Can you help me with my HiJackThis Log? [RESOLVED]



#1 vaaron (Member, 17 posts)
Logfile of HijackThis v1.99.1
Scan saved at 17:19:15, on 27/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\msole32.exe
C:\WINDOWS\popuper.exe
C:\ARCHIVOS DE PROGRAMA\SCANJET\PrecisionScanLT\hppwrsav.exe
C:\WINDOWS\System32\svcnet.exe
C:\Archivos de programa\RefreshLock\RefreshLock.exe
C:\WINDOWS\System32\intmonp.exe
C:\archivos de programa\microangelo\muamgr.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\system32\SSMS.EXE
C:\WINDOWS\System32\service.exe
C:\WINDOWS\system32\LSSAS.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\csrs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Instaladores\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6DA975EA-CBB4-411B-97C0-DB0A892BF2C1} - C:\WINDOWS\System32\zihiq.dll
O2 - BHO: (no name) - {D1A28908-E0FD-29FD-E569-0071D816C084} - C:\WINDOWS\System32\cihooin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Jet Detection] "C:\Archivos de programa\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [hppwrsav] C:\ARCHIVOS DE PROGRAMA\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Shellapi32] svcnet.exe
O4 - HKLM\..\Run: [RefreshLock] C:\Archivos de programa\RefreshLock\RefreshLock.exe
O4 - HKLM\..\Run: [MOD] c:\archivos de programa\microangelo\muamgr.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [I/O Controllers] svcnet.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Shellapi32] svcnet.exe
O4 - HKCU\..\Run: [I/O Controllers] svcnet.exe
O4 - Startup: Acceso directo a RefreshLock.exe.lnk = C:\Archivos de programa\RefreshLock\RefreshLock.exe
O8 - Extra context menu item: Convert to Palm e-Book - C:\Archivos de programa\PUG-WavePDB\WavePDB.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\ARCHIV~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\ARCHIV~1\ICQ\ICQ.exe
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\ARCHIV~1\DAP\DAP.EXE
O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-9F63-900533FAFE14} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: ShopperReports - Compare product prices - {E77EDA01-3C56-4a96-8D08-02B42891C169} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) -
O23 - Service: COM+ System Service - Unknown owner - C:\WINDOWS\system32\SSMS.EXE
O23 - Service: Network DDE Connections (NETDDEC) - Unknown owner - C:\WINDOWS\System32\service.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Ptingedeers - Parallel Technologies, Inc. - (no file)
O23 - Service: StyleXPService - Unknown owner - C:\Archivos de programa\TGTSoft\StyleXP\StyleXPService.exe

#2 vaaron (Topic Starter, Member, 17 posts)
Please Help me !!!

#3 vaaron (Topic Starter, Member, 17 posts)
Please Help me

#4 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Welcome to Geeks to Go!

I apologize for the wait! Is your background blue with a fake warning message on it?

First, download, install, and run CleanUp! (so the scan won't take as long, because CleanUp! will clear temporary files). *NOTE* CleanUp! deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CleanUp!

Please download ewido security suite
  • Install ewido security suite
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • The program will prompt you to update; click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.

Once the updates are installed do the following:
  • Reboot into Safe Mode, then run Ewido.
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
Reboot your machine and post back a new HiJackThis log and the ewido .txt log file you saved.

Edited by bananafanafo, 03 May 2005 - 11:17 PM.


#5 vaaron (Topic Starter, Member, 17 posts)
Hey bananafanafo, so many thanks !!
It now works perfectly.
Thx for your time mate... and for bothering...


Here's the log


---------------------------------------------------------
ewido security suite - Report de exploración
---------------------------------------------------------

+ Creado en: 15:41:44, 04/05/2005
+ Report-Checksum: BD3ABCF4

+ Fecha de la base de datos: 04/05/2005
+ Versión del scanner: v3.0

+ Duración: 46 min
+ Archivos explorados: 57925
+ Velocidad: 20.61 Archivos/Segundo
+ Archivos infectados: 22
+ Archivos eliminados: 22
+ Archivos puestos en cuarentena: 22
+ Archivos que no se han podido abrir: 0
+ Archivos que no se han podido limpiar: 0

+ Carpeta: Si
+ Encriptar: Si
+ Archivos: Si

+ Items explorados:
C:\

+ Resultados de la exploración:
C:\WINDOWS\system32\zihiq.dll -> TrojanDownloader.Agent.au -> Limpio con backup
C:\WINDOWS\system32\ntnh32.dll -> TrojanDownloader.Agent.bq -> Limpio con backup
C:\WINDOWS\system32\cihooin.dll -> Spyware.AdultIt.a -> Limpio con backup
C:\WINDOWS\system32\f3PSSavr.scr -> Spyware.MyWebSearch -> Limpio con backup
C:\WINDOWS\system32\svcnet.exe -> Worm.Tibick.d -> Limpio con backup
C:\WINDOWS\system32\ole32vbs.exe -> Trojan.Favadd.u -> Limpio con backup
C:\WINDOWS\system32\intmonp.exe -> Trojan.Puper.b -> Limpio con backup
C:\WINDOWS\system32\msole32.exe -> Spyware.Agent.cr -> Limpio con backup
C:\WINDOWS\popuper.exe -> Trojan.Puper.b -> Limpio con backup
C:\WINDOWS\fsxdug.dat -> TrojanDownloader.Agent.bq -> Limpio con backup
C:\WINDOWS\gkcxej.dat -> TrojanDownloader.Agent.bq -> Limpio con backup
C:\WINDOWS\htmbtw.dat -> TrojanDownloader.Agent.bq -> Limpio con backup
C:\WINDOWS\pieawd.dat -> TrojanDownloader.Agent.bq -> Limpio con backup
C:\Documents and Settings\Vaaron\Cookies\vaaron@myway[1].txt -> Spyware.Tracking-Cookie -> Limpio con backup
C:\Archivos de programa\ACD Systems\ACDSee\7.0\acdsee 7.0.61 crack.exe -> Worm.Tibick.d -> Limpio con backup
C:\Archivos de programa\MyWay\myBar\1.bin\MY2NS.EXE -> Spyware.MyWay.b -> Limpio con backup
C:\Archivos de programa\MyWay\myBar\1.bin\MYBAR.DLL -> Spyware.Toolbar.MyWay.c -> Limpio con backup
C:\Archivos de programa\MyWay\myBar\1.bin\MYWAYPLUGINPROXY.CLASS -> Spyware.MyWay -> Limpio con backup
C:\Archivos de programa\MyWay\myBar\1.bin\NPMYWAY.DLL -> Spyware.MyWay.e -> Limpio con backup
C:\Archivos de programa\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL -> Spyware.MyWay.c -> Limpio con backup
C:\Archivos de programa\Microsoft AntiSpyware\Quarantine\D78ACC16-1031-4B3E-9980-1CDB57\E2B1E133-332B-46D8-BDE4-09486F -> Spyware.Suggestor.g -> Limpio con backup
C:\wp.exe -> Trojan.Agent.ct -> Limpio con backup


::Fin Report

#6 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Will you post a new HijackThis log, please :tazz:

#7 vaaron (Topic Starter, Member, 17 posts)
Sure !!!!!!!!

Logfile of HijackThis v1.99.1
Scan saved at 16:58:07, on 04/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\service.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\ARCHIVOS DE PROGRAMA\SCANJET\PrecisionScanLT\hppwrsav.exe
C:\WINDOWS\system32\csrs.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\RefreshLock\RefreshLock.exe
C:\archivos de programa\microangelo\muamgr.exe
C:\WINDOWS\mHotkey.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Instaladores\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - (no file)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6DA975EA-CBB4-411B-97C0-DB0A892BF2C1} - (no file)
O2 - BHO: (no name) - {D1A28908-E0FD-29FD-E569-0071D816C084} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O4 - HKLM\..\Run: [hppwrsav] C:\ARCHIVOS DE PROGRAMA\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [RefreshLock] C:\Archivos de programa\RefreshLock\RefreshLock.exe
O4 - HKLM\..\Run: [MOD] c:\archivos de programa\microangelo\muamgr.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - Startup: Acceso directo a RefreshLock.exe.lnk = C:\Archivos de programa\RefreshLock\RefreshLock.exe
O8 - Extra context menu item: Convert to Palm e-Book - C:\Archivos de programa\PUG-WavePDB\WavePDB.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\ARCHIV~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\ARCHIV~1\ICQ\ICQ.exe
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\ARCHIV~1\DAP\DAP.EXE
O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-9F63-900533FAFE14} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: ShopperReports - Compare product prices - {E77EDA01-3C56-4a96-8D08-02B42891C169} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) -
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O23 - Service: COM+ System Service - Unknown owner - C:\WINDOWS\system32\SSMS.EXE
O23 - Service: Network DDE Connections (NETDDEC) - Unknown owner - C:\WINDOWS\System32\service.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Ptingedeers - Parallel Technologies, Inc. - (no file)
O23 - Service: StyleXPService - Unknown owner - C:\Archivos de programa\TGTSoft\StyleXP\StyleXPService.exe

#8 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Download: http://www.mvps.org/.../DelDomains.inf to your desktop.

To use: right-click on DelDomains.inf and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

While you're doing that, I'll work on what needs to be removed from your log :tazz:

#9 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Reboot into Safe Mode. You can do this by restarting your computer, then continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.

While in Safe Mode, Run HijackThis. Place a check next to the following items and click FIX CHECKED:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - (no file)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O2 - BHO: (no name) - {6DA975EA-CBB4-411B-97C0-DB0A892BF2C1} - (no file)
O2 - BHO: (no name) - {D1A28908-E0FD-29FD-E569-0071D816C084} - (no file)

O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)

O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) -


Reboot in normal mode.

You do have some worms and worm "services" that need to be removed from your system!

Press CTRL ALT DELETE and click on the processes tab. End the following processes:

service.exe (make sure to end the one WITHOUT the "s" on the end of service)
csrs.exe

Exit Task Manager.

Then, Please run this online virus scan:
ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log.

Edited by bananafanafo, 04 May 2005 - 02:30 PM.

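As an added example (not code from this thread, from Geeks to Go or from HijackThis), the Python script below applies the same triage rules the helper used on the logs above to a constructed sample log built from entries posted in this thread: IE R0 settings left empty, O2/O3 items pointing at "(no file)", O15 Trusted Zone entries (what DelDomains.inf clears), O23 services with no file or an unknown owner, and running processes or service binaries whose names sit one edit away from a genuine Windows core process (service.exe vs services.exe, csrs.exe vs csrss.exe, LSSAS.EXE vs lsass.exe, SSMS.EXE vs smss.exe). The core process list and the "one bare exe name registered under two or more Run values" rule are assumptions of mine, not HijackThis behaviour; the output is a list of leads for the kind of manual review done in this thread, not a verdict.

```python
"""Triage a HijackThis v1.99 log for the entry classes the helper in this thread
fixed. Added example, not code from the thread, Geeks to Go or HijackThis."""
import re

# Genuine Windows XP core process names (assumed default install). A non-core name
# one edit away (service.exe, csrs.exe, LSSAS.EXE, SSMS.EXE above) is suspect.
CORE_PROCESSES = sorted({
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe",
})

# Constructed sample modelled on the logs posted in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\System32\service.exe
C:\WINDOWS\system32\csrs.exe
C:\WINDOWS\system32\LSSAS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {6DA975EA-CBB4-411B-97C0-DB0A892BF2C1} - (no file)
O4 - HKLM\..\Run: [hppwrsav] C:\ARCHIVOS DE PROGRAMA\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [Shellapi32] svcnet.exe
O4 - HKCU\..\Run: [I/O Controllers] svcnet.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Network DDE Connections (NETDDEC) - Unknown owner - C:\WINDOWS\System32\service.exe
O23 - Service: Ptingedeers - Parallel Technologies, Inc. - (no file)
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")

def osa_distance(a, b):
    """Edit distance where an adjacent swap counts as one edit (LSSAS vs lsass)."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i-1][j] + 1, d[i][j-1] + 1, d[i-1][j-1] + (a[i-1] != b[j-1]))
            if i > 1 and j > 1 and a[i-1] == b[j-2] and a[i-2] == b[j-1]:
                d[i][j] = min(d[i][j], d[i-2][j-2] + 1)
    return d[-1][-1]

def lookalike_of(path):
    """Return the core process name a non-core basename imitates, else None."""
    name = path.rsplit("\\", 1)[-1].lower()
    if name in CORE_PROCESSES:
        return None
    return next((c for c in CORE_PROCESSES if osa_distance(name, c) == 1), None)

def parse_log(text):
    """Split a log into running-process paths and (section, body, line) entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            processes.append(line)
        elif (m := ENTRY_RE.match(line)):
            entries.append((m["section"], m["body"], line))
    return processes, entries

def triage(text):
    """Return (kind, detail) findings for the entry classes fixed in this thread."""
    processes, entries = parse_log(text)
    findings = [("lookalike-process", f"{p} resembles {lookalike_of(p)}")
                for p in processes if lookalike_of(p)]
    bare_runs = {}  # bare exe name -> {(hive, value name), ...}
    for section, body, line in entries:
        if section.startswith("R") and body.endswith("="):
            findings.append(("empty-ie-setting", line))      # R0 ... Local Page =
        elif section in ("O2", "O3") and body.endswith("(no file)"):
            findings.append(("orphaned-" + section.lower(), line))
        elif section == "O15":
            findings.append(("trusted-zone", line))           # what DelDomains clears
        elif section == "O4" and (m := RUN_RE.match(body)):
            target = m[3].strip('" ')
            if "\\" not in target:                            # no directory given
                bare_runs.setdefault(target.lower(), set()).add((m[1], m[2]))
        elif section == "O23" and len(parts := body.rsplit(" - ", 2)) == 3:
            owner, path = parts[1], parts[2]
            if path == "(no file)" or (owner == "Unknown owner" and lookalike_of(path)):
                findings.append(("suspect-service", line))
    # One bare exe launched from two or more Run values (svcnet.exe above) is worth
    # a look; a single bare entry such as mHotkey.exe is usually benign.
    for name, regs in bare_runs.items():
        if len(regs) > 1:
            findings.append(("duplicated-bare-run-target", f"{name} via {sorted(regs)}"))
    return findings

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:28} {detail}")
```

Run it as a script to see the nine leads from the sample, or call triage() on a pasted log. The lookalike check uses an edit distance that counts an adjacent swap as one edit, which is what makes LSSAS.EXE and SSMS.EXE register against lsass.exe and smss.exe; plain Levenshtein would put them two edits away and miss them.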

#10 vaaron (Topic Starter, Member, 17 posts)
Hi again !!!

Here's my ActiveScan log

Incident Status Location

Adware:Adware/eZula No disinfected Windows Registry
Adware:Adware/MyWay No disinfected C:\Archivos de programa\MyWay
Adware:Adware/KeenValue No disinfected Windows Registry
Adware:Adware/Startpage.LH No disinfected C:\Documents and Settings\Vaaron\Favoritos\Insurance\Auto Insurance.url
Adware:Adware/MyWebSearch No disinfected Windows Registry
Virus:W32/Randon.CH.worm Disinfected C:\WINDOWS\system32\tmp~2.exe
Virus:Trj/Multidropper.GV Disinfected C:\WINDOWS\system32\msmqins.dll
Virus:Trj/Multidropper.GV Disinfected C:\WINDOWS\system32\ntio40.sys
Adware:Adware/nCase No disinfected C:\WINDOWS\iNetPal\EZThemes_m3tsp8.exe
Adware:Adware/eZula No disinfected C:\WINDOWS\woinstall.exe
Adware:Adware/Startpage.LH No disinfected C:\Documents and Settings\Vaaron\Favoritos\Insurance\Auto Insurance.url
Adware:Adware/Startpage.LH No disinfected C:\Documents and Settings\Vaaron\Favoritos\Insurance\Health Insurance.url
Adware:Adware/Startpage.LH No disinfected C:\Documents and Settings\Vaaron\Favoritos\Insurance\Home Insurance.url
Adware:Adware/Startpage.LH No disinfected C:\Documents and Settings\Vaaron\Favoritos\Insurance\Travel Insurance.url
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Vaaron\Datos de programa\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-79baf131-4ec9debb.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Vaaron\Datos de programa\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-79baf131-4ec9debb.zip[VB.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Vaaron\Datos de programa\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-79baf131-4ec9debb.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Vaaron\Datos de programa\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-79baf131-4ec9debb.zip[Beyond.class]
Virus:W32/Sober.V.worm Disinfected Carpetas locales\Elementos eliminados\Re:\[our_secret.zip][Winzipped-Text_Data.txt .pif]


And here's my HiJackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 22:50:35, on 04/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\ARCHIVOS DE PROGRAMA\SCANJET\PrecisionScanLT\hppwrsav.exe
C:\Archivos de programa\RefreshLock\RefreshLock.exe
C:\archivos de programa\microangelo\muamgr.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\System32\service.exe
C:\WINDOWS\system32\csrs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Instaladores\Spyware\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hppwrsav] C:\ARCHIVOS DE PROGRAMA\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [RefreshLock] C:\Archivos de programa\RefreshLock\RefreshLock.exe
O4 - HKLM\..\Run: [MOD] c:\archivos de programa\microangelo\muamgr.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - Startup: Acceso directo a RefreshLock.exe.lnk = C:\Archivos de programa\RefreshLock\RefreshLock.exe
O8 - Extra context menu item: Convert to Palm e-Book - C:\Archivos de programa\PUG-WavePDB\WavePDB.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\ARCHIV~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\ARCHIV~1\ICQ\ICQ.exe
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\ARCHIV~1\DAP\DAP.EXE
O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-9F63-900533FAFE14} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: ShopperReports - Compare product prices - {E77EDA01-3C56-4a96-8D08-02B42891C169} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: COM+ System Service - Unknown owner - C:\WINDOWS\system32\SSMS.EXE
O23 - Service: Network DDE Connections (NETDDEC) - Unknown owner - C:\WINDOWS\System32\service.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Ptingedeers - Parallel Technologies, Inc. - (no file)



THANKS AGAIN !

#11 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
I need you to copy all of the Killbox instructions below and paste them into Notepad and save it.

* Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.

* Save it to your desktop.

* Run Killbox.exe.

* Select "Delete on Reboot".

* Open the Notepad file where you saved these instructions earlier, and copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C:

C:\Archivos de programa\MyWay
C:\WINDOWS\iNetPal\EZThemes_m3tsp8.exe
C:\WINDOWS\woinstall.exe
C:\Documents and Settings\Vaaron\Favoritos\Insurance\Auto Insurance.url
C:\Documents and Settings\Vaaron\Favoritos\Insurance\Health Insurance.url
C:\Documents and Settings\Vaaron\Favoritos\Insurance\Home Insurance.url
C:\Documents and Settings\Vaaron\Favoritos\Insurance\Travel Insurance.url


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

After your computer reboots, please follow these instructions to make sure all the Java viruses are gone:

1. Click Start > Control Panel.

2. Double-click the Java icon (coffee cup) in the control panel. (Let me know if it says "Java Plug-in" under the icon because you won't be able to follow my directions if it does).

3. Click Settings under Temporary Internet Files.

4. Click Delete Files.

There are three options on this window to clear the cache - leave ALL 3 checked.
1. Delete Files
2. View Applications
3. View Applets

5. Click OK on Delete Temporary Files window.
Note: This deletes all the Downloaded Applications and Applets from the cache.

6. Click OK on Temporary Files Settings window.

7. Click OK to leave the Java Control Panel.

#12 vaaron (Topic Starter, Member, 17 posts)
I'll do that and tell you.

Thx !!!!!!

#13 vaaron (Topic Starter, Member, 17 posts)
Hey mate, here's my new HijackThis log.
Am I clean now?
Many thx !!

Logfile of HijackThis v1.99.1
Scan saved at 15:45:36, on 11/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\ARCHIVOS DE PROGRAMA\SCANJET\PrecisionScanLT\hppwrsav.exe
C:\Archivos de programa\RefreshLock\RefreshLock.exe
C:\archivos de programa\microangelo\muamgr.exe
C:\WINDOWS\mHotkey.exe
C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\service.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\csrs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Instaladores\Spyware\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hppwrsav] C:\ARCHIVOS DE PROGRAMA\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [RefreshLock] C:\Archivos de programa\RefreshLock\RefreshLock.exe
O4 - HKLM\..\Run: [MOD] c:\archivos de programa\microangelo\muamgr.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - Startup: Acceso directo a RefreshLock.exe.lnk = C:\Archivos de programa\RefreshLock\RefreshLock.exe
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\ARCHIV~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\ARCHIV~1\ICQ\ICQ.exe
O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-9F63-900533FAFE14} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: ShopperReports - Compare product prices - {E77EDA01-3C56-4a96-8D08-02B42891C169} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: COM+ System Service - Unknown owner - C:\WINDOWS\system32\SSMS.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoguard.exe
O23 - Service: Network DDE Connections (NETDDEC) - Unknown owner - C:\WINDOWS\System32\service.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Ptingedeers - Parallel Technologies, Inc. - (no file)

#14 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Not quite, I'll be right back!

Michelle :tazz:

#15 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
I need you to copy all of the Killbox instructions below and paste them into Notepad and save it.

* Run Killbox.exe.

* Select "Delete on Reboot".

* Open the Notepad file where you saved these instructions earlier, and copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C:

C:\WINDOWS\system32\SSMS.EXE
C:\WINDOWS\System32\service.exe
C:\WINDOWS\system32\csrs.exe


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

After your computer reboots, run HiJackThis and place a check next to these items, if found, and click FIX CHECKED:

O23 - Service: COM+ System Service - Unknown owner - C:\WINDOWS\system32\SSMS.EXE
O23 - Service: Network DDE Connections (NETDDEC) - Unknown owner - C:\WINDOWS\System32\service.exe
O23 - Service: Ptingedeers - Parallel Technologies, Inc. - (no file)


Post a new HijackThis log.





