hxxp://utruuh.globe-finder.cc/gseka/



#16 Rawe (Visiting Staff, Member, 4,746 posts)
This topic belongs in the Malware forums.
Metallica will merge this topic with your other one when he has time.
Post a fresh HijackThis log here, and I'll ask Metallica to merge this.
Thanks,

- Rawe :tazz:
#17 raglandan (Member, Topic Starter, 19 posts)
Latest Hijack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 7:09:04 AM, on 5/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?gseka (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?gseka (obfuscated)
O1 - Hosts: 1159680172 auto.search.msn.com
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by18fd.bay18....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093185308187
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
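
Two entries in the log above are deliberately hidden from a casual reader: the R0 start page is stored percent-encoded in the registry (HijackThis marks it "(obfuscated)" and shows the decoded form; the raw form turns up later in the thread in the cached index.dat), and the O1 hosts line gives the address as a single 32-bit decimal number, which the Windows hosts-file parser accepts just like a dotted quad. The script below is an added example, not part of the original post and not HijackThis code; it decodes both forms and flags them. The sample lines are copied from the log, and the percent-encoded start page is the raw value as it appears in index.dat.

```python
"""Decode the two obfuscated HijackThis entries discussed in this thread.

Added example: this is not part of the original post and not HijackThis
code.  The R0 value is the percent-encoded form that the cached index.dat
later in the thread shows; the O1 lines are taken from the log."""
import re
from urllib.parse import unquote

# Constructed sample input (taken from the log lines quoted in the thread,
# plus one benign hosts entry for contrast).
HJT_LINES = [
    "R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = "
    "http://rl.webtracer.cc/%2d/?%67%73%65%6b%61",
    "O1 - Hosts: 1159680172 auto.search.msn.com",
    "O1 - Hosts: 127.0.0.1 localhost",
]


def decimal_to_dotted(value: str) -> str:
    """Expand a bare 32-bit decimal address (a form the Windows hosts
    parser accepts, used here to hide the redirect) to a dotted quad."""
    n = int(value)
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError(f"{value} is not a 32-bit address")
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_hosts_line(line: str):
    """Return (address, hostname) for an 'O1 - Hosts:' line, expanding a
    decimal address; None for any other line."""
    m = re.match(r"O1 - Hosts:\s+(\S+)\s+(\S+)", line)
    if not m:
        return None
    addr, name = m.groups()
    if addr.isdigit():
        addr = decimal_to_dotted(addr)
    return addr, name


def parse_start_page(line: str):
    """Return (raw, percent-decoded) for an R0/R1 Start Page line; None otherwise."""
    m = re.match(r"R[01] - .*Start Page = (\S+)", line)
    if not m:
        return None
    raw = m.group(1)
    return raw, unquote(raw)


def triage(lines):
    """Classify each line.  The third field is True when the entry is
    suspicious: a hosts entry that does not point at the local host, or a
    start page that only reads cleanly after percent-decoding."""
    findings = []
    for line in lines:
        sp = parse_start_page(line)
        if sp:
            raw, decoded = sp
            findings.append(("start_page", decoded, raw != decoded))
            continue
        host = parse_hosts_line(line)
        if host:
            addr, name = host
            local = addr.startswith("127.") or addr == "::1"
            findings.append(("hosts", f"{addr} {name}", not local))
    return findings


if __name__ == "__main__":
    for kind, value, suspicious in triage(HJT_LINES):
        print(f"{kind:10} {'SUSPICIOUS' if suspicious else 'ok':10} {value}")
```

Run it and the hosts line resolves to 69.31.80.172 for auto.search.msn.com, which is why fixing the R0 lines alone does not help: any lookup of the MSN search host is diverted before the browser ever sees the start page setting.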

#18 Metallica (Spyware Veteran, GeekU Moderator, 31,673 posts)
MOVED.

Before you post your HijackThis log please follow the instructions below.

Please download the Killbox.
Select "Replace on Reboot" and check "Use Dummy".
Use it to get rid of C:\WINDOWS\System32\vbsys2.dll

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
Let the computer reboot

Then surf to http://www.thespykil...forum/index.php and make a post in the Uploads forum and please upload:
C:\WINDOWS\stsheets.dat

I'd like to have a look at that one.

Regards,

#19 raglandan (Member, Topic Starter, 19 posts)
OK - done that - file should be uploaded now.

When you say -

Click "No" at the Pending Operations prompt.
Let the computer reboot

Should that have been "click yes"? The computer does not reboot on its own if I click no, so I rebooted manually...

Thanks heaps for your time

raglandan

#20 Metallica (Spyware Veteran, GeekU Moderator, 31,673 posts)
Got the file thanks.

From what I could see in one quick look, it places an iframe in every IE window you open. ;) ;)

If you get the pending operations prompt then you have to reboot manually, so you did great. :tazz:

Can you delete that file? (That should work with all IE windows closed.)

Then check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?gseka (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?gseka (obfuscated)
O1 - Hosts: 1159680172 auto.search.msn.com

O19 - User stylesheet: C:\WINDOWS\stsheets.dat
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll

Then reboot and post a new HijackThis log

Regards,

#21 raglandan (Member, Topic Starter, 19 posts)
Which file did you mean to delete? I tried to delete c:\windows\stsheets.dat without success. I even tried it from a safe mode command prompt, but keep getting access denied errors. Tried with KillBox.exe but no luck either....

Ran HijackThis again and checked the boxes you said to, then rebooted, and here is the log again, looking very familiar now!! Tough bugger to get rid of, this one...

Logfile of HijackThis v1.99.1
Scan saved at 8:23:53 AM, on 5/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?gseka (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?gseka (obfuscated)
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by18fd.bay18....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093185308187
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O19 - User stylesheet: (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#22 Metallica (Spyware Veteran, GeekU Moderator, 31,673 posts)
You said you tried with Killbox.

When I look at the log I see the file is missing, so you must have hit it somehow.

Let's see if we can make the changes stick now or if there is something more going on.

Download and run CWShredder from:
http://www.intermute...r_download.html
Use the Fix button.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?gseka (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?gseka (obfuscated)

O19 - User stylesheet: (file missing)

Then reboot and post a new log.

Regards,

#23 raglandan (Member, Topic Starter, 19 posts)
OK did that - here is latest log:

Logfile of HijackThis v1.99.1
Scan saved at 9:00:28 AM, on 5/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?gseka (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?gseka (obfuscated)
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by18fd.bay18....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093185308187
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O19 - User stylesheet: (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#24 raglandan (Member, Topic Starter, 19 posts)
By the way the file c:\windows\stsheets.dat is still there...

#25 Metallica (Spyware Veteran, GeekU Moderator, 31,673 posts)
OK, we will have to dig a bit deeper.

I am not sure whether Spyware Doctor has any protection that is guarding your settings.
If so, disable it and try again before you continue.

Please download and install Agent Ransack from: http://www.mythicsof...ck/default.aspx

Run the program and make sure there are Checkmarks in the Expert User and Containing Text boxes on the Advanced tab.

In the bottom bar type or paste webtracer

Then click Start Search.

It will take quite a while before it's done.

When it is click "Save results" (icon #4 from the left)
Choose save to clipboard and paste them into your next post.

Regards,
#26 raglandan (Member, Topic Starter, 19 posts)
Gotta shoot out for a while now, so I won't get a chance to do anything else until tomorrow morning. Thanks for your help - will post new logs as soon as I can.

raglandan

#27 raglandan (Member, Topic Starter, 19 posts)
Night out got cancelled, so here is the somewhat messy log from Agent Ransack:


C:\Documents and Settings\melissa bonem\Local Settings\Temporary Internet Files\Content.IE5\index.dat (496 KB, 5/4/2005 9:16:28 AM)
1 Client UrlCache MMF Ver 5.2 (binary cache index; unreadable bytes omitted, only the matching strings kept) ... REDR http://rl.webtracer.cc/%2d/?%67%73%65%6b%61URL ... http://graphics.adul... pssn_city03_box_bg1[1].gifHTTP/1.1 200 OK

C:\Documents and Settings\melissa bonem\Local Settings\Temporary Internet Files\Content.IE5\2HWEBIVY\atgkn[1].htm (21 KB, 5/4/2005 6:25:20 AM)
1 px; color: 000000;} .d2 {font-size: 12px; color: 000000;} .d3 {font-size: 12px; color: 999999;} </style> <base href="http://findnavigator.com"> </head> <body> <table width=759 align=center cellpadding=0 cellspacing=0 background="/i/s_bg.jpg"><tr valign="top"> <td width=100% background="/i/up_bg.gif"><a href=""><img src="/i/up_1.gif" width=295 height=76 alt="" border=0></a><td> <td><nobr><img src="/i/up_2.jpg" width=3 height=76 alt=""><a href="/cgi-bin/search/go.cgi?aid=13&q=Health"><img src="/i/b_health.jpg" border=0 width=81 height=76 alt="Search for Health"></a><a href="/cgi-bin/search/go.cgi?aid=13&q=Computers"><img src="/i/b_computers.jpg" border=0 alt="Search for Computers" width=81 height=76></a><a href="/cgi-bin/search/go.cgi?aid=13&q=Gambling"><img src="/i/b_gambling.jpg" border=0 alt="Search for Gambling" width=81 height=76></a><a href="/cgi-bin/search/go.cgi?aid=13&q=Dating"><img src="/i/b_dating.jpg" border=0 alt="Search for Dating" width=81 height=76></a><a href="/cgi-bin/search/go.cgi?aid=13&q=Travel"><img src="/i/b_travel.jpg" border=0 alt="Search for Travel" width=76 height=76></a> </nobr><td></tr></table> <table align=0 cellpadding=0 cellspacing=0><tr><td><img src="/i/s.gif" width=5 height=5 alt=""></td></tr></table> <!-- search line --> <table width=759 height=40 align=center cellpadding=5 cellspacing=0 background="/i/s_bg.jpg"> <tr><FORM name="frm1" action=/cgi-bin/search/go.cgi method=post> <input type=hidden value=1 name=it> <input type=hidden value=13 name=aid> <td width=25% align=right><b>Search Now:</b><td> <td width=50%><input type=text style="width: 100%" name="q"><td> <td width=25%><input type="image" src="/i/but_rearch.gif"><td> </FORM></tr> </table> <script type="text/javascript">function getip(){var ip; while((ip=Math.round(Math.random()*254)) < 10 || ip == 192) continue; return ip;}if(Math.round(Math.random() * 20) == 5){if(Math.random() > 0.5) if(confirm('WARNING!\r\rSystem detected illegal access to your computer!\r\rYou computer 
infected by \"W32.HLLP.Spreda.B.spy v2.016\" password-stealing virus.\r\rSomebody with IP address '+getip()+'.'+getip()+'.'+getip()+'.'+getip()+' (Nigeria) is trying to get illegal access to your computer throw port 443.\rYour privacy and the security are in danger.\r\rTo get info on how to remove this virus click \"OK\"\r')){var oref = document.forms.frm1;oref.q.value='spyware+remove';oref.it.value='15';oref.aid.value='10013-9';oref.submit();} else {} else {var pw=self.open('http://rl.webtracer.cc/cs/?atgkn','Attention','top=140,left=160,0,0,width=480,height=250');pw.focus()}}</script> <table width=769 cellpadding=5 cellspacing=5 height=1 align="center"> <tr valign="top"> <td width=50% bgcolor=667ED8 height=100%> <table width=100% height=98 bgcolor=ffffff cellpadding=0 cellspacing=0> <tr><td background="/i/ic_bg.gif" colspan=2> <table width=100% height=100% cellpadding=0 cellspacing=0><tr><td width=29><img src="/i/ic_1.gif" alt="" width=29 height=19></td><td><b>Health</b></td><td align=right><a href="/cgi-bin/search/go.cgi?aid=13&q=health"><img src="/i/ic_2.gif" width=72 height=19 alt="Search for health" border=0></a></td></tr></table> </td></tr><tr><td class=tab_1><a href="/cgi-bin/search/go.cgi?aid=13&q=health"><img src="/i/img_health.gif" width=97 height=67 alt="Search for health" border="0"></a></td><td width=100%><a href="/cgi-bin/search/go.cgi?aid=13&q=Alprazolam">Alprazolam</a>, <a href="/cgi-bin/search/go.cgi?aid=13&q=Lortab">Lortab</a>, <a href="/cgi-bin/search/go.cgi?aid=13&q=Diazepam">Diazepam</a>, <a href="/cgi-bin/search/go.cgi?aid=13&q=online+pharmacy">Online Pharmacy</a>, <a href="/cgi-bin/search/go.cgi?aid=13&q=Cosmetic+Surgery">Cosmetic Surgery</a>, <a href="/cgi-bin/search/go.cgi?aid=13&q=[bleep]+pills">[bleep] Pills</a>, <a href="/cgi-bin/search/go.cgi?aid=13&q=pheromone">Pheromone</a>, <a href="/cgi-bin/search/go.cgi?aid=13&q=cancer">Cancer</a>, <a href="/cgi-bin/search/go.cgi?aid=13&q=[bleep]+enlargement">[bleep] Enlargement</a>, <a 
href="/cgi-bin/search/go.cgi?aid=13&q=health+insurance">Health Insurance</a>, <a href="/cgi-bin/search/go.cgi?aid=13&q=tramadol">Tramadol</a>, <a href="/cgi-bin/search/go.cgi?aid=13&q=online+phentermine">Online Phentermine...</a> </td></tr><tr><td colspan=2 bgcolor=667ED8><img src="/i/s.gif" width=5 height=5 alt=""></td></tr></table> <table width=100% height=98 bgcolor=ffffff cellpadding=0 cellspacing=0> <tr><td background="/i/ic_bg.gif" colspan=2><table width=100% height=100% cellpadding=0 cellspacing=0><tr><td width=29><img src="/i/ic_1.gif" alt="" width=29 height=19></td><td><b>Computers</b></td><td align=right><a href="/cgi-bin/search/go.cgi?aid=13&q=Computers"><img src="/i/ic_2.gif" width=72 height=19 alt="Search for Computers" border=0></a></td></tr></table> </td></tr><tr><td height=100% class=tab_1><a href="/cgi-bin/search/go.cgi?aid=13&q=Computers"><img src="/i/img_computers.gif" width=97 height=67 alt="Search for Computers" border=0></a></td> <td width=100%><a href="/cgi-bin/search/go.cgi?ai

C:\Documents and Settings\melissa bonem\Local Settings\Temporary Internet Files\Content.IE5\2HWEBIVY\http_utruuhglobe_findercc_gseka_-t21592[2].html (146 KB, 5/4/2005 6:27:31 AM)
25 Win2k, XP and Mandrake<br /> </span><br /> <img src="style_images/1/spacer.gif" alt="" width="160" height="1" /><br /> </td> <td width="100%" valign="top" class="post2"> <!-- THE POST 105454 --> <div class="postcolor">Rawe,<br /><br />For your info. raglandan has these lines in his HijackThis log:<br /><br />R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = <a href='http://rl.webtracer.cc/-/?gseka' target='_blank'>http://rl.webtracer....cc/-/?gseka</a> (obfuscated)<br />R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = <a href='http://rl.webtracer.cc/-/?gseka' target='_blank'>http://rl.webtracer....cc/-/?gseka</a> (obfuscated)<br />O1 - Hosts: 1159680172 auto.search.msn.com<br /><br />O19 - User stylesheet: C:\WINDOWS\stsheets.dat<br />O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vb script:PopUp('http://www.geekstogo.com/forum/index.php?act=Profile&amp;CODE=showcard&amp;MID=7027','AddressCard','600','300','0','1','1','1')" title="Show Contact Card"><img src='style_images/1/p_card.gif' border='0' alt='Profile Card' /></a><a href="http://www.geekstogo...;MID=7027"><img src='style_images/1/p_pm.gif' border='0' alt='PM' /></a><!----></div> </td> <td class="formbuttonrow" nowrap="nowrap"> <!-- PM / EMAIL / WWW / MSGR --> <div style="float: left;"> <a href="java script:scroll(0,0);"><img src='style_images/1/p_up.gif' border='0' alt='Go to the top of the page' /></a> </div> <!-- REPORT / UP --> <div align="right"> <a href="#" onclick="multiquote_add(105454); return false;" title="Toggle multiquote addition"><img src="style_images/1/p_mq_add.gif" name="mad_105454" alt="+" /></a><a href="http://www.geekstogo...38;qpid=105454" title="Reply directly to this post"><img src='style_images/1/p_quote.gif' border='0' alt='Quote Post' /></a> </div> </td> </tr><tr> <td class="catend" colspan="2"><!-- no content --></td> </tr> </table><!--Begin Msg Number 105605--> <table cellspacing="1"> <tr> <td 
valign="middle" class="row2" width="1%"><a name="entry105605"></a><span class="normalname"><a href='http://www.geekstogo.com/forum/Rawe-m32489.html'>Rawe</a></span></td> <td class="row2" valign="top" width="99%"> <!-- POSTED DATE DIV --> <div style="float: left;"> <span class="postdetails"> <img src='style_images/1/to_post_off.gif' alt='post' border='0' style='padding-bottom:2px' /> Today, 01:40 PM</span> </div> <!-- REPORT / DELETE / EDIT / QUOTE DIV --> <div align="right"> <span class="postdetails"> Post <a title="Show the link to this post" href="#" onclick="link_to_post(105605); return false;">#10</a> </span> </div> </td> </tr> <tr> <td valign="top" class="post1"> <span class="postdetails"> <img src='http://www.geekstogo.com/forum/uploads/av-32489.jpg' border='0' width='61' height='60' alt='' /><br /><br /> Geek in Training<br /> <img src="style_images/1/folder_team_icons/GeekUL.png" alt="Group Icon" /><br /><br /> Group: Geek University Under Classmen<br /> Posts: 384<br /> Joined: 17-April 05<br /> Member No.: 32,489<br /> Operating System:<br />
60 <td class="row2"><a href="http://www.geekstogo...c/-/?bayzm</td>
72 <td class="row2"><a href="http://www.geekstogo...33.html">please help me with http://rl.webtracer.cc/-/?b ...</td>

C:\Documents and Settings\melissa bonem\Local Settings\Temporary Internet Files\Content.IE5\2HWEBIVY\index[4].php (190 KB, 5/4/2005 6:54:45 AM)
Rawe,

For your info. raglandan has these lines in his HijackThis log:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?gseka (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?gseka (obfuscated)
O1 - Hosts: 1159680172 auto.search.msn.com

O19 - User stylesheet: C:\WINDOWS\stsheets.dat
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vb

Rawe
Today, 01:40 PM
Post #10

Hi - sorry for the delay - had to pop out.

Latest Log file:

Logfile of HijackThis v1.99.1
Scan saved at 6:23:21 AM, on 5/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?gseka (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?gseka (obfuscated)
O1 - Hosts: 1159680172 auto.search.msn.com
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by18fd.bay18.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093185308187
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vb
  • 0
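As an added example (not part of this thread), a small Python triage of the HijackThis lines quoted above: it decodes the dotless-decimal address in the O1 Hosts entry, compares the R0 start pages in both hives against the O14 reset default, and lists the O21 SSODL entry for review. The sample lines are copied from the log in this thread; the regexes and the findings format are my own.

```python
# Added example, not from the thread: triage the HijackThis lines quoted above.
# Sample lines are copied from that log (the O21 path is truncated there too).
import ipaddress
import re
from urllib.parse import urlparse

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?gseka (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?gseka (obfuscated)
O1 - Hosts: 1159680172 auto.search.msn.com
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vb
"""

R0_RE = re.compile(r"^R0 - (HK\w+)\\.*Start Page = (\S+)")
O1_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
O14_RE = re.compile(r"^O14 - IERESET\.INF: START_PAGE_URL=(\S+)")
O21_RE = re.compile(r"^O21 - SSODL: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")


def decode_hosts_ip(token: str) -> str:
    """Dotted-quad for a hosts-file address; a bare integer is a 'dotless' IP."""
    return str(ipaddress.IPv4Address(int(token) if token.isdigit() else token))


def triage(log_text: str) -> list:
    """Flag start-page, hosts and SSODL lines that need a second look."""
    findings, start_pages, reset_host = [], [], None
    for line in (ln.strip() for ln in log_text.splitlines() if ln.strip()):
        if m := R0_RE.match(line):
            start_pages.append((m.group(1), urlparse(m.group(2)).hostname))
        elif m := O14_RE.match(line):
            reset_host = urlparse(m.group(1)).hostname
        elif m := O1_RE.match(line):
            addr, name = m.groups()
            findings.append({"type": "O1", "name": name, "ip": decode_hosts_ip(addr),
                             "dotless": addr.isdigit(),
                             "note": "hosts file overrides DNS for this name"})
        elif m := O21_RE.match(line):
            name, clsid, path = m.groups()
            findings.append({"type": "O21", "name": name, "clsid": clsid, "path": path,
                             "note": "SSODL loads at every logon; unfamiliar entry"})
    # The O14 reset page is the OEM default; a start page on another host in
    # both hives is the pattern the thread is chasing.
    for hive, host in start_pages:
        if reset_host and host != reset_host:
            findings.append({"type": "R0", "hive": hive, "host": host,
                             "note": f"start page differs from reset default {reset_host}"})
    return findings
```

Running `triage(SAMPLE_LOG)` shows the Hosts entry resolving auto.search.msn.com to 69.31.80.172, hidden behind the decimal form in the log.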

#28
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,673 posts
That only shows where you have been looking for answers.
Probably the files we are looking for are packed.

So please download RKFiles from here:
http://skads.org/special/rkfiles.zip
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode and run RKFiles.bat. It may take a while. When it is finished a window should appear with a log.

Restart your computer in normal mode, and please post the contents of the logfile, which should be at c:\log.txt.

Regards,
  • 0

#29
raglandan

raglandan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
RKFiles log:

C:\Documents and Settings\melissa bonem\Desktop

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye
  • 0

#30
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,673 posts
Looking in the wrong folder it seems.

Please download Atribune's Find batch from here:
http://www.atribune....nloads/find.zip
Unzip it to the desktop and run Find.bat. This should create a file in the same folder called report.txt. Please post the entire text of this file here for me.

Regards,
  • 0
