Smitfraud Trojan... yet again



#1
senor135

senor135

    New Member

  • Member
  • Pip
  • 7 posts
I'm posting this new topic on Smitfraud because it seems to be a somewhat involved case-by-case removal process, unless I'm wrong hehe. Anyway, I'm hoping to remove this pesky s.o.b., so any help would be greatly appreciated.

When I first got it, I didn't realize it was a virus because I got it along with a ton of adware and spyware, and I assumed it was part of that. I got rid of most everything else, I'm pretty sure; I've done recent scans with SpyBot and AdAware SE, and neither has found anything now. I also did 2 online scans with TrendMicro's HouseCall, and the first one came up with 11 infected files (I didn't check what they were exactly) and the second scan came up clean. When I first got the virus I got the same "Security Warning" background that everyone gets, but it sort of went away and now I just have a plain black background (the color that I used behind the actual picture that I had as my desktop), but I still only get the two tabs "Screensaver" and "Settings". I just did the first HijackThis scan, after reading other threads on this and downloading it.

Here's the log:

/auto
O4 - HKLM\..\Run: [bokysy] c:\windows\system32\vwmnyqh.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Microsoft AntiSpyware helper - {F87F8345-FF60-4155-91BA-74A6EFABBDBE} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F87F8345-FF60-4155-91BA-74A6EFABBDBE} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c7.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Any help is appreciated.

::Edit::
I dunno if this helps, and I'm sure the experts like bananafanafo know about it, but I've noticed that something (the Smitfraud virus, I assume, unless I got something else too) creates an exe in the windows\system32 folder with 8 or so seemingly random letters. It shows up as a process, and whenever you end that process it starts a new one with a different random filename; also, it seems that removing it from the startup list in msconfig doesn't stop it. Deleting the .exe in the system32 folder doesn't seem to work either.

Edited by senor135, 26 April 2005 - 02:05 AM.

  • 0

#2
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Will you post the entire HiJackThis log (you cut off the top part)? I need everything that pulls up in the notepad, so I can see everything that's going on :tazz:
  • 0

#3
senor135

senor135

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Oh oops, sorry, here's a new log file:

Logfile of HijackThis v1.99.1
Scan saved at 3:36:30 AM, on 4/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\D-Tools\daemon.exe
c:\windows\system32\nycmlqg.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Program Files\Avant Browser\avant.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamespy.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7A00C31B-1D9D-4ED0-8885-478457F9CFEB} - C:\WINDOWS\System32\kkifb.dll (file missing)
O2 - BHO: (no name) - {EFF7DED7-3C12-44EB-3B52-6AB32CBE54B4} - C:\WINDOWS\System32\rwgjpid.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [lqaqwe] c:\windows\system32\nycmlqg.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Microsoft AntiSpyware helper - {F87F8345-FF60-4155-91BA-74A6EFABBDBE} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F87F8345-FF60-4155-91BA-74A6EFABBDBE} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c7.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
  • 0

#4
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Please run both of these online virus scans:
TrendMicro's HouseCall - check "Auto Clean"
ActiveScan

Save the results from ActiveScan and paste them here.
  • 0

#5
senor135

senor135

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
The TrendMicro scan didn't find anything, but the Panda ActiveScan found lots of stuff (about 60 items) and disinfected about half.

Here is the ActiveScan log
========================================

Incident Status Location

Virus:Trj/Downloader.BWL Disinfected C:\Documents and Settings\J\1.dat
Virus:Trj/Downloader.CBY Disinfected C:\Documents and Settings\J\6.dat
Virus:Trj/Downloader.BBA Disinfected C:\Documents and Settings\J\7.dat
Adware:Adware/WUpd No disinfected C:\Documents and Settings\J\Local Settings\Temporary Internet Files\Content.IE5\1MB7O0E3\a3[1].htm
Adware:Adware/WUpd No disinfected C:\Documents and Settings\J\Local Settings\Temporary Internet Files\Content.IE5\1MB7O0E3\a3[2].htm
Virus:Trj/Downloader.BBO Disinfected C:\Documents and Settings\J\Local Settings\Temporary Internet Files\Content.IE5\1MB7O0E3\black[1].ocx
Adware:Adware/WinAD No disinfected C:\Documents and Settings\J\Local Settings\Temporary Internet Files\Content.IE5\1MB7O0E3\bridge-c7[1].cab
Adware:Adware/WinAD No disinfected C:\Documents and Settings\J\Local Settings\Temporary Internet Files\Content.IE5\1MB7O0E3\bridge-c7[1].cab[MediaAccX.dll]
Adware:Adware/WUpd No disinfected C:\Documents and Settings\J\Local Settings\Temporary Internet Files\Content.IE5\1MB7O0E3\MediaAccess[1].exe
Virus:Exploit/LoadImage Disinfected C:\Documents and Settings\J\Local Settings\Temporary Internet Files\Content.IE5\1MB7O0E3\sploit[1].anr
Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\J\Local Settings\Temporary Internet Files\Content.IE5\1WBRTXWF\a1[1].htm
Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\J\Local Settings\Temporary Internet Files\Content.IE5\1WBRTXWF\a1[2].htm
Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\J\Local Settings\Temporary Internet Files\Content.IE5\1WBRTXWF\a1[3].htm
Adware:Adware/WUpd No disinfected C:\Documents and Settings\J\Local Settings\Temporary Internet Files\Content.IE5\1WBRTXWF\a3[1].htm
Virus:Trj/Downloader.BBO Disinfected C:\Documents and Settings\J\Local Settings\Temporary Internet Files\Content.IE5\1WBRTXWF\black[1].ocx
Virus:Exploit/LoadImage Disinfected C:\Documents and Settings\J\Local Settings\Temporary Internet Files\Content.IE5\1WBRTXWF\sploit[1].anr
Virus:Trj/Downloader.BBO Disinfected C:\Documents and Settings\J\Local Settings\Temporary Internet Files\Content.IE5\EOY4P6XZ\black[1].ocx
Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\J\Local Settings\Temporary Internet Files\Content.IE5\O46BWDO3\a1[1].htm
Adware:Adware/WUpd No disinfected C:\Documents and Settings\J\Local Settings\Temporary Internet Files\Content.IE5\O46BWDO3\a3[1].htm
Virus:Trj/Downloader.BWL Disinfected C:\Program Files\Avant Browser\Skins\1.dat
Adware:Adware/Trustbid No disinfected C:\Program Files\Avant Browser\Skins\1.exe
Possible Virus. No disinfected C:\Program Files\Avant Browser\Skins\2.exe
Virus:Trj/Downloader.CGL Disinfected C:\Program Files\Avant Browser\Skins\5.dat
Virus:Trj/Downloader.CBY Disinfected C:\Program Files\Avant Browser\Skins\6.dat
Virus:Trj/Downloader.BBA Disinfected C:\Program Files\Avant Browser\Skins\7.dat
Adware:Adware/Trustbid No disinfected C:\Program Files\Avant Browser\Skins\~update.exe
Virus:Trj/Downloader.BNN Disinfected C:\Program Files\Internet Explorer\nozvvlea.exe
Virus:Trj/Downloader.BNN Disinfected C:\Program Files\Internet Explorer\soibysxd.exe
Virus:Trj/Downloader.BNN Disinfected C:\Program Files\Internet Explorer\xsyhbqbw.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Bolger.dll
Adware:Adware/Apropos No disinfected C:\WINDOWS\cxtpls_loader.exe
Adware:Adware/ISearch No disinfected C:\WINDOWS\delprot.ini
Adware:Adware/ISearch No disinfected C:\WINDOWS\deskbar.ini
Adware:Adware/nCase No disinfected C:\WINDOWS\Downloaded Program Files\ClientAX.dll
Adware:Adware/nCase No disinfected C:\WINDOWS\Downloaded Program Files\clientax.inf
Adware:Adware/WinAD No disinfected C:\WINDOWS\Downloaded Program Files\MediaAccX.dll
Virus:Trj/Downloader.BNN Disinfected C:\WINDOWS\Downloaded Program Files\nozvvlea.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\setup4002b.ini
Virus:Trj/Downloader.BNN Disinfected C:\WINDOWS\Downloaded Program Files\soibysxd.exe
Virus:Trj/Downloader.BNN Disinfected C:\WINDOWS\Downloaded Program Files\xsyhbqbw.exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\installer_SIAC.exe
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\LastGood\Downloaded Program Files\MediaTicketsInstaller.INF
Adware:Adware/Transponder No disinfected C:\WINDOWS\Nail.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\shop1004.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\svcproc.exe
Virus:Trj/Downloader.BNN Disinfected C:\WINDOWS\system32\cmd32.exe
Virus:Trj/Delprot.A Disinfected C:\WINDOWS\system32\drivers\delprot.sys
Virus:Trj/Agent.PF Disinfected C:\WINDOWS\system32\DrPMon.dll
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\haso.exe
Virus:Trj/Downloader.BBA Disinfected C:\WINDOWS\system32\intfsdffdsronsad.exe
Virus:Trj/Downloader.CGL Disinfected C:\WINDOWS\system32\intronsad.exe
Virus:Trj/Downloader.BWL Disinfected C:\WINDOWS\system32\izxxzdsafsafczxcr.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\rwgjpid.dll
Adware:Adware/Trustbid No disinfected C:\WINDOWS\system32\wi32.exe
Adware:Adware/IGuard No disinfected C:\WINDOWS\system32\wldr.dll
Virus:Bck/Sdbot.CYK Disinfected C:\WINDOWS\system32\woxlrpt.exe
Possible Virus. No disinfected C:\WINDOWS\winos.exe
Possible Virus. No disinfected F:\Files\Downloads\rw_1_4_1_6.EXE[FPUPDATE.EXE]
Possible Virus. No disinfected F:\Files\Downloads\rw_mk1d3(roger wilco).EXE[FPUPDATE.EXE]
  • 0

#6
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
First, download, install, and run CleanUp! (so the scan won't take as long because cleanup will clear temporary files)

Then, please download Ewido Security Suite, install it, then be sure to update it (it won't scan until it's updated). Let it scan your computer (it may take a little while). Post the results from the scan, along with a new HiJackThis log.
  • 0

#7
senor135

senor135

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thanks again for the help so far.
Here's the ewido scan log and HijackThis log:

ewido scan:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:21:45 PM, 4/28/2005
+ Report-Checksum: 2BC071D5

+ Date of database: 4/29/2005
+ Version of scan engine: v3.0

+ Duration: 23 min
+ Scanned Files: 59363
+ Speed: 42.67 Files/Second
+ Infected files: 11
+ Removed files: 11
+ Files put in quarantine: 11
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
F:\

+ Scan result:
C:\WINDOWS\Bolger.dll -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\cxtpls_loader.exe -> Spyware.Apropos.b -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\MediaAccX.dll -> Spyware.WinAD -> Cleaned with backup
C:\WINDOWS\installer_SIAC.exe -> TrojanDownloader.Adload.a -> Cleaned with backup
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Cleaned with backup
C:\WINDOWS\shop1004.exe -> Spyware.Sahat.m -> Cleaned with backup
C:\WINDOWS\system32\haso.exe -> Spyware.PurityScan.w -> Cleaned with backup
C:\WINDOWS\system32\rwgjpid.dll -> Spyware.PurityScan.ak -> Cleaned with backup
C:\WINDOWS\system32\vgdcjyi.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\system32\wldr.dll -> TrojanDownloader.Agent.le -> Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__DrPMon.dll -> Trojan.Agent.db -> Cleaned with backup


::Report End

================================================
================================================

Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:26:27 PM, on 4/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\D-Tools\daemon.exe
c:\windows\system32\hhhbcnu.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Avant Browser\avant.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamespy.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7A00C31B-1D9D-4ED0-8885-478457F9CFEB} - C:\WINDOWS\System32\kkifb.dll (file missing)
O2 - BHO: (no name) - {EFF7DED7-3C12-44EB-3B52-6AB32CBE54B4} - C:\WINDOWS\System32\rwgjpid.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [icpqai] c:\windows\system32\hhhbcnu.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Microsoft AntiSpyware helper - {F87F8345-FF60-4155-91BA-74A6EFABBDBE} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F87F8345-FF60-4155-91BA-74A6EFABBDBE} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c7.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
  • 0

#8
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
I'll take a look at it and be back as soon as possible! :tazz:
  • 0

#9
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid


Exit Add/Remove Programs.

*IMPORTANT* CLICK THIS LINK TO LEARN HOW TO VIEW HIDDEN FILES

Press CTRL ALT DELETE to open Windows Task Manager. Click on the Processes tab and end the following processes:

List any files going to be deleted that are running

Exit Task Manager.

I need you to copy all of the Killbox instructions below and paste them into Notepad and save it for use while in Safe Mode.

* Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.
Unzip it to the desktop but do NOT run it yet.

* Please reboot into Safe Mode by restarting your computer and tapping F8 continuously as your computer is booting up until a menu appears. Use your up arrow key to highlight "Safe Mode", then hit Enter.

* Once in Safe Mode, please run Killbox.

* Select "Delete on Reboot".

* Open the Notepad file where you saved these instructions earlier, and copy the file names below to the clipboard by highlighting them and pressing CTRL + C:

C:\wp.exe
C:\wp.bmp
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\WINDOWS\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\msole32.exe


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually. While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter. Yes, we need you to go back into Safe Mode!

Make sure you can view hidden files.

Using Windows Explorer, delete the following (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard

Reboot into normal mode.

*Download and install Registrar Lite version 2.00
*Double click the purple Registrar Lite icon on your desktop.
*Copy the line below and paste it into the "Address" field (located at the top) of the program:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

*Click the "Go" button.
*It will take you into the "Policies" folder.
*Locate the "System" folder (in the right panel)
*If found, right-click on the System folder and go to Delete
*Be very careful that you only delete the System folder that is inside the Policies folder.

Reboot your computer again.

1.) Download the Hoster from HERE Press "Restore Original Hosts" and press "OK". Exit Program.

2.) Download: http://www.mvps.org/winhelp2002/DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!

4.) Run this online virus scan: ActiveScan - Save the results from the scan!

Post a new HiJackThis log.
  • 0

#10
senor135

senor135

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Sorry for the delay, here's the log file:

Logfile of HijackThis v1.99.1
Scan saved at 3:29:47 PM, on 5/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\D-Tools\daemon.exe
c:\windows\system32\wqexhc.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamespy.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7A00C31B-1D9D-4ED0-8885-478457F9CFEB} - C:\WINDOWS\System32\kkifb.dll (file missing)
O2 - BHO: (no name) - {EFF7DED7-3C12-44EB-3B52-6AB32CBE54B4} - C:\WINDOWS\System32\rwgjpid.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [exwjewb] c:\windows\system32\wqexhc.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Microsoft AntiSpyware helper - {F87F8345-FF60-4155-91BA-74A6EFABBDBE} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F87F8345-FF60-4155-91BA-74A6EFABBDBE} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c7.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
  • 0

#11
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Please follow ALL instructions carefully!

Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the below service:

System Startup Service (or SvcProc)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok.

Then, run HiJackThis. Click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service"; a window will pop up. Enter the below item into that field (copy and paste):

SvcProc

Click ok.

It should pull up information about the service; when it asks if you want to reboot now, click NO.

I need you to copy all of the Killbox instructions below and paste them into Notepad.

* In normal mode this time, please run Killbox.exe.

* Select "Delete on Reboot".

* Open the Notepad file where you saved these instructions earlier, and copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C:

c:\windows\system32\wqexhc.exe
C:\Program Files\Avant Browser\Skins\1.exe
C:\Program Files\Avant Browser\Skins\2.exe
C:\Program Files\Avant Browser\Skins\~update.exe
C:\WINDOWS\Bolger.dll
C:\WINDOWS\cxtpls_loader.exe
C:\WINDOWS\delprot.ini
C:\WINDOWS\deskbar.ini
C:\WINDOWS\Downloaded Program Files\ClientAX.dll
C:\WINDOWS\Downloaded Program Files\clientax.inf
C:\WINDOWS\Downloaded Program Files\MediaAccX.dll
C:\WINDOWS\Downloaded Program Files\setup4002b.ini
C:\WINDOWS\installer_SIAC.exe
C:\WINDOWS\LastGood\Downloaded Program Files\MediaTicketsInstaller.INF
C:\WINDOWS\Nail.exe
C:\WINDOWS\shop1004.exe
C:\WINDOWS\svcproc.exe
C:\WINDOWS\system32\haso.exe
C:\WINDOWS\system32\rwgjpid.dll
C:\WINDOWS\system32\wi32.exe
C:\WINDOWS\system32\wldr.dll
C:\WINDOWS\winos.exe


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

While your computer is restarting please tap the F8 key to enter Safe Mode.
While in Safe Mode, run HiJackThis. Place a check next to the following items, if found, and click FIX CHECKED:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamespy.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)

O2 - BHO: (no name) - {7A00C31B-1D9D-4ED0-8885-478457F9CFEB} - C:\WINDOWS\System32\kkifb.dll (file missing)
O2 - BHO: (no name) - {EFF7DED7-3C12-44EB-3B52-6AB32CBE54B4} - C:\WINDOWS\System32\rwgjpid.dll (file missing)

O4 - HKLM\..\Run: [exwjewb] c:\windows\system32\wqexhc.exe

O9 - Extra button: Microsoft AntiSpyware helper - {F87F8345-FF60-4155-91BA-74A6EFABBDBE} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F87F8345-FF60-4155-91BA-74A6EFABBDBE} - (no file) (HKCU)

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c7.cab

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


Reboot into normal mode and post a new HiJackThis log.

#12 senor135 (New Member, Topic Starter, 7 posts)
I followed the instructions, but it seems that the SvcProc service is still there.

Logfile of HijackThis v1.99.1
Scan saved at 10:32:56 PM, on 5/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c7.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Edited by senor135, 11 May 2005 - 11:46 PM.


#13 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
That's because Aurora is still there. Did you follow all of my instructions - specifically with Killbox?

#14 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Please do this part again...

I need you to copy all of the Killbox instructions below and paste them into Notepad.

* In normal mode this time, please run Killbox.exe.

* Select "Delete on Reboot".

* Open the Notepad file where you saved these instructions earlier, and copy the file names below to the clipboard by highlighting ALL of them, then press CTRL + C:

c:\windows\system32\wqexhc.exe
C:\Program Files\Avant Browser\Skins\1.exe
C:\Program Files\Avant Browser\Skins\2.exe
C:\Program Files\Avant Browser\Skins\~update.exe
C:\WINDOWS\Bolger.dll
C:\WINDOWS\cxtpls_loader.exe
C:\WINDOWS\delprot.ini
C:\WINDOWS\deskbar.ini
C:\WINDOWS\Downloaded Program Files\ClientAX.dll
C:\WINDOWS\Downloaded Program Files\clientax.inf
C:\WINDOWS\Downloaded Program Files\MediaAccX.dll
C:\WINDOWS\Downloaded Program Files\setup4002b.ini
C:\WINDOWS\installer_SIAC.exe
C:\WINDOWS\LastGood\Downloaded Program Files\MediaTicketsInstaller.INF
C:\WINDOWS\Nail.exe
C:\WINDOWS\shop1004.exe
C:\WINDOWS\svcproc.exe
C:\WINDOWS\system32\haso.exe
C:\WINDOWS\system32\rwgjpid.dll
C:\WINDOWS\system32\wi32.exe
C:\WINDOWS\system32\wldr.dll
C:\WINDOWS\winos.exe


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

After your computer reboots do the following:

Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the below service:

System Startup Service (or SvcProc)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok.

Then, run HiJackThis. Click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service"; a window will pop up. Enter the below item into that field (copy and paste):

SvcProc

Click ok.

It should pull up information about the service. When it asks if you want to reboot now, click YES.

Post a new HijackThis log.

Edited by bananafanafo, 12 May 2005 - 12:29 AM.

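The procedure Michelle walks through above (delete the dropped files on reboot, stop and disable the service, remove it with HijackThis, then fix the F2/O2/O4/O23 lines) is driven entirely by reading the HijackThis log by eye. The script below, an added example for this page and not HijackThis, Killbox or anything posted in the thread, shows the same triage done mechanically: it parses the log sections involved here and flags the four indicator types this infection leaves (an extra executable on the Winlogon Shell line, a random-named Run entry in System32, a BHO whose DLL is already gone, and an "Unknown owner" service whose binary sits directly in the Windows root), then turns the findings into the ordered cleanup steps and the delete-on-reboot file list. The sample lines are copied from the logs posted in this thread; the regexes, the "random name" heuristic and the output format are this example's own assumptions.

```python
"""Triage a HijackThis 1.99 log for the persistence indicators seen in this thread.

Added example written for this page; not HijackThis, Killbox, or any code posted
in the thread.  The parsing rules and the random-name heuristic are assumptions.
"""
import ntpath
import re

# Constructed sample input: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {EFF7DED7-3C12-44EB-3B52-6AB32CBE54B4} - C:\WINDOWS\System32\rwgjpid.dll (file missing)
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [mygafud] c:\windows\system32\okpppb.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.*?)(?: \((?P<short>[^)]+)\))? - (?P<owner>.*?) - (?P<path>.*)$"
)
# Heuristic (assumption): the droppers in this thread use 4-10 lowercase letters for both
# the Run value name and the exe name (bokysy/vwmnyqh, exwjewb/wqexhc, mygafud/okpppb).
RANDOM_NAME = re.compile(r"^[a-z]{4,10}$")


def first_path(cmd):
    """Return the executable path from a Run command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text):
    """Return a list of findings, one dict per suspicious log line."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        m = F2_RE.match(line)
        if m:  # Shell= must be exactly Explorer.exe; anything appended is a hijack
            parts = m.group("shell").split()
            if [p.lower() for p in parts] != ["explorer.exe"]:
                findings.append({"kind": "shell_hijack", "extra": parts[1:], "line": line})
            continue
        m = O2_RE.match(line)
        if m:  # a BHO whose DLL is already gone is a dead registration to clean up
            if m.group("path").endswith("(file missing)"):
                findings.append({"kind": "orphan_bho", "clsid": m.group("clsid"), "line": line})
            continue
        m = O4_RE.match(line)
        if m:  # random lowercase value name -> random lowercase exe in System32
            path = first_path(m.group("cmd"))
            base, ext = ntpath.splitext(ntpath.basename(path))
            in_system32 = ntpath.dirname(path).lower().endswith("\\system32")
            if (in_system32 and ext.lower() == ".exe"
                    and RANDOM_NAME.match(m.group("value")) and RANDOM_NAME.match(base)):
                findings.append({"kind": "random_run_entry", "value": m.group("value"),
                                 "path": path, "line": line})
            continue
        m = O23_RE.match(line)
        if m:  # unsigned ("Unknown owner") service living directly in C:\WINDOWS
            path = m.group("path")
            if m.group("owner") == "Unknown owner" and ntpath.dirname(path).lower() == "c:\\windows":
                findings.append({"kind": "suspect_service", "path": path,
                                 "service": m.group("short") or m.group("display"), "line": line})
    return findings


def remediation_plan(findings):
    """Map findings onto the steps used in this thread plus the delete-on-reboot list."""
    files, steps = [], []
    for f in findings:
        if f["kind"] == "shell_hijack":
            steps.append("Reset the Winlogon Shell line to 'Explorer.exe' (HijackThis F2 fix)")
            files.extend(f["extra"])
        elif f["kind"] == "random_run_entry":
            steps.append(f"Remove Run value [{f['value']}] (HijackThis O4 fix)")
            files.append(f["path"])
        elif f["kind"] == "suspect_service":
            steps.append(f"Stop, disable and delete service '{f['service']}' before removing its binary")
            files.append(f["path"])
        elif f["kind"] == "orphan_bho":
            steps.append(f"Remove BHO registration {{{f['clsid']}}} (HijackThis O2 fix)")
    return {"steps": steps, "delete_on_reboot": sorted(set(files), key=str.lower)}


if __name__ == "__main__":
    plan = remediation_plan(triage(SAMPLE_LOG))
    print("\n".join(plan["steps"]))
    print("Delete on reboot:", *plan["delete_on_reboot"], sep="\n  ")
```

Note the ordering the plan preserves from the thread: the service has to be stopped and disabled before its binary can be deleted, which is why the earlier attempt left SvcProc in place. The heuristics are deliberately narrow (the Spybot SDHelper line is "(no name)" but present, and ATI Smart is "Unknown owner" but in System32, so neither is flagged); a real triage would still be reviewed by hand.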

#15 senor135 (New Member, Topic Starter, 7 posts)
Logfile of HijackThis v1.99.1
Scan saved at 1:28:51 PM, on 5/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\wuauclt.exe
c:\windows\system32\okpppb.exe
C:\Program Files\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [mygafud] c:\windows\system32\okpppb.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c7.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe