Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

ad1 [RESOLVED]

Started by polines , Jun 19 2005 06:27 PM

This topic is locked

#1
polines

Posted 19 June 2005 - 06:27 PM

New Member

Member
6 posts

Sorry, but I cant stand it. :tazz:

Pop-ups all the time
Thank you for your time.

Logfile of HijackThis v1.99.1
Scan saved at 2:12:10, on 20/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Archivos de programa\Home Cinema\PowerCinema\PCMService.exe
C:\WINDOWS\Dit.exe
C:\WINDOWS\mHotkey.exe
C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
C:\Archivos de programa\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\PRISMSVR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\ARCHIV~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Archivos de programa\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\st120g.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Juan Francés\Mis documentos\Archivos\&C_\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.warhammer.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Acceso directo a la página de propiedades de High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATIPTA] C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [PCMService] "C:\Archivos de programa\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitezyv32.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Archivos de programa\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\PRISMSVR.EXE" /APPLY
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\ARCHIV~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - Startup: ASE Scheduler.lnk = C:\Archivos de programa\Aluria Software\ASE\ASE Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpeedTouch 120g Wireless USB Monitor.lnk = C:\Archivos de programa\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\st120g.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097957893492
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{99A5C4B8-0F2E-42B5-8E0F-B3372DEEB2F3}: NameServer = 62.81.0.33,62.81.16.129
O23 - Service: Aluria Security Center Spyware Eliminator Service (ASCService) - Unknown owner - C:\Archivos de programa\Aluria Security Center\ascserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\ARCHIV~1\COMMON~1\X10\Common\x10nets.exe (file missing)

#2
Guest_thatman_*

Posted 19 June 2005 - 06:35 PM

Guest

Hi polines

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Please download and install AD-Aware.
Check Here on how setup and use it - please make sure you update it first. Don't run yet.

Download Pocket Killbox and unzip it; save it to your Desktop. We may need it later.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Run Ewido full scan. Save the scan.log.

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitezyv32.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\ARCHIV~1\COMMON~1\X10\Common\x10nets.exe (file missing)
Click on Fix Checked when finished and exit HijackThis.

Run Ad-aware se let remove all it finds

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
C:\windows\system32\elitezyv32.exe
Let the system reboot.

Please download, install and run this disk cleanup utility called Cleanup version 4.0!: http://downloads.ste...p/CleanUp40.exe
It will get rid of any malware which may be hiding in your temp folders ( a common hiding place). You will also regain a massive amount of disk space. Here is a tutorial which describes its usage: http://www.bleepingc...tutorial93.html
Check the custom settings to your liking under options, but be sure to delete temporary files and temporary internet files for all user profiles. Also, cleanout the prefetch folder and the recycle bin.When the scan has finnished click the close button
When prompted the system will log off to let it clean out the remaining files. when the log screen shows log back on and continue the fix.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
Please post the logs From Panda, Ewido and HJT.logWe will need them to remove previous infections that have left files on your system.

Kc :tazz:

#3
polines

Posted 19 June 2005 - 08:10 PM

New Member

Topic Starter
Member
6 posts

You are VERy good!!!!!!
It has already stopped!
Logfile of HijackThis v1.99.1
Scan saved at 3:53:29, on 20/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Archivos de programa\Home Cinema\PowerCinema\PCMService.exe
C:\WINDOWS\Dit.exe
C:\WINDOWS\mHotkey.exe
C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
C:\Archivos de programa\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\PRISMSVR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\ARCHIV~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
C:\Archivos de programa\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\st120g.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Juan Francés\Mis documentos\Archivos\&C_\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.warhammer.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Acceso directo a la página de propiedades de High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATIPTA] C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [PCMService] "C:\Archivos de programa\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Archivos de programa\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\PRISMSVR.EXE" /APPLY
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\ARCHIV~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - Startup: ASE Scheduler.lnk = C:\Archivos de programa\Aluria Software\ASE\ASE Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpeedTouch 120g Wireless USB Monitor.lnk = C:\Archivos de programa\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\st120g.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097957893492
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{99A5C4B8-0F2E-42B5-8E0F-B3372DEEB2F3}: NameServer = 62.81.0.33,62.81.16.129
O23 - Service: Aluria Security Center Spyware Eliminator Service (ASCService) - Unknown owner - C:\Archivos de programa\Aluria Security Center\ascserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\ARCHIV~1\COMMON~1\X10\Common\x10nets.exe (file missing)

Panda
Incidencia Estado Elemento

Adware:Adware/Ucmore No desinfectado C:\WINDOWS\ucmoreiex.exe
Spyware:Spyware/BargainBuddy No desinfectado C:\WINDOWS\msxct1.ini
Adware:Adware/EliteBar No desinfectado Registro de Windows
Adware:Adware/Weirdontheweb No desinfectado C:\WINDOWS\weirdontheweb_topc.exe
Spyware:Spyware/Dyfuca No desinfectado C:\Documents and Settings\Juan Francés\Internet Optimizer\update\optimize314.exe
Adware:Adware/Ucmore No desinfectado C:\Documents and Settings\Juan Francés\Menú Inicio\Programas\UCmore - The Search Accelerator\How To Uninstall.lnk
Adware:Adware/Ucmore No desinfectado C:\Documents and Settings\Juan Francés\Menú Inicio\Programas\UCmore - The Search Accelerator\UCmore Tour.lnk
Spyware:Spyware/BargainBuddy No desinfectado C:\WINDOWS\msxct1.ini
Adware:Adware/EliteBar No desinfectado C:\WINDOWS\system32\temperror32.dat
Adware:Adware/Ucmore No desinfectado C:\WINDOWS\ucmoreiex.exe
Adware:Adware/Weirdontheweb No desinfectado C:\WINDOWS\weirdontheweb_topc.exe

ewido security suite - Report de exploración
---------------------------------------------------------

+ Creado en: 3:52:53, 20/06/2005
+ Report-Checksum: F42EBBC7

+ Fecha de la base de datos: 19/06/2005
+ Versión del scanner: v3.0

+ Duración: 5 min
+ Archivos explorados: 41265
+ Velocidad: 122.55 Archivos/Segundo
+ Archivos infectados: 1
+ Archivos eliminados: 1
+ Archivos puestos en cuarentena: 1
+ Archivos que no se han podido abrir: 0
+ Archivos que no se han podido limpiar: 0

+ Carpeta: Si
+ Encriptar: Si
+ Archivos: Si

+ Items explorados:
C:\
D:\

+ Resultados de la exploración:
C:\WINDOWS\system32\temperror32.dat -> Spyware.Hijacker.Generic -> Limpio con backup

::Fin Report
Sorry some are in Spanish, Tell me if you need some tranlation
THANK YOU!

#4
Guest_thatman_*

Posted 19 June 2005 - 08:26 PM

Guest

Hi polines

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Run Ewido full scan. Save the scan.log.

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R3 - Default URLSearchHook is missing
Click on Fix Checked when finished and exit HijackThis.

Run Ad-aware se let remove all it finds

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
C:\WINDOWS\ucmoreiex.exe
C:\WINDOWS\msxct1.ini
C:\WINDOWS\weirdontheweb_topc.exe
C:\Documents and Settings\Juan Francés\Internet Optimizer\update\optimize314.exe
C:\Documents and Settings\Juan Francés\Menú Inicio\Programas\UCmore - The Search Accelerator\UCmore Tour.lnk
C:\Documents and Settings\Juan Francés\Menú Inicio\Programas\UCmore - The Search Accelerator\How To Uninstall.lnk
C:\WINDOWS\msxct1.ini
C:\WINDOWS\system32\temperror32.dat
C:\WINDOWS\ucmoreiex.exe
C:\WINDOWS\weirdontheweb_topc.exe
Let the system reboot.

Use windows explorer delete the following folders:
C:\Documents and Settings\Juan Francés\Menú Inicio\Programas\UCmore - The Search Accelerator<--Delete the whole folder
C:\Documents and Settings\Juan Francés\Internet Optimizer\update<--Delete the whole folder

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
Please post the logs From Panda, Ewido and HJT.logWe will need them to remove previous infections that have left files on your system.

Kc :tazz:

#5
polines

Posted 20 June 2005 - 05:38 PM

New Member

Topic Starter
Member
6 posts

Well, there it is.

Incidencia Estado Elemento

Adware:Adware/EliteBar No desinfectado Registro de Windows
Adware:Adware/Ucmore No desinfectado C:\RECYCLER\S-1-5-21-1316953761-1317630905-3253397412-1007\Dc1\How To Uninstall.lnk
Adware:Adware/Ucmore No desinfectado C:\RECYCLER\S-1-5-21-1316953761-1317630905-3253397412-1007\Dc1\UCmore Tour.lnk

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 0:16:20, 21/06/2005
+ Report-Checksum: E9358B32

+ Date of database: 20/06/2005
+ Version of scan engine: v3.0

+ Duration: 4 min
+ Scanned Files: 41151
+ Speed: 141.92 Files/Second
+ Infected files: 0
+ Removed files: 0
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\

+ Scan result:
No infected files found!

::Report End

Logfile of HijackThis v1.99.1
Scan saved at 1:41:06, on 21/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Archivos de programa\Home Cinema\PowerCinema\PCMService.exe
C:\WINDOWS\Dit.exe
C:\WINDOWS\mHotkey.exe
C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
C:\Archivos de programa\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\PRISMSVR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\st120g.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Juan Francés\Mis documentos\Archivos\&C_\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.warhammer.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Acceso directo a la página de propiedades de High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATIPTA] C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [PCMService] "C:\Archivos de programa\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Archivos de programa\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\PRISMSVR.EXE" /APPLY
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ASE Scheduler.lnk = C:\Archivos de programa\Aluria Software\ASE\ASE Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpeedTouch 120g Wireless USB Monitor.lnk = C:\Archivos de programa\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\st120g.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097957893492
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{99A5C4B8-0F2E-42B5-8E0F-B3372DEEB2F3}: NameServer = 62.81.0.33,62.81.16.129
O23 - Service: Aluria Security Center Spyware Eliminator Service (ASCService) - Unknown owner - C:\Archivos de programa\Aluria Security Center\ascserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\ARCHIV~1\COMMON~1\X10\Common\x10nets.exe (file missing)

#6
Guest_thatman_*

Posted 21 June 2005 - 09:32 AM

Guest

Hi polines

How is your system running now.

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Download Pocket Killbox and unzip it; save it to your Desktop. We may need it later.

Please download SpyBot V1.4 http://www.majorgeek...wnload2471.html Update the program then run it.

Important Step
1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:
X10 Device Network Service (x10nets)
When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don´t find this service listed go ahead with the next steps.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Run Ewido full scan. Save the scan.log.

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R3 - Default URLSearchHook is missing
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\ARCHIV~1\COMMON~1\X10\Common\x10nets.exe (file missing)
Click on Fix Checked when finished and exit HijackThis.

Run Ad-aware se let remove all it finds

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

Reboot as normal

Please download, install and run this disk cleanup utility called Cleanup version 4.0!: http://downloads.ste...p/CleanUp40.exe
It will get rid of any malware which may be hiding in your temp folders ( a common hiding place). You will also regain a massive amount of disk space. Here is a tutorial which describes its usage: http://www.bleepingc...tutorial93.html
Check the custom settings to your liking under options, but be sure to delete temporary files and temporary internet files for all user profiles. Also, cleanout the prefetch folder and the recycle bin.When the scan has finnished click the close button
When prompted the system will log off to let it clean out the remaining files. when the log screen shows log back on and continue the fix.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
Please post the logs From Panda, Ewido and HJT.logWe will need them to remove previous infections that have left files on your system.

Kc :tazz:

#7
polines

Posted 23 June 2005 - 12:25 AM

New Member

Topic Starter
Member
6 posts

Thank you again!

ewido security suite - Report de exploración
---------------------------------------------------------

+ Creado en: 0:55:09, 23/06/2005
+ Report-Checksum: 6C85329C

+ Fecha de la base de datos: 20/06/2005
+ Versión del scanner: v3.0

+ Duración: 28 min
+ Archivos explorados: 41732
+ Velocidad: 24.43 Archivos/Segundo
+ Archivos infectados: 1
+ Archivos eliminados: 1
+ Archivos puestos en cuarentena: 1
+ Archivos que no se han podido abrir: 0
+ Archivos que no se han podido limpiar: 0

+ Carpeta: Si
+ Encriptar: Si
+ Archivos: Si

+ Items explorados:
C:\
D:\

+ Resultados de la exploración:
C:\Documents and Settings\Juan Francés\Cookies\juan francés@zedo[2].txt -> Spyware.Tracking-Cookie -> Limpio con backup

::Fin Report

Incidencia Estado Elemento

Spyware:Spyware/SurfSideKick No desinfectado Registro de Windows

Logfile of HijackThis v1.99.1
Scan saved at 0:59:04, on 23/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Juan Francés\Mis documentos\Archivos\&C_\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pccity.es/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Acceso directo a la página de propiedades de High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATIPTA] C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [PCMService] "C:\Archivos de programa\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Archivos de programa\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\PRISMSVR.EXE" /APPLY
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpeedTouch 120g Wireless USB Monitor.lnk = C:\Archivos de programa\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\st120g.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1097957893492
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{99A5C4B8-0F2E-42B5-8E0F-B3372DEEB2F3}: NameServer = 62.81.0.33,62.81.16.129
O23 - Service: Aluria Security Center Spyware Eliminator Service (ASCService) - Unknown owner - C:\Archivos de programa\Aluria Security Center\ascserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#8
polines

Posted 23 June 2005 - 12:27 AM

New Member

Topic Starter
Member
6 posts

I couldnt do this
R3 - Default URLSearchHook is missing
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\ARCHIV~1\COMMON~1\X10\Common\x10nets.exe (file missing)
because these lines werent there!!

#9
Guest_thatman_*

Posted 23 June 2005 - 02:03 AM

Guest

Hi polines

Please download toolbarcop
Unzip and run the program look for a toolbar entry for SurfSideKick Delete if found.
http://windowsxp.mvp.../toolbarcop.htm

Kc :tazz:

#10
polines

Posted 23 June 2005 - 03:08 AM

New Member

Topic Starter
Member
6 posts

Not found, its workin great.
Thank you!

#11
Guest_thatman_*

Posted 23 June 2005 - 03:26 AM

Guest

Hi polines

Congratulations! Your system is CLEAN

Microsoft® Windows AntiSpyware (Beta) 2000 and XP ONLY.
Please download SpyBot V1.4 http://www.majorgeek...wnload2471.html
Spybot Tutorial
Disable Spybot Tutorial

Winpatrol Free

Ad-Aware SE Personal Edition Free
AdAware Tutorial

Turn of system restore
Disabling or enabling Windows XP System Restore
WIndows ME
Defrag your hard drive. Turn system restore back on and create a new restore point.

Tony Klien: So how did I get infected in the first place

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use). Click Here
QUOTE
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer, almost every exploit is crafted to take advantage of an IE weakness. We usually recommend FireFox.
http://www.mozilla.o...oducts/firefox/
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine .
You can download Sun's newer JVM for Windows at http://java.sun.com/getjava/index.html.
http://www.java.com/...load/manual.jsp Windows (Offline Installation)

After doing all these, your system will be thoroughly protected from future threats.

Have a nice Day.

Kc :tazz:

#12
Guest_thatman_*

Posted 27 June 2005 - 08:57 AM

Guest

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.