This topic is lockedCompiled AutoIt Script
Third-party compiled AutoIt script. For details visit http://www.hiddensoft.com/AutoIt/
2.64.0.0
epsuninst.exe
e-PocketSetup Uninstaller
3.3.0.1
Copyright © 2002 Marcelo Bona Boff
I've never heard of it...
Hijack This Log [RESOLVED]
Started by
elliotc02
, May 30 2005 11:25 PM
#31
Posted 08 June 2005 - 07:51 PM
elliotc02
- Topic Starter
-
- Member
-
- 34 posts
Member
Compiled AutoIt Script
Third-party compiled AutoIt script. For details visit http://www.hiddensoft.com/AutoIt/
2.64.0.0
epsuninst.exe
e-PocketSetup Uninstaller
3.3.0.1
Copyright © 2002 Marcelo Bona Boff
I've never heard of it...
#32
Posted 08 June 2005 - 10:14 PM
Michelle
-
- Retired Staff
-
- 8,928 posts
Malware Removal Goddess
Does this sound familiar at all?
Software Publisher's Description
e-PocketSetup is the new generation of Windows/Windows NT, Windows CE devices and Palm OS devices setup generator. You have a full control of the setup program, creating your own setup dialogs, changing the setup actions, designing your background window. Version 3.6 adds support for Windows Mobile 2003 devices, including Pocket PC 2003.
It isn't malicious so it's nothing to worry about.
Let me see if I can find anything out about that other one.
Software Publisher's Description
e-PocketSetup is the new generation of Windows/Windows NT, Windows CE devices and Palm OS devices setup generator. You have a full control of the setup program, creating your own setup dialogs, changing the setup actions, designing your background window. Version 3.6 adds support for Windows Mobile 2003 devices, including Pocket PC 2003.
It isn't malicious so it's nothing to worry about.
Let me see if I can find anything out about that other one.
#33
Posted 08 June 2005 - 10:43 PM
elliotc02
- Topic Starter
-
- Member
-
- 34 posts
Member
Hmm...might have installed it a LONG time ago...I don't use it now that's for sure...I was wondering about the lsass.exe program crashing randomly...I forces a reset on my computer and it's super annoying!! Thanks again for your extensive help banana, I really appreciate it!
#34
Posted 08 June 2005 - 10:46 PM
Michelle
-
- Retired Staff
-
- 8,928 posts
Malware Removal Goddess
Post another HiJackThis log for me please.
We are going to remove optional items from startup, then we are going to use a registry cleaner to see if that helps anything.
We are going to remove optional items from startup, then we are going to use a registry cleaner to see if that helps anything.
#35
Posted 08 June 2005 - 11:01 PM
Michelle
-
- Retired Staff
-
- 8,928 posts
Malware Removal Goddess
Oops wrong topic 
Edited by bananafanafo, 08 June 2005 - 11:02 PM.
#36
Posted 08 June 2005 - 11:45 PM
Michelle
-
- Retired Staff
-
- 8,928 posts
Malware Removal Goddess
Ok, I have no clue what this browser.exe is so, this is what we're going to do:
Upload it to see if it appears to be a virus threat.
Go here:
http://www.kaspersky.com/scanforvirus
click the "browse" button, then locate C:\Windows\browser.exe and click submit. Let me know what it says.
Upload it to see if it appears to be a virus threat.
Go here:
http://www.kaspersky.com/scanforvirus
click the "browse" button, then locate C:\Windows\browser.exe and click submit. Let me know what it says.
Edited by bananafanafo, 08 June 2005 - 11:49 PM.
#37
Posted 09 June 2005 - 05:18 PM
elliotc02
- Topic Starter
-
- Member
-
- 34 posts
Member
You're clean!
Kaspersky Anti-Virus has not detected any viruses at this time in the file you submitted.
However, only a fully-functional antivirus solution with regularly updated virus definitions can ensure comprehensive protection against malware. If you do not have an antivirus solution installed, you may wish to consider purchasing one today.
* Download a trial version of Kaspersky Anti-Virus
* Purchase Kaspersky Anti-Virus in our E-Store
* Purchase Kaspersky Anti-Virus from a certified partner
Scanned file: browser.exe
browser.exe - OK
Kaspersky Anti-Virus has not detected any viruses at this time in the file you submitted.
However, only a fully-functional antivirus solution with regularly updated virus definitions can ensure comprehensive protection against malware. If you do not have an antivirus solution installed, you may wish to consider purchasing one today.
* Download a trial version of Kaspersky Anti-Virus
* Purchase Kaspersky Anti-Virus in our E-Store
* Purchase Kaspersky Anti-Virus from a certified partner
Scanned file: browser.exe
browser.exe - OK
#38
Posted 09 June 2005 - 06:20 PM
Michelle
-
- Retired Staff
-
- 8,928 posts
Malware Removal Goddess
Please post another HijackThis log please so we can remove optional items from startup.
#39
Posted 10 June 2005 - 04:54 AM
elliotc02
- Topic Starter
-
- Member
-
- 34 posts
Member
Logfile of HijackThis v1.99.1
Scan saved at 3:54:53 AM, on 6/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\palmOne\Hotsync.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\wkssvc.exe
C:\WINDOWS\System32\ntsubsys.exe
C:\Program Files\PokerStars.NET\PokerStars.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\ElliotChi\Desktop\HiJack\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
O4 - HKLM\..\Run: [CASpeed] "C:\Program Files\Cable e ADSL Speed\NtwCA.exe" /HIDE
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\System32\dxdllreg.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBC Self Support Tool\SmartBridge\MotiveSB.exe
O4 - HKLM\..\Run: [TangoManager] C:\Program Files\Covad\Covad DSL\app\TangoManager.exe
O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [DiskCheck] "C:\WINDOWS\msdarkend.exe"
O4 - HKLM\..\Run: [Messenger] C:\WINDOWS\System32\ntsubsys.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [Tweak-XP] C:\Program Files\Tweak-XP\Tweak-xp.exe -ex
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\RunOnce: [BullguardoptIn] C:\WINDOWS\Temp\BullGuard\bulldownload.exe
O4 - HKCU\..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe /Fixups
O4 - HKCU\..\RunOnce: [RunPalmPIL] "C:\Program Files\palmOne\pil.exe"
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://files.member....c/yinsthdlk.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Scan saved at 3:54:53 AM, on 6/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\palmOne\Hotsync.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\wkssvc.exe
C:\WINDOWS\System32\ntsubsys.exe
C:\Program Files\PokerStars.NET\PokerStars.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\ElliotChi\Desktop\HiJack\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
O4 - HKLM\..\Run: [CASpeed] "C:\Program Files\Cable e ADSL Speed\NtwCA.exe" /HIDE
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\System32\dxdllreg.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBC Self Support Tool\SmartBridge\MotiveSB.exe
O4 - HKLM\..\Run: [TangoManager] C:\Program Files\Covad\Covad DSL\app\TangoManager.exe
O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [DiskCheck] "C:\WINDOWS\msdarkend.exe"
O4 - HKLM\..\Run: [Messenger] C:\WINDOWS\System32\ntsubsys.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [Tweak-XP] C:\Program Files\Tweak-XP\Tweak-xp.exe -ex
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\RunOnce: [BullguardoptIn] C:\WINDOWS\Temp\BullGuard\bulldownload.exe
O4 - HKCU\..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe /Fixups
O4 - HKCU\..\RunOnce: [RunPalmPIL] "C:\Program Files\palmOne\pil.exe"
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://files.member....c/yinsthdlk.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
#40
Posted 10 June 2005 - 10:25 AM
Michelle
-
- Retired Staff
-
- 8,928 posts
Malware Removal Goddess
You are re-infected with the worm (slightly different version). Please try avoid surfing the internet as much possible while we're trying to get rid of it otherwise it will get worse.
* Run Killbox.exe.
* Select "Delete on Reboot".
* Copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C
C:\WINDOWS\wkssvc.exe
C:\WINDOWS\msdarkend.exe
C:\WINDOWS\System32\ntsubsys.exe
* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt. If your computer does not restart automatically, please restart it manually.
Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the below service:
Workstation Service Library
When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok.
Run HiJackThis. Click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service" a window will pop up. Enter the below item into that field (copy and paste):
Microsoft Locator Service
Click ok.
It should pull up information about the service, when it asks if you want to reboot now click YES.
After reboot, run HiJackThis. Place a check next to the following items and click FIX CHECKED:
O4 - HKLM\..\Run: [DiskCheck] "C:\WINDOWS\msdarkend.exe"
O4 - HKLM\..\Run: [Messenger] C:\WINDOWS\System32\ntsubsys.exe
Post a new HiJackThis log.
* Run Killbox.exe.
* Select "Delete on Reboot".
* Copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C
C:\WINDOWS\wkssvc.exe
C:\WINDOWS\msdarkend.exe
C:\WINDOWS\System32\ntsubsys.exe
* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt. If your computer does not restart automatically, please restart it manually.
Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the below service:
Workstation Service Library
When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok.
Run HiJackThis. Click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service" a window will pop up. Enter the below item into that field (copy and paste):
Microsoft Locator Service
Click ok.
It should pull up information about the service, when it asks if you want to reboot now click YES.
After reboot, run HiJackThis. Place a check next to the following items and click FIX CHECKED:
O4 - HKLM\..\Run: [DiskCheck] "C:\WINDOWS\msdarkend.exe"
O4 - HKLM\..\Run: [Messenger] C:\WINDOWS\System32\ntsubsys.exe
Post a new HiJackThis log.
#41
Posted 10 June 2005 - 12:43 PM
elliotc02
- Topic Starter
-
- Member
-
- 34 posts
Member
Logfile of HijackThis v1.99.1
Scan saved at 11:42:49 AM, on 6/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\palmOne\Hotsync.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\ElliotChi\Desktop\HiJack\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
O4 - HKLM\..\Run: [CASpeed] "C:\Program Files\Cable e ADSL Speed\NtwCA.exe" /HIDE
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\System32\dxdllreg.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBC Self Support Tool\SmartBridge\MotiveSB.exe
O4 - HKLM\..\Run: [TangoManager] C:\Program Files\Covad\Covad DSL\app\TangoManager.exe
O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [Tweak-XP] C:\Program Files\Tweak-XP\Tweak-xp.exe -ex
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\RunOnce: [BullguardoptIn] C:\WINDOWS\Temp\BullGuard\bulldownload.exe
O4 - HKCU\..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe /Fixups
O4 - HKCU\..\RunOnce: [RunPalmPIL] "C:\Program Files\palmOne\pil.exe"
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://files.member....c/yinsthdlk.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Scan saved at 11:42:49 AM, on 6/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\palmOne\Hotsync.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\ElliotChi\Desktop\HiJack\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
O4 - HKLM\..\Run: [CASpeed] "C:\Program Files\Cable e ADSL Speed\NtwCA.exe" /HIDE
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\System32\dxdllreg.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBC Self Support Tool\SmartBridge\MotiveSB.exe
O4 - HKLM\..\Run: [TangoManager] C:\Program Files\Covad\Covad DSL\app\TangoManager.exe
O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [Tweak-XP] C:\Program Files\Tweak-XP\Tweak-xp.exe -ex
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\RunOnce: [BullguardoptIn] C:\WINDOWS\Temp\BullGuard\bulldownload.exe
O4 - HKCU\..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe /Fixups
O4 - HKCU\..\RunOnce: [RunPalmPIL] "C:\Program Files\palmOne\pil.exe"
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://files.member....c/yinsthdlk.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
#42
Posted 10 June 2005 - 01:05 PM
Michelle
-
- Retired Staff
-
- 8,928 posts
Malware Removal Goddess
We need to do this again:
Please follow all instructions exactly as specified. I would advise printing them out so you're sure to follow all instructions.
Copy the below instructions (until you get to the purple text). Paste them into notepad and save it for use while in Safe Mode. This is important because it has to be done exactly in order for this to work
I need you to reboot into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. use your up arrow key to highlight Safe Mode, then hit enter.
After getting into Safe Mode, Go to Start > Run type in:
cmd
Click OK.
A black window will open up.
Copy the below line, exactly, and paste it into the black window:
attrib -h -r -s C:\WINDOWS\system32\rdriv.sys
Hit Enter.
When it goes to the next line, copy the below line, exactly, and paste it into the black window:
del C:\WINDOWS\system32\rdriv.sys
Hit Enter.
Then type exit
[END OF INSTRUCTIONS TO COPY FOR SAFE MODE]
Reboot into normal mode.
RIGHT-CLICK HERE and Save As (in Internet Explorer, it's "Save Target As") in order to download the fixrdriv.reg file. Save it to your deskop.
Locate fixrdriv.reg on your Desktop and double-click on it. When it asks if you want to merge with the registry, click YES.
After the "merged successfully" prompt, please do the following:
* Download the Killbox by Option^Explicit.
* Save it to your desktop.
* Run Killbox.exe.
* Select "Delete on Reboot".
* Copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C
C:\WINDOWS\system32\rdriv.sys
C:\WINDOWS\ItunesMusic.exe
C:\WINDOWS\wkssvc.exe
* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the "PendingRenameOperation" prompt. If your computer does not restart automatically, please restart it manually.
While it's restarting, contiunally tap F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.
In Safe Mode, Run CleanUp!
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
I need you to post the log from Ewido, and a new HiJackThis log into this topic.
Please follow all instructions exactly as specified. I would advise printing them out so you're sure to follow all instructions.
Copy the below instructions (until you get to the purple text). Paste them into notepad and save it for use while in Safe Mode. This is important because it has to be done exactly in order for this to work
I need you to reboot into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. use your up arrow key to highlight Safe Mode, then hit enter.
After getting into Safe Mode, Go to Start > Run type in:
cmd
Click OK.
A black window will open up.
Copy the below line, exactly, and paste it into the black window:
attrib -h -r -s C:\WINDOWS\system32\rdriv.sys
Hit Enter.
When it goes to the next line, copy the below line, exactly, and paste it into the black window:
del C:\WINDOWS\system32\rdriv.sys
Hit Enter.
Then type exit
[END OF INSTRUCTIONS TO COPY FOR SAFE MODE]
Reboot into normal mode.
RIGHT-CLICK HERE and Save As (in Internet Explorer, it's "Save Target As") in order to download the fixrdriv.reg file. Save it to your deskop.
Locate fixrdriv.reg on your Desktop and double-click on it. When it asks if you want to merge with the registry, click YES.
After the "merged successfully" prompt, please do the following:
* Download the Killbox by Option^Explicit.
* Save it to your desktop.
* Run Killbox.exe.
* Select "Delete on Reboot".
* Copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C
C:\WINDOWS\system32\rdriv.sys
C:\WINDOWS\ItunesMusic.exe
C:\WINDOWS\wkssvc.exe
* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the "PendingRenameOperation" prompt. If your computer does not restart automatically, please restart it manually.
While it's restarting, contiunally tap F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.
In Safe Mode, Run CleanUp!
- Still in Safe Mode...,
- Run Ewido.
- Click on scanner
- Make sure the following boxes are checked before scanning:
- Binder
- Crypter
- Archives
- Click on Start Scan
- Let the program scan the machine
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
- Click Save report
- Save the report to your desktop
I need you to post the log from Ewido, and a new HiJackThis log into this topic.
Edited by bananafanafo, 10 June 2005 - 01:33 PM.
#43
Posted 13 June 2005 - 04:24 AM
elliotc02
- Topic Starter
-
- Member
-
- 34 posts
Member
Strange thing is that I'm now automatically updating my computer with the XP auto updates...never used to do that before...Anyways, here ya go! Thanks a million!
Logfile of HijackThis v1.99.1
Scan saved at 3:23:16 AM, on 6/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\palmOne\Hotsync.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\e9b0377463edd4b6480f6148a1f88bac\update\update.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\ElliotChi\Desktop\HiJack\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
O4 - HKLM\..\Run: [CASpeed] "C:\Program Files\Cable e ADSL Speed\NtwCA.exe" /HIDE
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\System32\dxdllreg.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBC Self Support Tool\SmartBridge\MotiveSB.exe
O4 - HKLM\..\Run: [TangoManager] C:\Program Files\Covad\Covad DSL\app\TangoManager.exe
O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [Tweak-XP] C:\Program Files\Tweak-XP\Tweak-xp.exe -ex
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\RunOnce: [BullguardoptIn] C:\WINDOWS\Temp\BullGuard\bulldownload.exe
O4 - HKCU\..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe /Fixups
O4 - HKCU\..\RunOnce: [RunPalmPIL] "C:\Program Files\palmOne\pil.exe"
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://files.member....c/yinsthdlk.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Here's the ewido
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 3:18:28 AM, 6/13/2005
+ Report-Checksum: 7FC834F2
+ Date of database: 6/7/2005
+ Version of scan engine: v3.0
+ Duration: 46 min
+ Scanned Files: 71923
+ Speed: 25.83 Files/Second
+ Infected files: 38
+ Removed files: 38
+ Files put in quarantine: 38
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0
+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes
+ Scanned items:
C:\
+ Scan result:
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069543.exe -> TrojanDownloader.Apropo.ab -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069544.DLL -> Spyware.ClearSearch.d -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069545.exe/re11.REG -> Trojan.LowZones.a -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069546.exe -> Spyware.WinFetcher.b -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069547.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069548.exe -> Backdoor.SdBot.xd -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069549.exe -> TrojanDownloader.Apropo.ab -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069550.exe -> Backdoor.SdBot.xd -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069551.dll -> Trojan.Delf.cf -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069552.exe -> Spyware.Adtomi.e -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069553.dll -> Spyware.VirtualBouncer.d -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069554.scr -> TrojanDownloader.NSIS.gen -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069555.exe -> Spyware.Bargainbuddy -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069556.exe -> Trojan.AproposAd -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069557.exe -> Backdoor.SdBot.xd -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069558.exe -> Backdoor.SdBot.xd -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069559.exe -> Backdoor.SdBot.xd -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069560.exe -> Trojan.Delf.cf -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069561.exe -> Trojan.Delf.cf -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069562.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069563.exe -> Backdoor.Rbot -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069564.exe -> Spyware.WinFetcher.b -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069565.dll -> TrojanDownloader.Dyfuca.eg -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069566.exe -> Backdoor.SdBot.xd -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069578.exe -> Backdoor.SdBot.xd -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP303\A0070863.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP303\A0070868.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP303\A0070874.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP303\A0070880.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP304\A0070885.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP304\A0070893.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP304\A0071003.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP304\A0071013.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP304\A0072013.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP304\A0072015.exe -> Backdoor.SdBot.xd -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP304\A0072058.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP304\A0072070.exe -> Backdoor.SdBot.xd -> Cleaned with backup
C:\WINDOWS\Temp\__delete_on_reboot__~168099.tmp -> Spyware.Wintol.p -> Cleaned with backup
::Report End
Logfile of HijackThis v1.99.1
Scan saved at 3:23:16 AM, on 6/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\palmOne\Hotsync.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\e9b0377463edd4b6480f6148a1f88bac\update\update.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\ElliotChi\Desktop\HiJack\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
O4 - HKLM\..\Run: [CASpeed] "C:\Program Files\Cable e ADSL Speed\NtwCA.exe" /HIDE
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\System32\dxdllreg.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBC Self Support Tool\SmartBridge\MotiveSB.exe
O4 - HKLM\..\Run: [TangoManager] C:\Program Files\Covad\Covad DSL\app\TangoManager.exe
O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [Tweak-XP] C:\Program Files\Tweak-XP\Tweak-xp.exe -ex
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\RunOnce: [BullguardoptIn] C:\WINDOWS\Temp\BullGuard\bulldownload.exe
O4 - HKCU\..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe /Fixups
O4 - HKCU\..\RunOnce: [RunPalmPIL] "C:\Program Files\palmOne\pil.exe"
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://files.member....c/yinsthdlk.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Here's the ewido
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 3:18:28 AM, 6/13/2005
+ Report-Checksum: 7FC834F2
+ Date of database: 6/7/2005
+ Version of scan engine: v3.0
+ Duration: 46 min
+ Scanned Files: 71923
+ Speed: 25.83 Files/Second
+ Infected files: 38
+ Removed files: 38
+ Files put in quarantine: 38
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0
+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes
+ Scanned items:
C:\
+ Scan result:
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069543.exe -> TrojanDownloader.Apropo.ab -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069544.DLL -> Spyware.ClearSearch.d -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069545.exe/re11.REG -> Trojan.LowZones.a -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069546.exe -> Spyware.WinFetcher.b -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069547.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069548.exe -> Backdoor.SdBot.xd -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069549.exe -> TrojanDownloader.Apropo.ab -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069550.exe -> Backdoor.SdBot.xd -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069551.dll -> Trojan.Delf.cf -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069552.exe -> Spyware.Adtomi.e -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069553.dll -> Spyware.VirtualBouncer.d -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069554.scr -> TrojanDownloader.NSIS.gen -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069555.exe -> Spyware.Bargainbuddy -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069556.exe -> Trojan.AproposAd -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069557.exe -> Backdoor.SdBot.xd -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069558.exe -> Backdoor.SdBot.xd -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069559.exe -> Backdoor.SdBot.xd -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069560.exe -> Trojan.Delf.cf -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069561.exe -> Trojan.Delf.cf -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069562.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069563.exe -> Backdoor.Rbot -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069564.exe -> Spyware.WinFetcher.b -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069565.dll -> TrojanDownloader.Dyfuca.eg -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069566.exe -> Backdoor.SdBot.xd -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069578.exe -> Backdoor.SdBot.xd -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP303\A0070863.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP303\A0070868.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP303\A0070874.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP303\A0070880.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP304\A0070885.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP304\A0070893.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP304\A0071003.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP304\A0071013.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP304\A0072013.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP304\A0072015.exe -> Backdoor.SdBot.xd -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP304\A0072058.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP304\A0072070.exe -> Backdoor.SdBot.xd -> Cleaned with backup
C:\WINDOWS\Temp\__delete_on_reboot__~168099.tmp -> Spyware.Wintol.p -> Cleaned with backup
::Report End
#44
Posted 13 June 2005 - 10:07 AM
Michelle
-
- Retired Staff
-
- 8,928 posts
Malware Removal Goddess
I have it set that way in the fixrdriv.reg you ran earlier.Strange thing is that I'm now automatically updating my computer with the XP auto updates...never used to do that before.
Are you having any other problems?
You NEED Service Pack 2 otherwise you will become infected with this worm again.
#45
Posted 13 June 2005 - 03:11 PM
elliotc02
- Topic Starter
-
- Member
-
- 34 posts
Member
The only problem I have left is that when I'm using my computer, it will randomly have an error that reads:
lsass.exe failed
I click ok and my computer restarts in 60 seconds...not sure what to do with that, but that's the only problem I have left!
lsass.exe failed
I click ok and my computer restarts in 60 seconds...not sure what to do with that, but that's the only problem I have left!
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
As Featured On:
Sign In
Create Account
