Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Help me plss [RESOLVED]


  • This topic is locked This topic is locked

#1
Travex

Travex

    Member

  • Member
  • PipPip
  • 43 posts
I think theres a problem with my internet security

heres my hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 2:49:00 PM, on 5/11/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://gameguard1.le...Crypt/npkcx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F2B1004-38E4-43AD-9D3A-57B11C7E8E75}: NameServer = 69.50.176.156,195.225.176.31
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
  • 0

Advertisements


#2
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Why did you uninstall Service Pack 2?
  • 0

#3
Travex

Travex

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
;) OMG!!

i have no idea that i did

plss i really need ur help now... :tazz:
  • 0

#4
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Please download and apply Service Pack 1.

Click here: http://www.microsoft...p1/default.mspx
Apply the update, reboot, and post a fresh Hijack This log.
  • 0

#5
Travex

Travex

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
service pack installed :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 11:34:17 PM, on 5/11/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - {9F5F8043-C1DA-838E-06AA-BF32A5E98C65} - 34763.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [gabber] control64.exe
O4 - HKLM\..\Run: [FLKPT] ___.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [prcmon] TorontoMail.exe
O4 - HKCU\..\Run: [ATLIEHELPER] utsgmon.exe
O4 - HKCU\..\Run: [sound64] TForm1.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://gameguard1.le...Crypt/npkcx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F2B1004-38E4-43AD-9D3A-57B11C7E8E75}: NameServer = 69.50.176.156,195.225.176.31
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
  • 0

#6
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Travex - is this a different computer from last time you were here? Because it's not showing Service Pack 1 on your log...
  • 0

#7
Travex

Travex

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
Yes this is a different PC ...
  • 0

#8
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Ah, I see...

I need you to do this before I can help you:

*Please go http://www.howtotell.com(Microsoft website) using Internet Explorer ( not Firefox or any other browser as they won't work)
*Click on "Windows Validation Assistant"
*Click on the "Validate Now" button.
*Be patient while the ActiveX loads, do not click on any links.
*Read the instructions on this page while it's loading. You will be prompted to install - click YES.
*Enter your product key then click "continue"
*When it says "Validation Complete" please click "Continue to return to your previous activity"
*Highlight and Copy what it says and paste it here.

Edited by bananafanafo, 11 May 2005 - 10:17 AM.

  • 0

#9
Travex

Travex

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
im sorry ittook so long....

i did what u said...

when i clicked YES after validation

this appeared in the window

Thank you for running the Windows Validation Assistant. It appears that your Windows Product Key is valid.

This is a strong indicator that your operating system is genuine, however the Windows Validation Assistant cannot make a final determination.

thats it..
  • 0

#10
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Did you reboot after applying the Service Pack 1 before posting a HiJackThis log?

Edited by bananafanafo, 14 May 2005 - 09:16 AM.

  • 0

Advertisements


#11
Travex

Travex

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
i think i did...

but hir is another hijackthis log.. :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 10:59:50 PM, on 5/15/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\dmsadmins.exe
C:\WINDOWS\System32\qwinnta.exe
C:\WINDOWS\System32\sesmgr.exe
C:\Program Files\Gravity\RagnarokOnline\nyahahha\start.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - {9F5F8043-C1DA-838E-06AA-BF32A5E98C65} - 34763.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [gabber] control64.exe
O4 - HKLM\..\Run: [FLKPT] ___.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [prcmon] TorontoMail.exe
O4 - HKCU\..\Run: [ATLIEHELPER] utsgmon.exe
O4 - HKCU\..\Run: [sound64] TForm1.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://gameguard1.le...Crypt/npkcx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F2B1004-38E4-43AD-9D3A-57B11C7E8E75}: NameServer = 69.50.176.156,195.225.176.31
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
  • 0

#12
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Go to Start > Run - type:

sfc /scannow

Click OK

*Make sure there is a space between sfc and /

Let it scan through. When it's done, post a new HiJackThis log.

Edited by bananafanafo, 15 May 2005 - 10:39 AM.

  • 0

#13
Travex

Travex

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
;) :tazz: ;)

Logfile of HijackThis v1.99.1
Scan saved at 8:57:44 PM, on 5/16/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Gravity\RagnarokOnline\ragexe.exe
C:\WINDOWS\System32\dmsadmins.exe
C:\WINDOWS\System32\qwinnta.exe
C:\WINDOWS\System32\sesmgr.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - {9F5F8043-C1DA-838E-06AA-BF32A5E98C65} - 34763.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [gabber] control64.exe
O4 - HKLM\..\Run: [FLKPT] ___.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [prcmon] TorontoMail.exe
O4 - HKCU\..\Run: [ATLIEHELPER] utsgmon.exe
O4 - HKCU\..\Run: [sound64] TForm1.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://gameguard1.le...Crypt/npkcx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F2B1004-38E4-43AD-9D3A-57B11C7E8E75}: NameServer = 69.50.176.156,195.225.176.31
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
  • 0

#14
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
First, download, install, and run CleanUp! (so the scan won't take as long because cleanup will clear temporary files) *NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, backup it up or move it to a permanent folder prior to running Cleanup!

Please download ewido security suite
  • Install ewido security suite
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.

Once the updates are installed do the following:
  • Reboot into Safe Mode, you can do this by restarting your computer, then contiunally tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter. Then, run Ewido.
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
Reboot into normal mode.

Then, please run this online virus scan:
ActiveScan

Save the results from ActiveScan.

I need you to post the log from Ewido, the log from ActiveScan and a new HiJackThis log.

We will let Ewido kill the files in finds, then we will kill the files ActiveScan finds, then we will remove everything from your log that doesn't need to be there. :tazz:
  • 0

#15
Travex

Travex

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
Logfile of HijackThis v1.99.1[/B]Scan saved at 10:32:27 AM, on 5/17/2005 :tazz:
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Gravity\RagnarokOnline\ragexe.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - {9F5F8043-C1DA-838E-06AA-BF32A5E98C65} - 34763.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [gabber] control64.exe
O4 - HKLM\..\Run: [FLKPT] ___.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [prcmon] TorontoMail.exe
O4 - HKCU\..\Run: [ATLIEHELPER] utsgmon.exe
O4 - HKCU\..\Run: [sound64] TForm1.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://gameguard1.le...Crypt/npkcx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F2B1004-38E4-43AD-9D3A-57B11C7E8E75}: NameServer = 69.50.176.156,195.225.176.31
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Program Files\WinPoET Broadband Connection\WrOS.EXE

EwidoReport ;)
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:56:31 AM, 5/17/2005
+ Report-Checksum: 92D298F

+ Date of database: 5/17/2005
+ Version of scan engine: v3.0

+ Duration: 33 min
+ Scanned Files: 62920
+ Speed: 31.16 Files/Second
+ Infected files: 9
+ Removed files: 9
+ Files put in quarantine: 9
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\WINDOWS\system32\dmsadmins.exe -> Spyware.Msnagent.a -> Cleaned with backup
C:\WINDOWS\system32\dumpsprep.exe -> TrojanDropper.Small.xl -> Cleaned with backup
C:\WINDOWS\system32\dxiesft.dll -> Spyware.DXiesft -> Cleaned with backup
C:\WINDOWS\system32\ie2cltr.dll -> Spyware.SBSoft.h -> Cleaned with backup
C:\WINDOWS\system32\ipdnssec6.exe -> Trojan.DNSChanger.k -> Cleaned with backup
C:\WINDOWS\system32\mqspbkup.exe -> TrojanDropper.Agent.jd -> Cleaned with backup
C:\WINDOWS\system32\qwinnta.exe -> Spyware.Agent.db -> Cleaned with backup
C:\WINDOWS\system32\sesmgr.exe -> Spyware.Small.fl -> Cleaned with backup
C:\WINDOWS\system32\spmnh.dll -> Spyware.Hijacker.Generic -> Cleaned with backup


::Report End

Active Scan report ;)

Incident Status Location

Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\AdultGambling.url
Adware:Adware/GloboSearch No disinfected C:\Program Files\WareOut
Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\AdultGambling.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\Free Online Dating.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\[bleep] Real Girls.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\Kill Annoying Popups.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\Online Sex Poker Rooms.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\Play Adult-Poker.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\Remove Toolbars.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\Spyware Uninstall.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\Administrator\Favorites\XXX personal photos.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\AdultGambling.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Free Online Dating.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\[bleep] Real Girls.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Kill Annoying Popups.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Online Sex Poker Rooms.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Play Adult-Poker.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Remove Toolbars.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Spyware Uninstall.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\XXX personal photos.url
Spyware:Spyware/WareOut No disinfected C:\Program Files\WareOut\wocount.exe
Spyware:Spyware/WareOut No disinfected C:\WINDOWS\system32\minidrv.exe
Virus:Application/Restart No disinfected C:\WINDOWS\system32\Tools\Restart.exe
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP