Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

[Referred]Adware SE doesn't find spyware

Started by SSergey , Apr 28 2005 10:00 AM

This topic is locked

#1
SSergey

Posted 28 April 2005 - 10:00 AM

Member

Member
10 posts

I have a problem: a spyware which places shortcuts on my desktop, opens popups and changes homepage to "www.newgenlook.info....". And it also placed a red icon with the white cross near the clock. I've tried at least 10 different programs, and any of it couldn't find this adware. Please, help me. :tazz:

Here is Ad-Aware's SE log.

Ad-Aware SE Build 1.05
Logfile Created on:ceturtdiena, 2005. gada 28. aprîlî 18:31:01
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R41 25.04.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
None
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R41 25.04.2005
Internal build : 48
File location : D:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 462131 Bytes
Total size : 1397647 Bytes
Signature data size : 1367126 Bytes
Reference data size : 30009 Bytes
Signatures total : 39003
Fingerprints total : 816
Fingerprints size : 28835 Bytes
Target categories : 15
Target families : 650

Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:27 %
Total physical memory:261616 kb
Available physical memory:70212 kb
Total page file size:635012 kb
Available on page file:483976 kb
Total virtual memory:2097024 kb
Available virtual memory:2047232 kb
OS:Microsoft Windows XP Professional Service Pack 1 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Play sound at scan completion if scan locates critical objects

04-28-2005 18:31:01 - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 472
ThreadCreationTime : 04-28-2005 15:29:44
BasePriority : Normal

#:2 [csrss.exe]
ModuleName : \??\D:\WINDOWS\system32\csrss.exe
Command Line : D:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestTh
ProcessID : 528
ThreadCreationTime : 04-28-2005 15:29:47
BasePriority : Normal

#:3 [winlogon.exe]
ModuleName : \??\D:\WINDOWS\SYSTEM32\winlogon.exe
Command Line : winlogon.exe
ProcessID : 552
ThreadCreationTime : 04-28-2005 15:29:48
BasePriority : High

#:4 [services.exe]
ModuleName : D:\WINDOWS\system32\services.exe
Command Line : D:\WINDOWS\system32\services.exe
ProcessID : 596
ThreadCreationTime : 04-28-2005 15:29:48
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
ModuleName : D:\WINDOWS\system32\lsass.exe
Command Line : D:\WINDOWS\system32\lsass.exe
ProcessID : 608
ThreadCreationTime : 04-28-2005 15:29:48
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [ati2evxx.exe]
ModuleName : D:\WINDOWS\System32\Ati2evxx.exe
Command Line : D:\WINDOWS\System32\Ati2evxx.exe
ProcessID : 764
ThreadCreationTime : 04-28-2005 15:29:48
BasePriority : Normal

#:7 [svchost.exe]
ModuleName : D:\WINDOWS\system32\svchost.exe
Command Line : D:\WINDOWS\system32\svchost -k rpcss
ProcessID : 804
ThreadCreationTime : 04-28-2005 15:29:49
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
ModuleName : D:\WINDOWS\System32\svchost.exe
Command Line : D:\WINDOWS\System32\svchost.exe -k netsvcs
ProcessID : 856
ThreadCreationTime : 04-28-2005 15:29:49
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
ModuleName : D:\WINDOWS\System32\svchost.exe
Command Line : D:\WINDOWS\System32\svchost.exe -k NetworkService
ProcessID : 1012
ThreadCreationTime : 04-28-2005 15:29:49
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
ModuleName : D:\WINDOWS\System32\svchost.exe
Command Line : D:\WINDOWS\System32\svchost.exe -k LocalService
ProcessID : 1068
ThreadCreationTime : 04-28-2005 15:29:50
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [ati2evxx.exe]
ModuleName : D:\WINDOWS\SYSTEM32\Ati2evxx.exe
Command Line : Ati2evxx.exe -Client
ProcessID : 1196
ThreadCreationTime : 04-28-2005 15:29:51
BasePriority : Normal

#:12 [explorer.exe]
ModuleName : D:\WINDOWS\Explorer.EXE
Command Line : D:\WINDOWS\Explorer.EXE
ProcessID : 1252
ThreadCreationTime : 04-28-2005 15:29:51
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:13 [spoolsv.exe]
ModuleName : D:\WINDOWS\system32\spoolsv.exe
Command Line : D:\WINDOWS\system32\spoolsv.exe
ProcessID : 1312
ThreadCreationTime : 04-28-2005 15:29:51
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:14 [soundman.exe]
ModuleName : D:\WINDOWS\SOUNDMAN.EXE
Command Line : "D:\WINDOWS\SOUNDMAN.EXE"
ProcessID : 1416
ThreadCreationTime : 04-28-2005 15:29:51
BasePriority : Normal
FileVersion : 5.1.14
ProductVersion : 5.1.14
ProductName : Realtek Sound Manager
CompanyName : Realtek Semiconductor Corp.
FileDescription : Realtek Sound Manager
InternalName : ALSMTray
LegalCopyright : Copyright © 2001-2003 Realtek Semiconductor Corp.
OriginalFilename : ALSMTray.exe
Comments : Realtek AC97 Audio Sound Manager

#:15 [trayap~2.exe]
ModuleName : D:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~2.EXE
Command Line : "D:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~2.EXE"
ProcessID : 1424
ThreadCreationTime : 04-28-2005 15:29:51
BasePriority : Normal
FileVersion : 6, 3, 26, 0
ProductVersion : 6, 0, 26, 0
ProductName : Nokia Tray Application
FileDescription : Nokia Tray Application
InternalName : Nokia Tray Application
LegalCopyright : Copyright © 2001 - 2004 Nokia. All Rights Reserved.
OriginalFilename : TrayApplication.EXE

#:16 [lvagent.exe]
ModuleName : D:\Program Files\ABBYY Lingvo 10 Multilingual Dictionary\Lvagent.exe
Command Line : "D:\Program Files\ABBYY Lingvo 10 Multilingual Dictionary\Lvagent.exe" /STARTUP
ProcessID : 1448
ThreadCreationTime : 04-28-2005 15:29:51
BasePriority : Normal
FileVersion : 10.0.0.213
ProductVersion : 10.0.0.213
ProductName : Lingvo
CompanyName : ABBYY (BIT Software)
FileDescription : Lingvo Launcher
InternalName : LvAgent
LegalCopyright : Copyright © 2004 ABBYY Software Ltd.
LegalTrademarks : ABBYY® Lingvo®, ABBYY Lingvo Tutor ™ are trademarks or registered trademarks of ABBYY Software Ltd.
OriginalFilename : LvAgent.exe

#:17 [datala~2.exe]
ModuleName : D:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~2.EXE
Command Line : "D:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~2.EXE"
ProcessID : 1472
ThreadCreationTime : 04-28-2005 15:29:52
BasePriority : Normal
FileVersion : 6, 3, 72, 2
ProductVersion : 5, 0
ProductName : Nokia PC Suite
CompanyName : Nokia Mobile Phones Ltd.
FileDescription : DataLayer 2.0 Module
InternalName : DataLayer 2.0
LegalCopyright : Copyright © 2004. Nokia. All rights reserved.
OriginalFilename : DataLayer.exe

#:18 [atiptaxx.exe]
ModuleName : D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
Command Line : "D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
ProcessID : 1480
ThreadCreationTime : 04-28-2005 15:29:52
BasePriority : Normal
FileVersion : 6.14.10.5120
ProductVersion : 6.14.10.5120
ProductName : ATI Desktop Component
CompanyName : ATI Technologies, Inc.
FileDescription : ATI Desktop Control Panel
InternalName : Atiptaxx.exe
LegalCopyright : Copyright © 1998-2004 ATI Technologies Inc.
OriginalFilename : Atiptaxx.exe

#:19 [sensiva.exe]
ModuleName : D:\Program Files\Sensiva\Sensiva.exe
Command Line : "D:\Program Files\Sensiva\Sensiva.exe"
ProcessID : 1488
ThreadCreationTime : 04-28-2005 15:29:52
BasePriority : Normal
FileVersion : 3, 1, 1, 0
ProductVersion : 3, 1, 1, 0
ProductName : Sensiva
CompanyName : Sensiva, Inc.
FileDescription : Sensiva v3 for Windows
InternalName : Sensiva
LegalCopyright : © 2001 Sensiva, Inc. All rights reserved.
OriginalFilename : Sensiva.exe
Comments : Latest versions available at www.sensiva.com

#:20 [ctfmon.exe]
ModuleName : D:\WINDOWS\System32\ctfmon.exe
Command Line : "D:\WINDOWS\System32\ctfmon.exe"
ProcessID : 1504
ThreadCreationTime : 04-28-2005 15:29:52
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:21 [msnmsgr.exe]
ModuleName : D:\Program Files\MSN Messenger\msnmsgr.exe
Command Line : "D:\Program Files\MSN Messenger\msnmsgr.exe"
ProcessID : 1552
ThreadCreationTime : 04-28-2005 15:29:52
BasePriority : Normal
FileVersion : 7.0.0777
ProductVersion : 7.0.0777
ProductName : MSN Messenger
CompanyName : Microsoft Corporation
FileDescription : MSN Messenger
InternalName : msnmsgr
LegalCopyright : Copyright © Microsoft Corporation 1997-2004
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msnmsgr.exe

#:22 [servic~2.exe]
ModuleName : D:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~2.EXE
Command Line : D:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~2.EXE -Embedding
ProcessID : 1640
ThreadCreationTime : 04-28-2005 15:29:53
BasePriority : Normal
FileVersion : 6, 3, 15, 0
ProductVersion : 6.0
ProductName : Nokia Connectivity Library
CompanyName : Nokia.
FileDescription : ServiceLayer Module
InternalName : ServiceLayer
LegalCopyright : Copyright © 2002-2004 Nokia. All Rights Reserved.
OriginalFilename : ServiceLayer.exe

#:23 [gcasdtserv.exe]
ModuleName : D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
Command Line : "D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe"
ProcessID : 1792
ThreadCreationTime : 04-28-2005 15:29:55
BasePriority : Normal
FileVersion : 1.00.0509
ProductVersion : 1.00.0509
ProductName : Microsoft AntiSpyware (Beta 1)
CompanyName : Microsoft Corporation
FileDescription : Microsoft AntiSpyware Data Service
InternalName : gcasDtServ
LegalCopyright : Copyright © 2004-2005 Microsoft Corporation. All rights reserved.
LegalTrademarks : Microsoft® and Windows® are registered trademarks of Microsoft Corporation. SpyNet™ is a trademark of Microsoft Corporation.
OriginalFilename : gcasDtServ.exe

#:24 [cisvc.exe]
ModuleName : D:\WINDOWS\system32\cisvc.exe
Command Line : D:\WINDOWS\system32\cisvc.exe
ProcessID : 1908
ThreadCreationTime : 04-28-2005 15:29:59
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Content Index service
InternalName : cisvc.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : cisvc.exe

#:25 [locator.exe]
ModuleName : D:\WINDOWS\System32\locator.exe
Command Line : D:\WINDOWS\System32\locator.exe
ProcessID : 2012
ThreadCreationTime : 04-28-2005 15:30:03
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Rpc Locator
InternalName : locator.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : locator.exe

#:26 [svchost.exe]
ModuleName : D:\WINDOWS\System32\svchost.exe
Command Line : D:\WINDOWS\System32\svchost.exe -k imgsvc
ProcessID : 244
ThreadCreationTime : 04-28-2005 15:30:06
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:27 [ad-aware.exe]
ModuleName : D:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
Command Line : "D:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID : 1704
ThreadCreationTime : 04-28-2005 15:30:32
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

#:28 [wuauclt.exe]
ModuleName : D:\WINDOWS\System32\wuauclt.exe
Command Line : "D:\WINDOWS\System32\wuauclt.exe" /RunStoreAsComServer Local\[358]SUSDS0ed86b132fe0d6488fc4962a934b91df
ProcessID : 1960
ThreadCreationTime : 04-28-2005 15:30:52
BasePriority : Normal
FileVersion : 5.4.3790.2182 built by: srv03_rtm(ntvbl04)
ProductVersion : 5.4.3790.2182
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Automatic Updates
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wuauclt.exe

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

Scanning Hosts file......
Hosts file location:"D:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 0

18:43:37 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:12:35.875
Objects scanned:135320
Objects identified:0
Objects ignored:0
New critical objects:0

#2
Rawe

Posted 28 April 2005 - 10:08 AM

Visiting Staff

Member
4,746 posts

Hi again!

Please, run these online virusscans here;
- Panda Activescan
- Trend Micro
- F-secure

(ActiveScan and Trend Micro are recommended.)

First, remove/fix any problem Trend Micro & F-Secure's scans might find, post Panda's scan log in this topic, and reboot after this.

- Rawe :tazz:

We'll continue then.

#3
SSergey

Posted 28 April 2005 - 10:25 AM

Member

Topic Starter
Member
10 posts

I can't run panda scan - after choosing what to scan it writes me "error on page" :tazz:

#4
Rawe

Posted 28 April 2005 - 10:26 AM

Visiting Staff

Member
4,746 posts

Ok, did you try the other two scans?

- Rawe :tazz:

#5
Guest_Andy_veal_*

Posted 28 April 2005 - 10:36 AM

Guest

If not here are some more AV's.....

Panda

Symantec

McAfee

TrendMicro Recommended

F-secure

#6
SSergey

Posted 28 April 2005 - 10:52 AM

Member

Topic Starter
Member
10 posts

Ok, thank you very much. I will try this scaners and reply ASAP. :tazz:

#7
SSergey

Posted 28 April 2005 - 11:14 AM

Member

Topic Starter
Member
10 posts

Trade Micro didn't find any spyware or viruses... :tazz:

#8
Guest_Andy_veal_*

Posted 28 April 2005 - 11:16 AM

Guest

Are you still having problems?

#9
SSergey

Posted 28 April 2005 - 11:20 AM

Member

Topic Starter
Member
10 posts

Yep...

Still popusps, shortcuts and this stupid red icon with white cross on it... gr...

#10
Guest_Andy_veal_*

Posted 28 April 2005 - 11:22 AM

Guest

Please follow the instructions located in Step Five: Posting a Hijack This Log. Post your HJT log as a reply to this thread, which has been relocated to the Malware Removal Forum for providing you with further assistance.

Kindly note that it is very busy in the Malware Removal Forum, so there may be a delay in receiving a reply. Please also note that HJT logfiles are reviewed on a first come/first served basis.

#11
SSergey

Posted 28 April 2005 - 11:29 AM

Member

Topic Starter
Member
10 posts

As I understood I have to place the log here? (If I misuderstood you, sorry..)

Logfile of HijackThis v1.99.1
Scan saved at 20:28:23, on 04/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\SYSTEM32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\SYSTEM32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~2.EXE
D:\Program Files\ABBYY Lingvo 10 Multilingual Dictionary\Lvagent.exe
D:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~2.EXE
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\Sensiva\Sensiva.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~2.EXE
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\WINDOWS\system32\cisvc.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\cidaemon.exe
D:\Program Files\WinRAR\WinRAR.exe
D:\DOCUME~1\Sergej\LOCALS~1\Temp\Rar$EX00.688\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0237/
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AltaVista Toolbar - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - D:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - D:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: AltaVista Toolbar - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - D:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL
O3 - Toolbar: PROMT - {FF284F5C-7CF9-4682-8701-D467C1DBB99F} - D:\Program Files\PRMT6\PRMTIE\prmtie.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~2.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LingvoTraining] "D:\Program Files\ABBYY Lingvo 10 Multilingual Dictionary\Tutor.exe" /ND /NW /AS
O4 - HKLM\..\Run: [Lingvo Launcher] "D:\Program Files\ABBYY Lingvo 10 Multilingual Dictionary\Lvagent.exe" /STARTUP
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [FreeRAM XP] "D:\Documents and Settings\Sergej\Local Settings\Temp\Temporary Directory 1 for frxpro11[1].zip\FreeRAM XP Pro 1.1.exe" -win
O4 - HKLM\..\Run: [DataLayer] D:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~2.EXE
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [Sensiva] "D:\Program Files\Sensiva\Sensiva.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: MSN Messenger 7.0.lnk = ?
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: AltaVista Search - file://D:\Program Files\ALTAVISTA Toolbar\Cache\SelectedContextSearch.htm
O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate - file://D:\Program Files\ALTAVISTA Toolbar\Cache\SelectedContextTranslation.htm
O8 - Extra context menu item: Translate into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Translate with Lingvo - res://D:\Program Files\ABBYY Lingvo 10 Multilingual Dictionary\Lingvo.exe/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - D:\Program Files\PRMT6\PRMTIE\prmtie5.htm
O9 - Extra 'Tools' menuitem: Lasaaannc - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - D:\Program Files\PRMT6\PRMTIE\prmtie5.htm
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - D:\Program Files\PRMT6\PRMTIE\options.htm
O9 - Extra 'Tools' menuitem: Kannsieza lasaaiaa - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - D:\Program Files\PRMT6\PRMTIE\options.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} (AltaVista Toolbar) - http://toolbar.altav...ab?r=1114004817
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1114006237078
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{75AD8AE1-FEF8-4461-ADBB-1E96A42FF6E1}: NameServer = 217.199.126.2,159.148.60.20
O23 - Service: Adobe LM Service - Unknown owner - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe

Edited by SSergey, 28 April 2005 - 11:31 AM.

#12
Guest_thatman_*

Posted 02 May 2005 - 02:39 AM

Guest

Hi SSergey

Are you running a multi-boot system.

Please read through the instructions before you start (you may want to print this out).

HijackThis is being run from a temporary folder; this means that any backups it creates as a result of fixes made with it will be lost. Please create a new folder for it and place the program into that new folder. I.E C:\HJT\HijackThis.exe

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0237/
Click on Fix Checked when finished and exit HijackThis.

Lets see if this will find any hidden Trojan’s http://www.ewido.net/en/download/
This setup contains the free as well as the plus-version of the ewido security suite. After the installation, a free 14-day test version containing all the extensions of the plus-version will be activated. At the end of the test phase, the extensions of the plus version are deactivated and the freeware version can be used unlimited times. The purchased license code of the plus version can be entered at any time.
Now run ewido

Please post the logs From ewido and HJT.log

Kc :tazz: