptop\Favorites\Online Chat With Nude Girls.url
C:\Documents and Settings\All Users\Favorites\Online Chat With Nude Girls.url
C:\Documents and Settings\Laptop\Favorites\Order CIALIS online without leaving home..url
C:\Documents and Settings\All Users\Favorites\Order CIALIS online without leaving home..url
C:\Documents and Settings\Laptop\Favorites\PC protection in under 2 minutes!.url
C:\Documents and Settings\All Users\Favorites\PC protection in under 2 minutes!.url
C:\Documents and Settings\Laptop\Favorites\SEX Dating - Real Girls For Real SEX.url
C:\Documents and Settings\All Users\Favorites\SEX Dating - Real Girls For Real SEX.url
C:\Documents and Settings\Laptop\Favorites\Stop PopUps On Your Computer.url
C:\Documents and Settings\All Users\Favorites\Stop PopUps On Your Computer.url
C:\Documents and Settings\Laptop\Favorites\VIAGRA at incredible low price. Bonus Pills!.url
C:\Documents and Settings\All Users\Favorites\VIAGRA at incredible low price. Bonus Pills!.url
C:\Documents and Settings\Laptop\Favorites\View ADULT photos of REAL GIRLS!.url
C:\Documents and Settings\All Users\Favorites\View ADULT photos of REAL GIRLS!.url
C:\Documents and Settings\All Users\Favorites\Online Pharmacy\CHEAPEST VIAGRA ONLINE.url
C:\Documents and Settings\All Users\Favorites\Online Pharmacy\Cialis at HALF PRICE!.url
C:\Documents and Settings\All Users\Favorites\Online Pharmacy\Fast Way To Loose Your Weight!.url
C:\Documents and Settings\All Users\Favorites\Online Pharmacy\Guaranteed low price at Pills..url
C:\Documents and Settings\All Users\Favorites\Online Pharmacy\SOMA at Special LOW PRICE.url
C:\Documents and Settings\All Users\Favorites\Online Pharmacy\Tramadol Special Offer!.url
C:\Documents and Settings\All Users\Favorites\Online Pharmacy\Try New VIAGRA! Works Faster and Longer!.url
C:\Documents and Settings\All Users\Favorites\Online Pharmacy
C:\Documents and Settings\Laptop\Favorites\Sex and Dating\Meet Girls Who Want To Get Laid!.url
C:\Documents and Settings\Laptop\Favorites\Sex and Dating\Meet Horny Girls In Your Area!.url
C:\Documents and Settings\Laptop\Favorites\Sex and Dating\Read profiles and Chat With Nude Girls!.url
C:\Documents and Settings\Laptop\Favorites\Sex and Dating\SEX Dating - people looking for SEX.url
C:\Documents and Settings\Laptop\Favorites\Sex and Dating\View XXX photos of Real Sexy Girls..url
C:\Documents and Settings\Laptop\Favorites\Sex and Dating
C:\Documents and Settings\All Users\Favorites\Sex and Dating\Meet Girls Who Want To Get Laid!.url
C:\Documents and Settings\All Users\Favorites\Sex and Dating\Meet Horny Girls In Your Area!.url
C:\Documents and Settings\All Users\Favorites\Sex and Dating\Read profiles and Chat With Nude Girls!.url
C:\Documents and Settings\All Users\Favorites\Sex and Dating\SEX Dating - people looking for SEX.url
C:\Documents and Settings\All Users\Favorites\Sex and Dating\View XXX photos of Real Sexy Girls..url
C:\Documents and Settings\All Users\Favorites\Sex and Dating
C:\Documents and Settings\Laptop\Favorites\Spyware Uninstall\Easy Detect and Uninstall Spyware..url
C:\Documents and Settings\Laptop\Favorites\Spyware Uninstall\Free Spyware Scanner..url
C:\Documents and Settings\Laptop\Favorites\Spyware Uninstall\Search & Destroy Annoying Adware..url
C:\Documents and Settings\Laptop\Favorites\Spyware Uninstall\Stop PopUps on your PC..url
C:\Documents and Settings\Laptop\Favorites\Spyware Uninstall
C:\Documents and Settings\All Users\Favorites\Spyware Uninstall\Easy Detect and Uninstall Spyware..url
C:\Documents and Settings\All Users\Favorites\Spyware Uninstall\Free Spyware Scanner..url
C:\Documents and Settings\All Users\Favorites\Spyware Uninstall\Search & Destroy Annoying Adware..url
C:\Documents and Settings\All Users\Favorites\Spyware Uninstall\Stop PopUps on your PC..url
C:\Documents and Settings\All Users\Favorites\Spyware Uninstall

Malware.SpyMarshal
C:\Program Files\SpyMarshal\SpyMarshal.lic
C:\Program Files\SpyMarshal

Trace.Known Threat Sources
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\MRSRYDW7\CA1GNE3B.php
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\MVMFQPQR\CAOPILB8.
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\MVMFQPQR\2682kipgbuck[1].exe
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\MVMFQPQR\i53b_icon5[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\CHIJO9QV\i53b_btn-home[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\CHIJO9QV\i53b_btn-overview[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\KHI3G56Z\i53b_icon3[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\8DEVWT2F\i53b_brd-top-1[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\SHE7OX2Z\crypt[2].htm
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\CHIJO9QV\i53b_brd-bot-1[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\KHI3G56Z\i53b_boton4[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\KHI3G56Z\i53b_line3[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\KHI3G56Z\i53b_icon1[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\MVMFQPQR\i53b_btn-download[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\SJJ7AS1T\i88_log[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\MVMFQPQR\2682bgmyeckt[1].htm
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\8DEVWT2F\i53b_btn-updates[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\SHE7OX2Z\errorhandler[1].htm
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\8DEVWT2F\i53b_btn-features[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\MVMFQPQR\i53b_t1[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\KHI3G56Z\i53b_line2[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\SHE7OX2Z\errorhandler[2].htm
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\MVMFQPQR\i53b_boton2[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\MVMFQPQR\i53b_btn-purchase[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\BJTFBPG8\i88_top[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\BJTFBPG8\i88_k2[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\8DEVWT2F\i53b_bg1[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\VQK37P05\i88_fon[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\BJTFBPG8\i88_r2[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\SJJ7AS1T\i88_boot[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\VQK37P05\CAWP6912.
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\BJTFBPG8\i88_r3[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\STM7S1YZ\crypt[1].htm
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\S12F0LYN\managers[2].js
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\STM7S1YZ\i35_no_flash[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\STM7S1YZ\i35_my_03[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\SHE7OX2Z\index[1].php
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\S12F0LYN\i89_boot[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\S12F0LYN\CA6FM3E1.
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\STM7S1YZ\i35_fon2[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\STM7S1YZ\i35_malt[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\S12F0LYN\i35_txtop[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\SHE7OX2Z\i35_my_01[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\SHE7OX2Z\i35_bot5[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\S12F0LYN\i35_bot6[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\SHE7OX2Z\i35_bot3[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\STM7S1YZ\index[3].htm
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\SHE7OX2Z\i89_anim[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\S12F0LYN\i44_boton[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\S12F0LYN\i35_fon1[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\SHE7OX2Z\i89_str[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\STM7S1YZ\i44_lintb[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\S12F0LYN\i89_im[1].jpg
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\S12F0LYN\i89_zn[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\S12F0LYN\autoresize[1].htm
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\STM7S1YZ\i44_u1[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\STM7S1YZ\i44_f3[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\STM7S1YZ\i89_boton[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\STM7S1YZ\i44_fonflash[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\S12F0LYN\i44_ug2[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\S12F0LYN\i44_ic2[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\STM7S1YZ\i44_ug3[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\S12F0LYN\CACPYJGN.php
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\SHE7OX2Z\i35_botfin3[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\SHE7OX2Z\i44_ug1[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\STM7S1YZ\CAE7SPAH.php
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\STM7S1YZ\index[1].php
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\SHE7OX2Z\i44_f2[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\S12F0LYN\i44_lin[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\STM7S1YZ\i44_ic4[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\MRSRYDW7\index[1].php
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\SHE7OX2Z\i44_ic1[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\SHE7OX2Z\i44_ic3[1].gif
C:\Documents and Settings\Laptop\Local Settings\Temporary Internet Files\Content.IE5\816FA7KX\CA0X2JSH.


---------------------------------------------

Activescan log:

Incident Status Location

Potentially unwanted tool:Application/PRScheduler Not disinfected C:\Documents and Settings\Laptop\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
Adware:adware/ideskbar Not disinfected c:\winnt\system32\drivers\zpmodemnt.sys
Adware:adware/dloader Not disinfected c:\winnt\system32\msblank.html
Adware:adware/sbsoft Not disinfected c:\winnt\rdt.ini
Adware:adware/megatds Not disinfected Windows Registry
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Laptop\Cookies\[email protected][2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Laptop\Cookies\[email protected][1].txt
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\Laptop\Local Settings\Temp\Temporary Internet Files\Content.IE5\KR2X2NU3\wpad[1].htm
  • 0

Advertisements


#2
eddie5659

eddie5659

    Trusted Helper

  • Malware Removal
  • 1,980 posts
  • MVP
Hello slade_32, I'm currently reading over your log right now and I'll do my best to try to get your system clean :)

Since I'm still in training, there may be a slight delay between my posts because they must be checked by an expert.

Regards

eddie
  • 0

#3
slade_32

slade_32

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Thanks for the reply eddie. I'll wait to hear from you.
  • 0

#4
eddie5659

eddie5659

    Trusted Helper

  • Malware Removal
  • 1,980 posts
  • MVP
Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan"box on the top of the page:

    • C:\WINNT\system32\msdxm.ocx
  • Click on the submit button
  • Please post the results in your next reply.

Please download FixWareout from here:
http://downloads.sub.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.

eddie
  • 0

#5
slade_32

slade_32

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Good morning eddie. I've done as requested, although it doesn't appear that the Jotti scan found anything. Following my HijackThis log is my Fixwareout log and Jotti log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:17:58 AM, on 2/4/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\notepad.exe
C:\WINNT\system32\tp4serv.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8EDB0DC7-ECDF-4E5B-A55C-FA0BEECC6DC0} - C:\WINNT\system32\deskad.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {37625982-645F-4516-8FA4-0EC7EA55AA5B} (CorasWorks My Workplace for Outlook - My Outlook) - https://cent.co-act....0ebcd7/MOLC.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

--
End of file - 3955 bytes
----------------------------------

Username "Laptop" - 02/04/2008 9:52:31 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="csvnr.exe"

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{1D563DEC-33CD-4E5E-B174-8BF9C740CF10}
"nameserver"="85.255.114.11,85.255.112.73" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{9A849A83-D3B4-43DF-8C9C-ECDB8417D140}
"nameserver"="85.255.114.11,85.255.112.73" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "xedocne" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "repiwoh" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "23plhps" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "mgcppp" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "tesvaf" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "golmedi" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "32refaselif" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "9" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "10" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "11" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "12" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "13" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "14" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "15" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "16" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "17" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "18" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "19" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "20" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "21" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "22" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "23" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "24" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "25" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "26" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "27" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "28" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "29" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "30" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "31" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "32" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "33" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "34" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "35" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "36" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "37" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "38" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "39" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "40" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "41" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "42" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "43" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "44" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "45" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "46" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "47" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "48" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "49" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "50" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "51" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "52" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "53" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "54" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "55" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "56" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "57" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "58" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "59" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "60" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "61" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "62" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "63" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "64" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "65" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "66" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "67" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "68" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "69" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "70" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "71" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "72" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "73" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "74" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "75" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "76" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "77" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "78" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "79" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "80" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "81" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "82" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "83" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "84" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "85" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "86" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "87" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "88" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "89" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "90" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "91" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "92" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "93" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "94" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "95" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "96" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "97" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "98" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "akkmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "99" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "100" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "101" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "102" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "103" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "104" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "105" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "106" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "107" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "108" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "109" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "110" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "111" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "112" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "113" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "114" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "115" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "116" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "117" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "118" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "119" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "120" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "121" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "122" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "123" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "124" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "125" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "126" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "127" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "128" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "129" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "130" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "131" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "132" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "133" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "134" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "135" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "136" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "137" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "138" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "139" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "140" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "141" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "142" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "143" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "144" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "145" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "146" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "147" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "148" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "149" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "150" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "151" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "152" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "153" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "154" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "155" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "156" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "157" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "158" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "159" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "160" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "161" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "xedocne" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "gib_ogol" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "repiwoh" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "llun" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "23plhps" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "mgcppp" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "tesvaf" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "putesprpgd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "golmedi" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "32refaselif" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion "rnvsc" Value deleted
HKCR\CLSID\{8C384094-F69B-45ED-A923-CD3913B16AC6}\_h\4 Deleted.
....
~~~~~ Misc files.
C:\Documents and Settings\Laptop\Application Data\Install.dat Deleted
C:\WINNT\RDT.INI Deleted
C:\WINNT\System32\close.bmp Deleted
C:\WINNT\System32\dating.bmp Deleted
C:\WINNT\System32\drivers\zpmodemnt.sys Deleted
C:\WINNT\System32\gambling.bmp Deleted
C:\WINNT\System32\idesk.conf Deleted
C:\WINNT\System32\insurance.bmp Deleted
C:\WINNT\System32\msblank.html Deleted
C:\WINNT\System32\pharmacy.bmp Deleted
C:\WINNT\System32\spyware.bmp Deleted
C:\WINNT\System32\xxx.bmp Deleted
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="tp4serv.exe"
"Synchronization Manager"="mobsync.exe /logon"
"WG511WLU"="C:\\Program Files\\NETGEAR\\WG511\\Utility\\WG511WLU.exe -hide"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

Online malware scanJotti's malware scan 2.99-TRANSITION_TO_3.00-R1

File to upload & scan:
Service
Service load: 0% 100%

File: msdxm.ocx
Status: OK
MD5: 71b4ec7ee27a6935d3c20b98f0d8ddf9
Packers detected: -
Bit9 reports: No threat detected (more info)

Scanner results
Scan taken on 04 Feb 2008 15:38:24 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Powered by

Disclaimer
This service is by no means 100% safe. If this scanner says 'OK', it does
not necessarily mean the file is clean. There could be a whole new virus
on the loose. NEVER EVER rely on one single product only, not even this
service, even though it utilizes several products. Therefore, We cannot
and will not be held responsible for any damage caused by results
presented by this non-profit online service.

Also, we are aware of the implications of a setup like this. We are sure
this whole thing is by no means scientifically correct, since this is a
fully automated service (although manual correction is possible). We are
aware, in spite of efforts to proactively counter these, false positives
might occur, for example. We do not consider this a very big issue, so
please do not e-mail us about it. This is a simple online scan service,
not the university of Wichita.

Scanning can take a while, since several scanners are being used, plus the
fact some scanners use very high levels of (time consuming) heuristics.
Scanners used are Linux versions, differences with Windows scanners may or
may not occur. Another note: some scanners will only report one virus when
scanning archives with multiple pieces of malware.

Virus definitions are updated every hour. There is a 10Mb limit per file.
Please refrain from uploading tons of hex-edited or repacked variants of
the same sample.

Please do not ask for viruses uploaded here, unless you work for an
anti-virus vendor. They are not for trade. This is a legitimate service,
not a VX site. Viruses uploaded here will be distributed to antivirus
vendors without exception. Read more about this in our privacy policy. If
you do not want your files to be distributed, please do not send them at
all.

Sponsored by HotelScraper.com.



Statistics
Last file scanned at least one scanner reported something about:
Isaac_Contact.exe (MD5: e4fc244c45ab50bc7993ce8ac7c30948, size: 2979081
bytes), detected by:

Scanner Malware name
A-Squared X
AntiVir X
ArcaVir X
Avast X
AVG Antivirus X
BitDefender X
ClamAV Trojan.Agent-9383
CPsecure X
Dr.Web BackDoor.JustFun
F-Prot Antivirus X
F-Secure Anti-Virus X
Fortinet X
Ikarus Backdoor.Win32.JustFun
Kaspersky Anti-Virus X
NOD32 X
Norman Virus Control X
Panda Antivirus X
Rising Antivirus X
Sophos Antivirus X
VirusBuster X
VBA32 X


You're free to (mis)interpret these automated, flawed statistics at your
own discretion. For antivirus comparisons, visit AV comparatives
We are not affiliated with any third parties that conduct tests using this
service.





Frequently asked questions - Feedback - Privacy policy



Page generated by JTPL

© 2004-2008 Jordi Bosveld <[email protected]>
  • 0

#6
eddie5659

eddie5659

    Trusted Helper

  • Malware Removal
  • 1,980 posts
  • MVP
Re-open HiJackThis and scan. Check the boxes of all the entries listed below.

O2 - BHO: (no name) - {8EDB0DC7-ECDF-4E5B-A55C-FA0BEECC6DC0} - C:\WINNT\system32\deskad.dll

Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please delete this file using Windows Explorer(if present):

C:\WINNT\system32\deskad.dll

Restart your computer, and post a fresh HijackThis log.
  • 0

#7
slade_32

slade_32

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
I've done as instructed. When I rebooted in safe mode, I could not find the file in the specified drive. I found a "deskadp.dll" (and did nothing with it) but that was it. Here is my log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:42:37 PM, on 2/6/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4serv.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {37625982-645F-4516-8FA4-0EC7EA55AA5B} (CorasWorks My Workplace for Outlook - My Outlook) - https://cent.co-act....0ebcd7/MOLC.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

--
End of file - 3830 bytes
  • 0

#8
eddie5659

eddie5659

    Trusted Helper

  • Malware Removal
  • 1,980 posts
  • MVP
That's okay, deskadp.dll is a legit file :)

Hows the computer running now?


Also, although you're running AVG antispyware, you also need an antivirus program running, plus a firewall, to help against future infections:

Here are 2 free firewalls available for personal use:and a good antivirus (these are also free for personal use):It is critical to have both a firewall and anti virus to protect your system and to keep them updated.




We have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
* CHECK the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)1. Turn off System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Restart your computer.

3. Turn ON System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
[/list]System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

To keep your operating system up to date visit monthly. And to keep your system clean run these free malware scanners
weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

Have a safe and happy computing day!

eddie
  • 0

#9
slade_32

slade_32

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
The computer is running error-free, knock on wood. Your efforts are truly appreciated. One note, I completed the steps about un-selecting the hidden files and folder. However, I'm not sure how to perform the System Restore part - when I right click on My Computer and click Properties, there is no "System Restore" tab. The only tabs I see are General, Network Identification, Hardware, User Profiles and Advanced. Any ideas?

Thanks again for the help. I'm in the process of downloading some of your recommended anti-virus, firewall and malware programs.
  • 0

#10
eddie5659

eddie5659

    Trusted Helper

  • Malware Removal
  • 1,980 posts
  • MVP
Great, glad to hears its all okay again :)

As for the System Restore, I forgot you're running Windows 2000. As this is enabled by default, but this should work:

Go to Start | Control Panel | Administrative Tools | Services.

In there, locate the entry for System Restore Service. Rightclick and choose Properties. Under Service Status, press Stop, Apply and OK, then restart your pc.

When restarted, go back to the same Service, System Restore Service as before, and after selecting the Properties, select the option Start, Apply and OK.

eddie
  • 0

#11
slade_32

slade_32

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Eddie, sorry for the delay but I've been out of town. Anway, going into Control Panel/Admin Tools/Services, I see no entry for System Restore Service or anything remotely close. Any other ideas how to access the system restore?
  • 0

#12
eddie5659

eddie5659

    Trusted Helper

  • Malware Removal
  • 1,980 posts
  • MVP
You're right, there is no system restore on Windows 2000. Restoring 2000 is done a different way than normal (if needed), so we can leave that step alone :)

Just keep the programs that you're downloaded uptodate, and scan regularly, and that will protect your computer for the future :)

eddie
  • 0

#13
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP