Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Trojan Horse Infections Please Help Me[RESOLVED]


  • This topic is locked This topic is locked

#1
Corel

Corel

    New Member

  • Member
  • Pip
  • 9 posts
Hello,

I have been recommended to your site from a friend and I have looked over some of your forums. Others seem to be plagued by the same Trojan Horse virus' that I have and you have been able to help them.

I hope you will be able to do the same for me...this is a list of the virus' that are currently popping up:

Trojan Horse Startpage 19.J
Trojan Horse Downloader.Small.18.T
Trojan Horse Spyre.A (*this one is new and has only come up once so far)

I have also downloaded many of the programs and run them as you suggested in your start page but none have worked as of yet. I have downloaded HijackThis!! and do have a log page:

Logfile of HijackThis v1.99.1
Scan saved at 8:36:53 PM, on 5/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ps2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\System32\cmd32.exe
C:\WINDOWS\System32\winnook.exe
c:\windows\system32\ricwyhr.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9F44DE64-6C16-4086-AB10-67CB90189224} - C:\WINDOWS\System32\cmog.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE /partner AQ3
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [AntivirusGold] C:\Program Files\AntivirusGold\AntivirusGold.exe /h
O4 - HKLM\..\Run: [gokuvsr] c:\windows\system32\ricwyhr.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\winnook.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tga: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin7.dll
O16 - DPF: Blackjack by pogo - http://game1.pogo.co...k-ob-assets.cab
O16 - DPF: Checkers by pogo - http://game3.pogo.co...s-ob-assets.cab
O16 - DPF: Dice Derby by pogo - http://checkeredflag...g-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://game3.pogo.co...2-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: High Stakes Poker by pogo - http://game5.pogo.co...r-ob-assets.cab
O16 - DPF: High Stakes Pool by pogo - http://game1.pogo.co...l-ob-assets.cab
O16 - DPF: Jigsaw Detective by pogo - http://game3.pogo.co...w-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://game1.pogo.co...n-ob-assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.co...g-ob-assets.cab
O16 - DPF: Pai Gow by pogo - http://game3.pogo.co...w-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://game5.pogo.co...l-ob-assets.cab
O16 - DPF: Pebble Beach Golf by pogo - http://game4.pogo.co...e-ob-assets.cab
O16 - DPF: Pinochle by pogo - http://game4.pogo.co...e-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.co...u-ob-assets.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.co...2-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://game5.pogo.co...t-ob-assets.cab
O16 - DPF: Spades by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.co...r-ob-assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game4.pogo.co...m-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game4.pogo.co...s-ob-assets.cab
O16 - DPF: WordJong by pogo - http://game5.pogo.co...g-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://game4.pogo.co...s-ob-assets.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.s...og/y/ks12_x.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.co...pside_web18.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...Bridge-c139.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1102971570984
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} - http://hoylegames.si...cherControl.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playweb10.pog...aploader_v6.cab
O18 - Filter: text/html - {3360DC61-0002-4328-95F0-8005B3C2DFA4} - C:\WINDOWS\System32\cmog.dll
O18 - Filter: text/plain - {3360DC61-0002-4328-95F0-8005B3C2DFA4} - C:\WINDOWS\System32\cmog.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


I hope that you can help me as I work and earn a living from home on my computer. I understand that all of your time is voluntary and I do appreciate any help anyone may be able to give me.

Thank you very much,

Corel Hart
Manteno, IL

P.S. I am not as computer literate as i probably should be, so please speak loudly and slowly. :tazz:

Edited by Corel, 27 May 2005 - 07:50 PM.

  • 0

Advertisements


#2
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Hi Corel and welcome to GTG.

We would be glad to help you. The instructions we provide should be very easy to follow. :tazz:

OK, can you give me the whole HijackThis log? You cut off the bottom part.
  • 0

#3
Corel

Corel

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Hi there and thanks for the really fast reply...

I noticed that i cut off the bottom part and edited my first message so it should show up now.

Told ya i'm not that computer literate :tazz:
  • 0

#4
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
:tazz: You're doing great ;)

OK, you have multiple infections here. I will try to cover all of them at once. Take your time and follow through the instructions in the exact order listed here.

Please print out the instructions here (or save it in Notepad) so that you can follow along more easily.

Download CWShredder http://www.greyknigh.../CWShredder.exe

Right click a blank part of your desktop & select New->Folder. Call it SPFix. Go to http://www.derbilk.de/404.html and download SpSeHjfix. Get the one that's specified for your Operating System. So if you have Windows 98, get the one that's listed for Windows 98.

Disconnect from the net and close all programs. Run SpSeHjfix and click on 'Start Disinfection'. When it's finished it will reboot your machine to finish the cleaning process. The tool creates a log of the fix which will appear in the folder.

If it doesn't find any of the SE files or any hidden reinstallers it will say system clean and not go on to next stage.

Now run the CWShredder and hit the Fix button.


Download Ewido Security Suite at http://www.ewido.net/en/download/ and install it. Update to the newest definitions. Do NOT run it yet.

Please download nailfix at http://users.pandora...chy/nailfix.zip (for Windows XP) or http://users.pandora...y/nailfix2k.zip (for Windows 2000) Unzip it to the desktop but do NOT run it yet.

Reboot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Once in Safe Mode, please double-click on nailfix.cmd (or nailfix2k.bat if you have Windows 2000). Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Next run a full scan in Ewido. Post the log from the Ewido scan here.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {9F44DE64-6C16-4086-AB10-67CB90189224} - C:\WINDOWS\System32\cmog.dll
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [AntivirusGold] C:\Program Files\AntivirusGold\AntivirusGold.exe /h
O4 - HKLM\..\Run: [gokuvsr] c:\windows\system32\ricwyhr.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\winnook.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...Bridge-c139.cab
O18 - Filter: text/html - {3360DC61-0002-4328-95F0-8005B3C2DFA4} - C:\WINDOWS\System32\cmog.dll
O18 - Filter: text/plain - {3360DC61-0002-4328-95F0-8005B3C2DFA4} - C:\WINDOWS\System32\cmog.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


Close all open windows except for HijackThis and click Fix Checked.

I couldn't find much information on AntivirusGold, so I recommend uninstalling that program from the Add/Remove panel.

Delete these if found:

C:\WINDOWS\isrvs\
C:\WINDOWS\System32\cmd32.exe
C:\WINDOWS\System32\winnook.exe
c:\windows\system32\ricwyhr.exe
C:\WINDOWS\Nail.exe
C:\WINDOWS\System32\cmog.dll
C:\Program Files\AntivirusGold\
C:\WINDOWS\svcproc.exe


Restart your computer in normal mode and post a new HijackThis log, as well as the log from the Ewido scan. Also give me the SpSeHjfix log that you had earlier.

Download FindIt's.zip to your desktop: http://forums.net-in...=post&id=142443

1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder. Double click on FindIt's.bat and wait for Notepad to open a text file. It will take a while so please be patient ...
3. Then post the results here.
  • 0

#5
Corel

Corel

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
OMIGOD!!! You are totally awesome....I relogged after doing all that stuff and i'm CURED!!

Here's the logs you asked for:

HJT:
Logfile of HijackThis v1.99.1
Scan saved at 11:49:09 PM, on 5/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE /partner AQ3
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tga: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin7.dll
O16 - DPF: Blackjack by pogo - http://game1.pogo.co...k-ob-assets.cab
O16 - DPF: Checkers by pogo - http://game3.pogo.co...s-ob-assets.cab
O16 - DPF: Dice Derby by pogo - http://checkeredflag...g-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://game3.pogo.co...2-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: High Stakes Poker by pogo - http://game5.pogo.co...r-ob-assets.cab
O16 - DPF: High Stakes Pool by pogo - http://game1.pogo.co...l-ob-assets.cab
O16 - DPF: Jigsaw Detective by pogo - http://game3.pogo.co...w-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://game1.pogo.co...n-ob-assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.co...g-ob-assets.cab
O16 - DPF: Pai Gow by pogo - http://game3.pogo.co...w-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://game5.pogo.co...l-ob-assets.cab
O16 - DPF: Pebble Beach Golf by pogo - http://game4.pogo.co...e-ob-assets.cab
O16 - DPF: Pinochle by pogo - http://game4.pogo.co...e-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.co...u-ob-assets.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.co...2-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://game5.pogo.co...t-ob-assets.cab
O16 - DPF: Spades by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.co...r-ob-assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game4.pogo.co...m-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game4.pogo.co...s-ob-assets.cab
O16 - DPF: WordJong by pogo - http://game5.pogo.co...g-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://game4.pogo.co...s-ob-assets.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.s...og/y/ks12_x.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.co...pside_web18.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1102971570984
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} - http://hoylegames.si...cherControl.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playweb10.pog...aploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE

EWIDO:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:41:54 PM, 5/27/2005
+ Report-Checksum: 932BD9A3

+ Date of database: 5/28/2005
+ Version of scan engine: v3.0

+ Duration: 142 min
+ Scanned Files: 288354
+ Speed: 33.83 Files/Second
+ Infected files: 90
+ Removed files: 46
+ Files put in quarantine: 46
+ Files that could not be opened: 0
+ Files that could not be cleaned: 44

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
E:\
C:\
E:\

+ Scan result:
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Cookies\owner@a.websponsors[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Cookies\owner@perf.overture[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Cookies\owner@p[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Cookies\owner@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Local Settings\Temp\B73320921\build3.exe -> Spyware.Isearch -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Local Settings\Temp\ffmc.exe -> Trojan.TopAntiSpyware.l -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Local Settings\Temp\gkph.exe -> Trojan.TopAntiSpyware.l -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Local Settings\Temp\hcmc.exe -> Trojan.TopAntiSpyware.l -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Local Settings\Temp\lahi.exe -> Trojan.TopAntiSpyware.l -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Local Settings\Temp\negi.exe -> Trojan.TopAntiSpyware.l -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Local Settings\Temp\nlal.exe -> Trojan.TopAntiSpyware.l -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Local Settings\Temp\temp.fr412D -> Spyware.WinAD.ag -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Local Settings\Temp\temp.fr514E -> Trojan.Agent.db -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Local Settings\Temp\temp.frBAA5\MediaAccess.exe -> Spyware.WinAD.am -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Local Settings\Temporary Internet Files\Content.IE5\4TIVK9AZ\Nail[1].exe -> Trojan.Nail -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Local Settings\Temporary Internet Files\Content.IE5\4TIVK9AZ\Poller[1].exe -> Trojan.Agent.cp -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Local Settings\Temporary Internet Files\Content.IE5\C1MRWXYR\aurora[1].exe -> Spyware.BetterInternet.c -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Local Settings\Temporary Internet Files\Content.IE5\C1MRWXYR\desktop[2].exe -> TrojanDownloader.Small.awd -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Local Settings\Temporary Internet Files\Content.IE5\C1MRWXYR\toolbar[1].exe -> Spyware.ISearch.d -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Local Settings\Temporary Internet Files\Content.IE5\ISBCDEF7\svcproc[1].exe -> Trojan.Stervis.c -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Local Settings\Temporary Internet Files\Content.IE5\WXABOP2R\DrPMon[1].dll -> Trojan.Agent.db -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Local Settings\Temporary Internet Files\Content.IE5\WXABOP2R\on-line[1].exe -> TrojanDownloader.Small.aut -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1101.dll -> Spyware.Gator -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\popcaploader.dll -> Not-A-Virus.PornWare.PopCap.b -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\WONWebLauncherControl.ocx -> Spyware.OTXMedia -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\YSBactivex.dll -> TrojanDownloader.IstBar -> Cleaned with backup
C:\WINDOWS\iGator\Trickler3103_PIC_fs_DMPT.exe -> Spyware.Gator.3103 -> Cleaned with backup
C:\WINDOWS\iLookup\TTIL.exe -> Spyware.EZula.a -> Cleaned with backup
C:\WINDOWS\isrvs\delprot.sys -> Trojan.Delprot.a -> Cleaned with backup
C:\WINDOWS\isrvs\desktop.exe -> Spyware.ISearch.d -> Cleaned with backup
C:\WINDOWS\isrvs\edmond.exe -> Trojan.Isearch -> Cleaned with backup
C:\WINDOWS\isrvs\ffisearch.exe -> Spyware.Isearch -> Cleaned with backup
C:\WINDOWS\isrvs\isearch.xpi/chrome/isearch.jar/content/isearch/isearch.js -> Spyware.ISearch.e -> Cleaned with backup
C:\WINDOWS\isrvs\mfiltis.dll -> Spyware.ISearch.d -> Cleaned with backup
C:\WINDOWS\isrvs\msdbhk.dll -> Spyware.Isearch.a -> Cleaned with backup
C:\WINDOWS\isrvs\sysupd.dll -> TrojanDownloader.Ieser.a -> Cleaned with backup
C:\WINDOWS\NDNuninstall5_48.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\WINDOWS\NDNuninstall6_30.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\WINDOWS\NDNuninstall6_38.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\WINDOWS\rzkgzorttcr.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\system32\drivers\delprot.sys -> Trojan.Delprot.a -> Cleaned with backup
C:\WINDOWS\system32\intronsad.exe -> Spyware.Delf.bz -> Cleaned with backup
C:\WINDOWS\system32\tierdn.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\system32\winnook.exe -> Trojan.TopAntiSpyware.l -> Cleaned with backup
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Cookies\owner@a.websponsors[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Cookies\owner@perf.overture[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Cookies\owner@p[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Cookies\owner@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Local Settings\Temp\B73320921\build3.exe -> Spyware.Isearch -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Local Settings\Temp\ffmc.exe -> Trojan.TopAntiSpyware.l -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Local Settings\Temp\gkph.exe -> Trojan.TopAntiSpyware.l -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Local Settings\Temp\hcmc.exe -> Trojan.TopAntiSpyware.l -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Local Settings\Temp\lahi.exe -> Trojan.TopAntiSpyware.l -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Local Settings\Temp\negi.exe -> Trojan.TopAntiSpyware.l -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Local Settings\Temp\nlal.exe -> Trojan.TopAntiSpyware.l -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Local Settings\Temp\temp.fr412D -> Spyware.WinAD.ag -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Local Settings\Temp\temp.fr514E -> Trojan.Agent.db -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Local Settings\Temp\temp.frBAA5\MediaAccess.exe -> Spyware.WinAD.am -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Local Settings\Temporary Internet Files\Content.IE5\4TIVK9AZ\Nail[1].exe -> Trojan.Nail -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Local Settings\Temporary Internet Files\Content.IE5\4TIVK9AZ\Poller[1].exe -> Trojan.Agent.cp -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Local Settings\Temporary Internet Files\Content.IE5\C1MRWXYR\aurora[1].exe -> Spyware.BetterInternet.c -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Local Settings\Temporary Internet Files\Content.IE5\C1MRWXYR\desktop[2].exe -> TrojanDownloader.Small.awd -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Local Settings\Temporary Internet Files\Content.IE5\C1MRWXYR\toolbar[1].exe -> Spyware.ISearch.d -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Local Settings\Temporary Internet Files\Content.IE5\ISBCDEF7\svcproc[1].exe -> Trojan.Stervis.c -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Local Settings\Temporary Internet Files\Content.IE5\WXABOP2R\DrPMon[1].dll -> Trojan.Agent.db -> Error during cleaning
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Local Settings\Temporary Internet Files\Content.IE5\WXABOP2R\on-line[1].exe -> TrojanDownloader.Small.aut -> Error during cleaning
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1101.dll -> Spyware.Gator -> Error during cleaning
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\popcaploader.dll -> Not-A-Virus.PornWare.PopCap.b -> Error during cleaning
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Spyware.Hijacker.Generic -> Error during cleaning
C:\WINDOWS\Downloaded Program Files\WONWebLauncherControl.ocx -> Spyware.OTXMedia -> Error during cleaning
C:\WINDOWS\Downloaded Program Files\YSBactivex.dll -> TrojanDownloader.IstBar -> Error during cleaning
C:\WINDOWS\iGator\Trickler3103_PIC_fs_DMPT.exe -> Spyware.Gator.3103 -> Error during cleaning
C:\WINDOWS\iLookup\TTIL.exe -> Spyware.EZula.a -> Error during cleaning
C:\WINDOWS\isrvs\delprot.sys -> Trojan.Delprot.a -> Error during cleaning
C:\WINDOWS\isrvs\desktop.exe -> Spyware.ISearch.d -> Error during cleaning
C:\WINDOWS\isrvs\edmond.exe -> Trojan.Isearch -> Error during cleaning
C:\WINDOWS\isrvs\ffisearch.exe -> Spyware.Isearch -> Error during cleaning
C:\WINDOWS\isrvs\isearch.xpi/chrome/isearch.jar/content/isearch/isearch.js -> Spyware.ISearch.e -> Cleaned with backup
C:\WINDOWS\isrvs\mfiltis.dll -> Spyware.ISearch.d -> Error during cleaning
C:\WINDOWS\isrvs\msdbhk.dll -> Spyware.Isearch.a -> Error during cleaning
C:\WINDOWS\isrvs\sysupd.dll -> TrojanDownloader.Ieser.a -> Error during cleaning
C:\WINDOWS\NDNuninstall5_48.exe -> Spyware.NewDotNet -> Error during cleaning
C:\WINDOWS\NDNuninstall6_30.exe -> Spyware.NewDotNet -> Error during cleaning
C:\WINDOWS\NDNuninstall6_38.exe -> Spyware.NewDotNet -> Error during cleaning
C:\WINDOWS\rzkgzorttcr.exe -> Spyware.BetterInternet -> Error during cleaning
C:\WINDOWS\system32\drivers\delprot.sys -> Trojan.Delprot.a -> Error during cleaning
C:\WINDOWS\system32\intronsad.exe -> Spyware.Delf.bz -> Error during cleaning
C:\WINDOWS\system32\tierdn.exe -> Trojan.Agent.cp -> Error during cleaning
C:\WINDOWS\system32\winnook.exe -> Trojan.TopAntiSpyware.l -> Error during cleaning


::Report End

SPSeHjFix:


(5/27/05 9:05:22 PM) SPSeHjFix started v1.1.2
(5/27/05 9:05:22 PM) OS: WinXP Service Pack 1 (5.1.2600)
(5/27/05 9:05:22 PM) Language: english
(5/27/05 9:05:22 PM) Win-Path: C:\WINDOWS
(5/27/05 9:05:22 PM) System-Path: C:\WINDOWS\System32
(5/27/05 9:05:22 PM) Temp-Path: C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\
(5/27/05 9:05:25 PM) Disinfection started
(5/27/05 9:05:25 PM) Bad-Dll(IEP): c:\docume~1\owner~1.you\locals~1\temp\se.dll
(5/27/05 9:05:25 PM) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\System32\cmog.dll
(5/27/05 9:05:25 PM) Searchassistant Uninstaller - Keys Deleted
(5/27/05 9:05:25 PM) UBF: 9 - UBB: 3 - UBR: 28
(5/27/05 9:05:25 PM) FilterKey: HKCR\text/html (deleted)
(5/27/05 9:05:25 PM) FilterKey: HKCR\CLSID\{3360DC61-0002-4328-95F0-8005B3C2DFA4} (deleted)
(5/27/05 9:05:25 PM) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(5/27/05 9:05:25 PM) FilterKey: HKCR\text/plain (deleted)
(5/27/05 9:05:25 PM) FilterKey: HKCR\CLSID\{3360DC61-0002-4328-95F0-8005B3C2DFA4} (error while deleting)
(5/27/05 9:05:25 PM) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(5/27/05 9:05:25 PM) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9F44DE64-6C16-4086-AB10-67CB90189224} (deleted)
(5/27/05 9:05:25 PM) BHO-Key: HKCR\CLSID\{9F44DE64-6C16-4086-AB10-67CB90189224} (deleted)
(5/27/05 9:05:25 PM) UBF: 7 - UBB: 2 - UBR: 28
(5/27/05 9:05:25 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\owner~1.you\locals~1\temp\se.dll/spage.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\owner~1.you\locals~1\temp\se.dll/spage.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(5/27/05 9:05:25 PM) Stealth-String not found
(5/27/05 9:05:25 PM) File added to delete: c:\windows\system32\cmog.dll
(5/27/05 9:05:25 PM) Reboot


(5/27/05 9:06:49 PM) SPSeHjFix started v1.1.2
(5/27/05 9:06:49 PM) OS: WinXP Service Pack 1 (5.1.2600)
(5/27/05 9:06:49 PM) Language: english
(5/27/05 9:06:49 PM) Win-Path: C:\WINDOWS
(5/27/05 9:06:49 PM) System-Path: C:\WINDOWS\System32
(5/27/05 9:06:49 PM) Temp-Path: C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\


Thanks so much for your help and I swear that as soon as I have a few pennies to rub together i'm sending a donation.

I do have one last question. What can I uninstall of everything that i just installed? I won't do anything until I have your OK.

Corel :tazz:
  • 0

#6
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Where's the FindIt's log? Just need to have a quick look at that log and you should be good to go if it doesn't show anything bad.

Your log is clean.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupd...t.aspx?ln=en-us.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

To answer your question, you may uninstall Ewido if you don't want it. Ewido will not cause any conflicts with AVG according to their site. You may delete CWShredder and SpSeHjFix.

So just post me that FindIt's log and I'll take a quick look at it.
  • 0

#7
Corel

Corel

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Oh yeah I did forget about that. I went to the site that you gave me to DL Findit and it didn't work.

It took me to a page that said it didn't exist.
  • 0

#8
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Hmm, must have been down intermittently. Another user reported the same thing. Well, I checked it just now again and it works.

Try to download it again. Just need a quick look at that log. But any problems so far?
  • 0

#9
Corel

Corel

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
No problems that I can see...thanks to you :tazz:

I'll go back to that site and get you the log real quick.
  • 0

#10
Corel

Corel

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
I'm having problems running this find it thing. When i unzip to a folder i get three different things...

Find It's MS-DOS Batch File
XFIND MS-DOS Application
WINREG

I tried to run the batch file and i get this message:

16 bit MS-DOS Subsystem:

C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the applictation.

Then i have Close or Ignore to choose from.
  • 0

Advertisements


#11
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Do this:

copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now try running FindIt's.
  • 0

#12
Corel

Corel

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Okay, that appeared to work... here's the log:


Microsoft Windows XP [Version 5.1.2600]
The current date is: Tue 05/31/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINDOWS\System32\CMD32.EXE
* UPX! C:\WINDOWS\TSC.EXE

»»»»» lagitamate file's can/will show in this section.

* UPX! C:\WINDOWS\System32\SHAGEN~1.DLL
* UPX! C:\WINDOWS\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

* SAHAgent C:\WINDOWS\System32\70TOVMTO.INI
* SAHAgent C:\WINDOWS\System32\BLN02NQV.INI
* SAHAgent C:\WINDOWS\System32\GAH95ON6.INI
»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C is PRESARIO
Volume Serial Number is A88F-30AB

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C is PRESARIO
Volume Serial Number is A88F-30AB

Directory of C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»».

HKEY_CURRENT_USER\Software\ceres\CSI4d3OfSDist
HKEY_CLASSES_ROOT\mfiltis\Date
HKEY_CLASSES_ROOT\mfiltis\Excl
HKEY_CLASSES_ROOT\mfiltis\Sites
  • 0

#13
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to:

HKEY_CURRENT_USER\Software\ and delete ceres
HKEY_CLASSES_ROOT\ and delete mfiltis

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\WINDOWS\System32\CMD32.EXE
C:\WINDOWS\System32\SHAGEN~1.DLL
C:\WINDOWS\System32\70TOVMTO.INI
C:\WINDOWS\System32\BLN02NQV.INI
C:\WINDOWS\System32\GAH95ON6.INI

Restart and post a new HijackThis and FindIt's log.
  • 0

#14
Corel

Corel

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Ok here's those logs:

Findit:


Microsoft Windows XP [Version 5.1.2600]
The current date is: Wed 06/01/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINDOWS\TSC.EXE

»»»»» lagitamate file's can/will show in this section.

* UPX! C:\WINDOWS\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C is PRESARIO
Volume Serial Number is A88F-30AB

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C is PRESARIO
Volume Serial Number is A88F-30AB

Directory of C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»».


HJT:

Logfile of HijackThis v1.99.1
Scan saved at 10:12:23 AM, on 6/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ps2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Documents and Settings\Owner.YOUR-KYBTG65GXE\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE /partner AQ3
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tga: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin7.dll
O16 - DPF: Blackjack by pogo - http://game1.pogo.co...k-ob-assets.cab
O16 - DPF: Checkers by pogo - http://game3.pogo.co...s-ob-assets.cab
O16 - DPF: Dice Derby by pogo - http://checkeredflag...g-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://game3.pogo.co...2-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: High Stakes Poker by pogo - http://game5.pogo.co...r-ob-assets.cab
O16 - DPF: High Stakes Pool by pogo - http://game1.pogo.co...l-ob-assets.cab
O16 - DPF: Jigsaw Detective by pogo - http://game3.pogo.co...w-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://game1.pogo.co...n-ob-assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.co...g-ob-assets.cab
O16 - DPF: Pai Gow by pogo - http://game3.pogo.co...w-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://game5.pogo.co...l-ob-assets.cab
O16 - DPF: Pebble Beach Golf by pogo - http://game4.pogo.co...e-ob-assets.cab
O16 - DPF: Pinochle by pogo - http://game4.pogo.co...e-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.co...u-ob-assets.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.co...2-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://game5.pogo.co...t-ob-assets.cab
O16 - DPF: Spades by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.co...r-ob-assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game4.pogo.co...m-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game4.pogo.co...s-ob-assets.cab
O16 - DPF: WordJong by pogo - http://game5.pogo.co...g-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://game4.pogo.co...s-ob-assets.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.s...og/y/ks12_x.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.co...pside_web18.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1102971570984
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} - http://hoylegames.si...cherControl.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playweb10.pog...aploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE

Thanks again for all your help.
  • 0

#15
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Your log is clean.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupd...t.aspx?ln=en-us.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP