Aurora and other such trouble



#1
Slave1


    New Member

Hello, I have run the recommended programs in an attempt to clean up my computer. I have Aurora and I’m certain I have other infections as well. Please review my HijackThis log and Ewido log and help me to fix these problems. Much appreciated.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:08:00 AM, 6/10/2005
+ Report-Checksum: 399F321E

+ Date of database: 6/9/2005
+ Version of scan engine: v3.0

+ Duration: 121 min
+ Scanned Files: 220916
+ Speed: 30.38 Files/Second
+ Infected files: 168
+ Removed files: 160
+ Files put in quarantine: 160
+ Files that could not be opened: 0
+ Files that could not be cleaned: 8

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
C:\

+ Scan result:
C:\Documents and Settings\Marc\My Documents\My Received Files\CRACK[1].CD-Warcraft_3_The_Frozen_Throne_by_FFF.zip/ylx.exe -> TrojanDownloader.INService.k -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\My Received Files\mytw3ful.zip/start.exe -> TrojanDownloader.Small.gl -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/1 -> Spyware.BiSpy.o -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/12 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/13 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/14 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/16 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/17 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/18 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/19 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/download_me.exe -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/2 -> Not-A-Virus.Tool.HTPatch.a -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/200 -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/download_me.exe -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/202 -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/download_me.exe -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/204 -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/download_me.exe -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/206 -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/download_me.exe -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/208 -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/download_me.exe -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/21 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/210 -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/download_me.exe -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/212 -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/download_me.exe -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/214 -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/download_me.exe -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/216 -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/download_me.exe -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/218 -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/download_me.exe -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/22 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/220 -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/download_me.exe -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/222 -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/download_me.exe -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/224 -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/download_me.exe -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/226 -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/download_me.exe -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/228 -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/download_me.exe -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/23 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/230 -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/24 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/25 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/26 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/27 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/29 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/3 -> Not-A-Virus.Tool.HTPatch.a -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/30 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/31 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/32 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/33 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/34 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/35 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/36 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/38 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/4 -> Spyware.BiSpy.o -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/40 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/41 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/42 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/43 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/45 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/46 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/48 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/5 -> Spyware.BiSpy.o -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/bdedownloader.dll -> Spyware.Altnet.b -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/dman25.dll -> Spyware.BrillianDigital -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/sysdetect.dll -> Spyware.BrilliantDigital.1007 -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/6 -> Not-A-Virus.Tool.HTPatch.a -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/7 -> Spyware.BiSpy.o -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/8 -> Spyware.Cydoor -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/9 -> Spyware.Cydoor -> Cleaned with backup
C:\Program Files\MyWay\myBar\1.bin\MY2NS.EXE -> Spyware.MyWay.b -> Cleaned with backup
C:\Program Files\MyWay\myBar\1.bin\MYWAYPLUGINPROXY.CLASS -> Spyware.MyWay -> Cleaned with backup
C:\Program Files\MyWay\myBar\1.bin\NPMYWAY.DLL -> Spyware.MyWay.e -> Cleaned with backup
C:\Program Files\SearchRelevant\SearchRelevant1.dll -> Spyware.Relevance -> Cleaned with backup
C:\WINDOWS\msxmidi.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system32\nfbmped.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\system32\qaics.exe -> Worm.SpyBot -> Cleaned with backup
C:\WINDOWS\tiubbwbzo.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\My Received Files\CRACK[1].CD-Warcraft_3_The_Frozen_Throne_by_FFF.zip/ylx.exe -> TrojanDownloader.INService.k -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\My Received Files\mytw3ful.zip/start.exe -> TrojanDownloader.Small.gl -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/1 -> Spyware.BiSpy.o -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/12 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/13 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/14 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/16 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/17 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/18 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/19 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/download_me.exe -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/2 -> Not-A-Virus.Tool.HTPatch.a -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/200 -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/download_me.exe -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/202 -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/download_me.exe -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/204 -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/download_me.exe -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/206 -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/download_me.exe -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/208 -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/download_me.exe -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/21 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/210 -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/download_me.exe -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/212 -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/download_me.exe -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/214 -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/download_me.exe -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/216 -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/download_me.exe -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/218 -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/download_me.exe -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/22 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/220 -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/download_me.exe -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/222 -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/download_me.exe -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/224 -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/download_me.exe -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/226 -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/download_me.exe -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/228 -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/download_me.exe -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/23 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/230 -> Worm.SpyBot -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/24 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/25 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/26 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/27 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/29 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/3 -> Not-A-Virus.Tool.HTPatch.a -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/30 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/31 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/32 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/33 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/34 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/35 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/36 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/38 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/4 -> Spyware.BiSpy.o -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/40 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/41 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/42 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/43 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/45 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/46 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/48 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/5 -> Spyware.BiSpy.o -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/bdedownloader.dll -> Spyware.Altnet.b -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/dman25.dll -> Spyware.BrillianDigital -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/sysdetect.dll -> Spyware.BrilliantDigital.1007 -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/6 -> Not-A-Virus.Tool.HTPatch.a -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/7 -> Spyware.BiSpy.o -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/8 -> Spyware.Cydoor -> Cleaned with backup
C:\Documents and Settings\Marc\My Documents\Spyware\XoftSpyBackup.zip/9 -> Spyware.Cydoor -> Cleaned with backup
C:\Program Files\MyWay\myBar\1.bin\MY2NS.EXE -> Spyware.MyWay.b -> Error during cleaning
C:\Program Files\MyWay\myBar\1.bin\MYWAYPLUGINPROXY.CLASS -> Spyware.MyWay -> Error during cleaning
C:\Program Files\MyWay\myBar\1.bin\NPMYWAY.DLL -> Spyware.MyWay.e -> Error during cleaning
C:\Program Files\SearchRelevant\SearchRelevant1.dll -> Spyware.Relevance -> Error during cleaning
C:\WINDOWS\msxmidi.exe -> Spyware.Hijacker.Generic -> Error during cleaning
C:\WINDOWS\system32\nfbmped.exe -> Trojan.Agent.cp -> Error during cleaning
C:\WINDOWS\system32\qaics.exe -> Worm.SpyBot -> Error during cleaning
C:\WINDOWS\tiubbwbzo.exe -> Spyware.BetterInternet -> Error during cleaning


::Report End




Logfile of HijackThis v1.99.1
Scan saved at 1:23:27 PM, on 6/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\system32\DVDRAMSV.EXE
C:\Program Files\VirusPrograms\security suite\ewidoctrl.exe
C:\Program Files\VirusPrograms\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\Documents and Settings\Marc\My Documents\My Received Files\Virus programs\HijackThis\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\VirusPrograms\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Desksite CMA] C:\Program Files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [SysSearch] REGEDIT.EXE -s C:/WINDOWS/pcsearch.reg
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...RdxIE601_fr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwn...m/cab/crack.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{C207C773-CFE6-4EFC-AA92-C54226739F06}: NameServer = 203.49.70.20 139.134.2.190
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\VirusPrograms\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\VirusPrograms\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe


#2
insipid


    Visiting Staff

I apologize for the delay in getting to your log; the helpers here are very busy. If you are still having malware troubles, I will be glad to help. Due to the length of time that has passed, I need to see a new HijackThis log.

Please post a new HJT log in this thread.

#3
Slave1


    New Member

Hi, thanks for your help. I appreciate it; I was about to give up hope, but I should have known better. Here is my new HJT log. I will be checking back much more often now.

Logfile of HijackThis v1.99.1
Scan saved at 4:22:03 PM, on 6/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\system32\DVDRAMSV.EXE
C:\Program Files\VirusPrograms\security suite\ewidoctrl.exe
C:\Program Files\VirusPrograms\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Marc\My Documents\My Received Files\Virus programs\HijackThis\HijackThis.exe

R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\VIRUSP~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Desksite CMA] C:\Program Files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [SysSearch] REGEDIT.EXE -s C:/WINDOWS/pcsearch.reg
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...RdxIE601_fr.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensave.../sinstaller.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwn...m/cab/crack.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{C207C773-CFE6-4EFC-AA92-C54226739F06}: NameServer = 203.49.70.20 139.134.2.190
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\VirusPrograms\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\VirusPrograms\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

#4
insipid
    Visiting Staff
  • Member
  • 313 posts
Slave1, your log indicates some problems, let's take care of them.

Please run both of these online virus scans: Trendmicro Housecall and Panda Active Scan
  • For Housecall, select the 'Autoclean' option. Please tell me of any files it can't clean.
  • For Panda, use the default settings and save the log it generates to post in your next reply.
Reboot, and rescan with HijackThis and place a checkmark next to the following entries:


R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SysSearch] REGEDIT.EXE -s C:/WINDOWS/pcsearch.reg
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...RdxIE601_fr.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwn...m/cab/crack.CAB


Now, close all windows including your browser and then click "Fix Checked" in HijackThis.

Please remove these entries from Add/Remove Programs in the Control Panel (if present):

Ebates_MoeMoneyMaker


Please delete these folders using Windows Explorer (if present):

C:\Program Files\Ebates_MoeMoneyMaker\

Please delete these files using Windows Explorer (if present):

C:/WINDOWS/pcsearch.reg


Next, clean out all the temporary files and cookies on your system. Go to Start > Run and enter: cleanmgr. Let it scan your system for files to remove. Check these three boxes and then press ok to remove: Temporary Files, Temporary Internet Files, Recycle Bin.

Reboot and post a new HijackThis log and the Panda ActiveScan report.
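
A scripted version of the triage and re-scan check in this post, as an added example that is not part of the original thread: it flags entries HijackThis itself marks as orphaned, plus Run entries that silently import a .reg file, then confirms against a follow-up log that none remain. The two regular-expression heuristics and all function names are assumptions made here, and they do not cover the O16 entries, which have to be judged by knowing the control. The sample lines are excerpted from the logs in this thread.

```python
import re
from typing import NamedTuple

# A HijackThis entry is "<section code> - <description>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# Assumed heuristic 1: HijackThis's own markers for a registry entry whose target is gone.
ORPHAN_RE = re.compile(r"\((?:no file|file missing)\)| is missing$")
# Assumed heuristic 2: an autorun that re-imports a .reg file silently at every boot.
SILENT_REG_RE = re.compile(r"\bregedit(?:\.exe)?\s+[-/]s\b", re.IGNORECASE)

class Entry(NamedTuple):
    code: str
    body: str

def parse_log(text):
    """Return the set of section entries; header and process lines are skipped."""
    entries = set()
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add(Entry(m.group(1), m.group(2)))
    return entries

def triage(entry):
    """Return a reason string if an entry matches a heuristic, else None."""
    if ORPHAN_RE.search(entry.body):
        return "orphaned: target missing"
    if entry.code == "O4" and SILENT_REG_RE.search(entry.body):
        return "autorun silently imports a .reg file"
    return None

def verify_fix(before_text, after_text):
    """Compare the log taken before 'Fix Checked' with the re-scan after reboot."""
    before, after = parse_log(before_text), parse_log(after_text)
    flagged = {e: r for e in before if (r := triage(e))}
    return {
        "flagged": flagged,
        "still_present": {e for e in flagged if e in after},  # fix did not stick
        "removed": before - after,
        "new": after - before,  # anything that appeared between scans
    }

# Excerpts from the first log and from the re-scan posted in this thread.
BEFORE = r"""
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SysSearch] REGEDIT.EXE -s C:/WINDOWS/pcsearch.reg
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwn...m/cab/crack.CAB
"""
AFTER = r"""
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
"""

if __name__ == "__main__":
    result = verify_fix(BEFORE, AFTER)
    for entry, reason in sorted(result["flagged"].items()):
        print(f"{entry.code:>3}  {reason}: {entry.body}")
    print("still present after fix:", len(result["still_present"]))
    print("new since first scan:", sorted(e.code for e in result["new"]))
```

An entry that shows up under `still_present` or `new` on a re-scan means something restored or added it between scans, which is the reason for asking for a fresh log after the reboot.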

#5
Slave1
    New Member
  • Topic Starter
  • Member
  • 6 posts
Thank you Insipid for your clear direction and help. Below is the Panda scan report. Housecall had no problems cleaning what it found. I was unable to locate any Ebates_MoeMoneyMaker files or folders and the “pcsearch.reg” was not present either. There is also the latest HJT log.

Panda (sorry about the layout)

Incident                        Status          Location

Adware:Adware/SaveNow           No disinfected  Windows Registry
Adware:Adware/MyWay             No disinfected  C:\Program Files\MyWay
Spyware:Spyware/ISTbar          No disinfected  C:\Program Files\Common Files\Totem Shared
Adware:Adware/IPInsight         No disinfected  C:\WINDOWS\alchem.???
Adware:Adware/AdLogix           No disinfected  Windows Registry
Adware:Adware/Twain-Tech        No disinfected  C:\WINDOWS\satmat.ini
Spyware:Spyware/Altnet          No disinfected  Windows Registry
Adware:Adware/TopSearch         No disinfected  C:\Program Files\kazaa\topsearch.dll
Adware:Adware/TopSearch         No disinfected  C:\Program Files\Kazaa\TopSearch.dll
Adware:Adware/BrilliantDigital  No disinfected  C:\Program Files\KaZaA Lite\bdcore.dll
Adware:Adware/IPInsight         No disinfected  C:\WINDOWS\alchem.ini
Adware:Adware Program           No disinfected  C:\WINDOWS\Downloaded Program Files\test.INF
Adware:Adware/IPInsight         No disinfected  C:\WINDOWS\inf\alchem.inf
Adware:Adware/BTGrab            No disinfected  C:\WINDOWS\inf\btgrab.inf
Adware:Adware/IPInsight         No disinfected  C:\WINDOWS\satmat.ini
Adware:Adware/P2PNetworking     No disinfected  C:\WINDOWS\system32\P2P Networking v123.cpl
Adware:Adware/Transponder       No disinfected  C:\WINDOWS\xrqkgee.exe


Logfile of HijackThis v1.99.1
Scan saved at 6:32:24 PM, on 6/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\system32\DVDRAMSV.EXE
C:\Program Files\VirusPrograms\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Marc\My Documents\My Received Files\Virus programs\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\VIRUSP~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Desksite CMA] C:\Program Files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensave.../sinstaller.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C207C773-CFE6-4EFC-AA92-C54226739F06}: NameServer = 203.49.70.20 139.134.2.190
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\VirusPrograms\security suite\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

#6
insipid
    Visiting Staff
  • Member
  • 313 posts
Slave1, that looks much better. You're not running Anti-virus or Firewall software; I strongly urge you to download and install AVG Free Edition and ZoneAlarm Firewall. Links to these excellent free programs can be found in my signature below.

You are using Kazaa. This is not technically malware by itself, but it installs malware in order to run properly and it opens the door for every other nasty program you can think of. I strongly recommend that you remove it. Read this article for alternatives that will provide some of the same function without the garbage: http://www.spywarein...m/articles/p2p/ If you opt to remove it, first use Add/Remove Program to remove it and any reference to Altnet and P2P Networking. Go to your control panel, then to add/remove programs...uninstall P2P networking...If/when asked whether you also want to remove Altnet components, say 'Yes'.
P2P Networking is a totally useless Kazaa add-on, and it's been reported to be responsible for serious system slowdowns. You may also want to run KazaaBegone....


Let's get rid of some of those bad files Panda found. Please locate and delete these files:


C:\Program Files\MyWay << Folder
C:\Program Files\Common Files\Totem Shared
C:\WINDOWS\alchem.??? (this will probably have strange symbols where the ??? is)
C:\WINDOWS\satmat.ini
C:\Program Files\kazaa\topsearch.dll
C:\Program Files\KaZaA Lite\bdcore.dll
C:\WINDOWS\alchem.ini
C:\WINDOWS\Downloaded Program Files\test.INF
C:\WINDOWS\inf\alchem.inf
C:\WINDOWS\inf\btgrab.inf
C:\WINDOWS\system32\P2P Networking v123.cpl
C:\WINDOWS\xrqkgee.exe

Reboot and post one more HijackThis log for review.

#7
Slave1
    New Member
  • Topic Starter
  • Member
  • 6 posts
Once again thank you insipid. I will shortly be downloading the Anti-virus and firewall programs you have suggested, not having such programs was foolish I know. I chose to remove Kazaa however it was not possible using Add/Remove as none of the references were there (Altnet or P2P or Kazaa). I ran KazaaBeGone and it seems to have worked well. I was also unable to find:
C:\WINDOWS\alchem (with the funny symbols) I did find
C:\WINDOWS\alchem.inf though
C:\WINDOWS\Downloaded Program Files\test.inf was the other one I could not find after having run KazaaBeGone.
Here is the new HJT log after reboot.



Logfile of HijackThis v1.99.1
Scan saved at 6:31:02 PM, on 6/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\system32\DVDRAMSV.EXE
C:\Program Files\VirusPrograms\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\Documents and Settings\Marc\My Documents\My Received Files\Virus programs\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\VIRUSP~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Desksite CMA] C:\Program Files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensave.../sinstaller.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\VirusPrograms\security suite\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

#8
insipid
    Visiting Staff
  • Member
  • 313 posts
Your log is clean :tazz:.

Windows System Restore can and does back up malware files which can then be reinstalled if you ever restore to a previous point. To prevent this, we need to purge your Restore points:

Go to Start->Control Panel->System, System Restore. Click "Turn off System Restore". That will erase all restore points. You will be prompted to reboot. When Windows restarts, immediately go back in and uncheck "Turn off System Restore" to re-enable it. Windows will automatically create a new restore point.

To reduce re-infection potential for malware in the future:

Please read Tony Klein's article: So how did I get infected in the first place?.

It is extremely important to keep Windows and Internet Explorer up-to-date. Please go to http://v5.windowsupd...t.aspx?ln=en-us regularly and install ALL critical updates.

It would be a good idea to install a firewall if you don't have one. Here are a few free ones:
Kerio Personal Firewall
Zone Alarm
Sygate Personal Firewall

I strongly recommend installing three free programs: SpywareBlaster, SpywareGuard, and IE/Spyad.

Use AdAware SE and Spybot S&D regularly to scan your system. Links to excellent tutorials on these programs are in my signature below.

Finally, I suggest downloading and trying Mozilla Firefox browser. Firefox is a free fully functional browser. It's much safer than Internet Explorer.

#9
Slave1
    New Member
  • Topic Starter
  • Member
  • 6 posts
Hey Insipid, thanks very much for all your help. My computer seems to be running much...much better now. No pop-ups at all. I had forgotten what it was like.
However I still have some problems that I need help with for perhaps non Malware related issues. My Internet connection tends to drop out on occasion especially when I run MSN Messenger. I have run most of the internet fixes that I have come across through your help but that doesn't seem to have helped. I also am having this little annoyance with my keyboard where I seem to be able to type faster than it can register (make the words appear) and all my direction keys and delete key will not repeat if I hold it down even though just about every other key will. I also have a problem with using Winamp or any other media player and typing at the same time, if I do this everything really slows down. It's all got me beat, so if you could give me some help or point me in the right direction that would be awesome.
Once again thank you :tazz:

#10
insipid
    Visiting Staff
  • Member
  • 313 posts
This appears to be more of an issue for a software person. I'm just a poor malware remover :tazz:. Try asking here http://www.geekstogo...hp?showforum=12

If you don't get results, come back to this topic and I'll try to help.