Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Spysheriff...help [RESOLVED]

Started by _Jen , Jun 19 2005 11:34 PM

  • This topic is locked This topic is locked

#1
_Jen
Posted 19 June 2005 - 11:34 PM

_Jen

    New Member

  • Member
  • Pip
  • 5 posts
Spysheriff got onto my computer, I've tried uninstalling it and running adaware and spybot but it just comes back when i reboot...any help would be great.

Here is my hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 10:29:39 PM, on 6/19/2005
Platform: Windows 2000 SP1 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\CTSvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\Explorer.exe
C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINNT\loadqm.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\wscsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\??rvices.exe
C:\Program Files\stha\erei.exe
C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0952164D-FFDB-8601-A5C8-876DA647B2BC} - C:\WINNT\System32\hta.dll
O2 - BHO: (no name) - {095DB814-1EA0-45AC-8282-996F63C41DA7} - C:\WINNT\System32\mnk.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7A521639-FFA8-F101-A5C1-F66DA545B2BC} - C:\WINNT\System32\hta.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WUSB11B.exe] C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Parallel Tasking] C:\Program Files\Parallel Tasking\ptask.exe
O4 - HKLM\..\Run: [wscsvc.exe] C:\WINNT\wscsvc.exe
O4 - HKLM\..\Run: [ntddetect] C:\WINNT\System32\ntddetect.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Eps] C:\WINNT\Oll.exe
O4 - HKLM\..\Run: [Vle] C:\WINNT\Iam.exe
O4 - HKLM\..\Run: [Ogl] C:\WINNT\Tog.exe
O4 - HKLM\..\Run: [Eso] C:\WINNT\Cne.exe
O4 - HKLM\..\Run: [Tpe] C:\WINNT\Vcj.exe
O4 - HKLM\..\Run: [Nqu] C:\WINNT\System32\Tsj.exe
O4 - HKLM\..\Run: [Klt] C:\WINNT\Div.exe
O4 - HKLM\..\Run: [Cnq] C:\WINNT\System32\Mov.exe
O4 - HKLM\..\Run: [Fbq] C:\WINNT\System32\Hne.exe
O4 - HKLM\..\Run: [Ghh] C:\WINNT\System32\Jlo.exe
O4 - HKLM\..\Run: [Ibf] C:\WINNT\Kih.exe
O4 - HKLM\..\Run: [Tlj] C:\WINNT\Lhl.exe
O4 - HKLM\..\Run: [Onl] C:\WINNT\Kpb.exe
O4 - HKLM\..\Run: [Qnl] C:\WINNT\System32\Bui.exe
O4 - HKLM\..\Run: [Ipc] C:\WINNT\System32\Cdm.exe
O4 - HKLM\..\Run: [Jvg] C:\WINNT\System32\Qfb.exe
O4 - HKLM\..\Run: [Oer] C:\WINNT\System32\Upq.exe
O4 - HKLM\..\Run: [Uhg] C:\WINNT\Dml.exe
O4 - HKLM\..\Run: [Eqa] C:\WINNT\Mth.exe
O4 - HKLM\..\Run: [Rdf] C:\WINNT\System32\Mtu.exe
O4 - HKLM\..\Run: [Joj] C:\WINNT\System32\Nkn.exe
O4 - HKLM\..\Run: [Fto] C:\WINNT\Nom.exe
O4 - HKLM\..\Run: [Oha] C:\WINNT\Mtt.exe
O4 - HKLM\..\Run: [Inv] C:\WINNT\Hkm.exe
O4 - HKLM\..\Run: [Uvl] C:\WINNT\System32\Dmp.exe
O4 - HKLM\..\Run: [Keo] C:\WINNT\System32\Qve.exe
O4 - HKLM\..\Run: [Qmb] C:\WINNT\Bpi.exe
O4 - HKLM\..\Run: [Ntq] C:\WINNT\Avc.exe
O4 - HKLM\..\Run: [Fta] C:\WINNT\Klp.exe
O4 - HKLM\..\Run: [Acd] C:\WINNT\Veh.exe
O4 - HKLM\..\Run: [Rfh] C:\WINNT\Bci.exe
O4 - HKLM\..\Run: [Bci] C:\WINNT\System32\Eoj.exe
O4 - HKLM\..\Run: [Eqc] C:\WINNT\Vlm.exe
O4 - HKLM\..\Run: [Thv] C:\WINNT\Sis.exe
O4 - HKLM\..\Run: [Kfp] C:\WINNT\Sbs.exe
O4 - HKLM\..\Run: [Ioa] C:\WINNT\Epq.exe
O4 - HKLM\..\Run: [Sto] C:\WINNT\Bkn.exe
O4 - HKLM\..\Run: [Dae] C:\WINNT\System32\Hnj.exe
O4 - HKLM\..\Run: [Bka] C:\WINNT\Fhu.exe
O4 - HKLM\..\Run: [Boa] C:\WINNT\Vhp.exe
O4 - HKLM\..\Run: [Obd] C:\WINNT\Oqi.exe
O4 - HKLM\..\Run: [Ajr] C:\WINNT\Uoi.exe
O4 - HKLM\..\Run: [Mel] C:\WINNT\System32\Rdb.exe
O4 - HKLM\..\Run: [Jjb] C:\WINNT\Ksk.exe
O4 - HKLM\..\Run: [Ifs] C:\WINNT\System32\Rps.exe
O4 - HKLM\..\Run: [Fib] C:\WINNT\But.exe
O4 - HKLM\..\Run: [Nto] C:\WINNT\System32\Stg.exe
O4 - HKLM\..\Run: [Ugn] C:\WINNT\Fav.exe
O4 - HKLM\..\Run: [Gmq] C:\WINNT\System32\Foq.exe
O4 - HKLM\..\Run: [Cng] C:\WINNT\System32\Gun.exe
O4 - HKLM\..\Run: [Euo] C:\WINNT\Npu.exe
O4 - HKLM\..\Run: [Lbr] C:\WINNT\System32\Tkv.exe
O4 - HKLM\..\Run: [Tnq] C:\WINNT\System32\Eqb.exe
O4 - HKLM\..\Run: [Atp] C:\WINNT\System32\Fss.exe
O4 - HKLM\..\Run: [Qkr] C:\WINNT\Mvn.exe
O4 - HKLM\..\Run: [Boe] C:\WINNT\System32\Cgk.exe
O4 - HKLM\..\Run: [Kgn] C:\WINNT\System32\Ogn.exe
O4 - HKLM\..\Run: [Kcf] C:\WINNT\System32\Nhu.exe
O4 - HKLM\..\Run: [Dcc] C:\WINNT\System32\Vpl.exe
O4 - HKLM\..\Run: [Tck] C:\WINNT\Fok.exe
O4 - HKLM\..\Run: [Uqt] C:\WINNT\Kic.exe
O4 - HKLM\..\Run: [Jvl] C:\WINNT\System32\Lof.exe
O4 - HKLM\..\Run: [Mfh] C:\WINNT\System32\Hii.exe
O4 - HKLM\..\Run: [Fdi] C:\WINNT\System32\Svm.exe
O4 - HKLM\..\Run: [Dtd] C:\WINNT\Vsd.exe
O4 - HKLM\..\Run: [Fqm] C:\WINNT\System32\Pat.exe
O4 - HKLM\..\Run: [Lbu] C:\WINNT\System32\Jpe.exe
O4 - HKLM\..\Run: [Glm] C:\WINNT\System32\Ujq.exe
O4 - HKLM\..\Run: [Clk] C:\WINNT\Qeb.exe
O4 - HKLM\..\Run: [Deh] C:\WINNT\Hhb.exe
O4 - HKLM\..\Run: [Dnl] C:\WINNT\System32\Ieh.exe
O4 - HKLM\..\Run: [Ris] C:\WINNT\Fth.exe
O4 - HKLM\..\Run: [Pfl] C:\WINNT\System32\Hnm.exe
O4 - HKLM\..\Run: [Moi] C:\WINNT\System32\Dgs.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\WINNT\System32\ntddetect.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [d0qpRXH4l] chkelib.exe
O4 - HKCU\..\Run: [Eps] C:\WINNT\Oll.exe
O4 - HKCU\..\Run: [Vle] C:\WINNT\Iam.exe
O4 - HKCU\..\Run: [Ogl] C:\WINNT\Tog.exe
O4 - HKCU\..\Run: [Eso] C:\WINNT\Cne.exe
O4 - HKCU\..\Run: [Tpe] C:\WINNT\Vcj.exe
O4 - HKCU\..\Run: [Nqu] C:\WINNT\System32\Tsj.exe
O4 - HKCU\..\Run: [Klt] C:\WINNT\Div.exe
O4 - HKCU\..\Run: [Cnq] C:\WINNT\System32\Mov.exe
O4 - HKCU\..\Run: [Fbq] C:\WINNT\System32\Hne.exe
O4 - HKCU\..\Run: [Ghh] C:\WINNT\System32\Jlo.exe
O4 - HKCU\..\Run: [Ibf] C:\WINNT\Kih.exe
O4 - HKCU\..\Run: [Tlj] C:\WINNT\Lhl.exe
O4 - HKCU\..\Run: [Onl] C:\WINNT\Kpb.exe
O4 - HKCU\..\Run: [Qnl] C:\WINNT\System32\Bui.exe
O4 - HKCU\..\Run: [Ipc] C:\WINNT\System32\Cdm.exe
O4 - HKCU\..\Run: [Jvg] C:\WINNT\System32\Qfb.exe
O4 - HKCU\..\Run: [Oer] C:\WINNT\System32\Upq.exe
O4 - HKCU\..\Run: [Uhg] C:\WINNT\Dml.exe
O4 - HKCU\..\Run: [Eqa] C:\WINNT\Mth.exe
O4 - HKCU\..\Run: [Rdf] C:\WINNT\System32\Mtu.exe
O4 - HKCU\..\Run: [Joj] C:\WINNT\System32\Nkn.exe
O4 - HKCU\..\Run: [Fto] C:\WINNT\Nom.exe
O4 - HKCU\..\Run: [Oha] C:\WINNT\Mtt.exe
O4 - HKCU\..\Run: [Inv] C:\WINNT\Hkm.exe
O4 - HKCU\..\Run: [Uvl] C:\WINNT\System32\Dmp.exe
O4 - HKCU\..\Run: [Keo] C:\WINNT\System32\Qve.exe
O4 - HKCU\..\Run: [Qmb] C:\WINNT\Bpi.exe
O4 - HKCU\..\Run: [Ntq] C:\WINNT\Avc.exe
O4 - HKCU\..\Run: [Fta] C:\WINNT\Klp.exe
O4 - HKCU\..\Run: [Acd] C:\WINNT\Veh.exe
O4 - HKCU\..\Run: [Rfh] C:\WINNT\Bci.exe
O4 - HKCU\..\Run: [Bci] C:\WINNT\System32\Eoj.exe
O4 - HKCU\..\Run: [Eqc] C:\WINNT\Vlm.exe
O4 - HKCU\..\Run: [Thv] C:\WINNT\Sis.exe
O4 - HKCU\..\Run: [Kfp] C:\WINNT\Sbs.exe
O4 - HKCU\..\Run: [Ioa] C:\WINNT\Epq.exe
O4 - HKCU\..\Run: [Sto] C:\WINNT\Bkn.exe
O4 - HKCU\..\Run: [Dae] C:\WINNT\System32\Hnj.exe
O4 - HKCU\..\Run: [Bka] C:\WINNT\Fhu.exe
O4 - HKCU\..\Run: [Boa] C:\WINNT\Vhp.exe
O4 - HKCU\..\Run: [Obd] C:\WINNT\Oqi.exe
O4 - HKCU\..\Run: [Ajr] C:\WINNT\Uoi.exe
O4 - HKCU\..\Run: [Mel] C:\WINNT\System32\Rdb.exe
O4 - HKCU\..\Run: [Jjb] C:\WINNT\Ksk.exe
O4 - HKCU\..\Run: [Ifs] C:\WINNT\System32\Rps.exe
O4 - HKCU\..\Run: [Fib] C:\WINNT\But.exe
O4 - HKCU\..\Run: [Nto] C:\WINNT\System32\Stg.exe
O4 - HKCU\..\Run: [Ugn] C:\WINNT\Fav.exe
O4 - HKCU\..\Run: [Gmq] C:\WINNT\System32\Foq.exe
O4 - HKCU\..\Run: [Cng] C:\WINNT\System32\Gun.exe
O4 - HKCU\..\Run: [Euo] C:\WINNT\Npu.exe
O4 - HKCU\..\Run: [Lbr] C:\WINNT\System32\Tkv.exe
O4 - HKCU\..\Run: [Tnq] C:\WINNT\System32\Eqb.exe
O4 - HKCU\..\Run: [Atp] C:\WINNT\System32\Fss.exe
O4 - HKCU\..\Run: [Qkr] C:\WINNT\Mvn.exe
O4 - HKCU\..\Run: [Boe] C:\WINNT\System32\Cgk.exe
O4 - HKCU\..\Run: [Kgn] C:\WINNT\System32\Ogn.exe
O4 - HKCU\..\Run: [Kcf] C:\WINNT\System32\Nhu.exe
O4 - HKCU\..\Run: [Dcc] C:\WINNT\System32\Vpl.exe
O4 - HKCU\..\Run: [Tck] C:\WINNT\Fok.exe
O4 - HKCU\..\Run: [Uqt] C:\WINNT\Kic.exe
O4 - HKCU\..\Run: [Jvl] C:\WINNT\System32\Lof.exe
O4 - HKCU\..\Run: [Mfh] C:\WINNT\System32\Hii.exe
O4 - HKCU\..\Run: [Fdi] C:\WINNT\System32\Svm.exe
O4 - HKCU\..\Run: [Dtd] C:\WINNT\Vsd.exe
O4 - HKCU\..\Run: [Fqm] C:\WINNT\System32\Pat.exe
O4 - HKCU\..\Run: [Lbu] C:\WINNT\System32\Jpe.exe
O4 - HKCU\..\Run: [Glm] C:\WINNT\System32\Ujq.exe
O4 - HKCU\..\Run: [Clk] C:\WINNT\Qeb.exe
O4 - HKCU\..\Run: [Deh] C:\WINNT\Hhb.exe
O4 - HKCU\..\Run: [Dnl] C:\WINNT\System32\Ieh.exe
O4 - HKCU\..\Run: [Ris] C:\WINNT\Fth.exe
O4 - HKCU\..\Run: [Pfl] C:\WINNT\System32\Hnm.exe
O4 - HKCU\..\Run: [Moi] C:\WINNT\System32\Dgs.exe
O4 - HKCU\..\Run: [Uynrw] C:\WINNT\System32\??rvices.exe
O4 - HKCU\..\Run: [Cscs] C:\Program Files\stha\erei.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.13....chm::/file.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Filter: text/html - {287555BC-4E17-4532-9175-B33C992DE24B} - C:\WINNT\System32\mnk.dll
O18 - Filter: text/plain - {287555BC-4E17-4532-9175-B33C992DE24B} - C:\WINNT\System32\mnk.dll
O20 - Winlogon Notify: draw32 - draw32.dll (file missing)
O21 - SSODL: System - {ACBA39D6-B927-48B7-93C3-8F77B76D5DD3} - memsw.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
  • 0

Advertisements

#2
Rawe
Posted 26 June 2005 - 04:33 PM

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
I'm now working on your log..
I'll get back to you later,
just have to check my fix with the experts.
Thanks for your patience..

- Rawe :tazz:
  • 0

#3
Rawe
Posted 27 June 2005 - 07:54 AM

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Hi again! Sorry for the delayed answer..

Let's get started.

First,
I want you to check that you have all needed updates.
Windows Updates, browser updates, software updates. All.

Next, please read all carefully;

Please print these instructions out, or write them down, as you can't read them during the fix.

Download & install these programs;
- Spybot S&D

- Ad-Aware SE Personal, Build 1.06 {In case you have an old version/build of this program or any other of these programs running, please then uninstall them before installing the new ones.}

- Clean Up

- About:buster

Unzip the contents of AboutBuster.zip and an About:Buster directory will be created.
- Launch About:Buster
- Click "Ok" at the prompt with instructions.
- Click "Update" and then "Check For Update" to launch the update process.
- If any updates exist please download them by clicking "Download Update". After this, exit the updating window.
- Now please close About:Buster
Run Ad-aware & SpyBot S&D now.
Here's tutorials if needed;

=> An tutorial for SpyBot
=> An tutorial for Ad-aware

Please run the programs as instructed.

Next, download CWShredder v 2.15
When installed, launch it, check for any updates, and close it. Don't Run A Scan Yet!
Please run at least three of these free online scans here;
- Trend Micro
- BitDefender
- RAV
- Kaspersky
- Jotti Virusscan
- F-secure
Now run CWShredder, use the "Fix"- button.
Please boot into Safe Mode. Disconnect from the internet {for broadband/cable users, it is recommended to disconnect the cable connection}

While rebooting, tap F8 until your computer shows an menu. Select Safe Mode.
Once your windows has loaded,

please run About:Buster;

Click "Start" and then "OK" to allow AboutBuster to scan for Alternate Data Streams.
Click "Yes" to allow it to shutdown explorer.exe.
It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
When it has finished, click Save Log. Make sure you save it.
When the scan has finished, please reboot your computer to Safe Mode again.

Ok, now run About:Buster again without the reboot in the end.

After that,
close all open windows and/or open browsers, making sure that
only HJT is running. Just hit the button to "Scan". When the scan has finished, please check these objects for removal (if present);

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {0952164D-FFDB-8601-A5C8-876DA647B2BC} - C:\WINNT\System32\hta.dll
O2 - BHO: (no name) - {095DB814-1EA0-45AC-8282-996F63C41DA7} - C:\WINNT\System32\mnk.dll (file missing)
O2 - BHO: (no name) - {7A521639-FFA8-F101-A5C1-F66DA545B2BC} - C:\WINNT\System32\hta.dll
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [wscsvc.exe] C:\WINNT\wscsvc.exe
O4 - HKLM\..\Run: [Eps] C:\WINNT\Oll.exe
O4 - HKLM\..\Run: [Ogl] C:\WINNT\Tog.exe
O4 - HKLM\..\Run: [Eso] C:\WINNT\Cne.exe
O4 - HKLM\..\Run: [Tpe] C:\WINNT\Vcj.exe
O4 - HKLM\..\Run: [Nqu] C:\WINNT\System32\Tsj.exe
O4 - HKLM\..\Run: [Klt] C:\WINNT\Div.exe
O4 - HKLM\..\Run: [Cnq] C:\WINNT\System32\Mov.exe
O4 - HKLM\..\Run: [Fbq] C:\WINNT\System32\Hne.exe
O4 - HKLM\..\Run: [Ghh] C:\WINNT\System32\Jlo.exe
O4 - HKLM\..\Run: [Ibf] C:\WINNT\Kih.exe
O4 - HKLM\..\Run: [Tlj] C:\WINNT\Lhl.exe
O4 - HKLM\..\Run: [Onl] C:\WINNT\Kpb.exe
O4 - HKLM\..\Run: [Qnl] C:\WINNT\System32\Bui.exe
O4 - HKLM\..\Run: [Ipc] C:\WINNT\System32\Cdm.exe
O4 - HKLM\..\Run: [Jvg] C:\WINNT\System32\Qfb.exe
O4 - HKLM\..\Run: [Oer] C:\WINNT\System32\Upq.exe
O4 - HKLM\..\Run: [Uhg] C:\WINNT\Dml.exe
O4 - HKLM\..\Run: [Eqa] C:\WINNT\Mth.exe
O4 - HKLM\..\Run: [Rdf] C:\WINNT\System32\Mtu.exe
O4 - HKLM\..\Run: [Joj] C:\WINNT\System32\Nkn.exe
O4 - HKLM\..\Run: [Fto] C:\WINNT\Nom.exe
O4 - HKLM\..\Run: [Oha] C:\WINNT\Mtt.exe
O4 - HKLM\..\Run: [Inv] C:\WINNT\Hkm.exe
O4 - HKLM\..\Run: [Uvl] C:\WINNT\System32\Dmp.exe
O4 - HKLM\..\Run: [Keo] C:\WINNT\System32\Qve.exe
O4 - HKLM\..\Run: [Qmb] C:\WINNT\Bpi.exe
O4 - HKLM\..\Run: [Ntq] C:\WINNT\Avc.exe
O4 - HKLM\..\Run: [Fta] C:\WINNT\Klp.exe
O4 - HKLM\..\Run: [Acd] C:\WINNT\Veh.exe
O4 - HKLM\..\Run: [Rfh] C:\WINNT\Bci.exe
O4 - HKLM\..\Run: [Bci] C:\WINNT\System32\Eoj.exe
O4 - HKLM\..\Run: [Eqc] C:\WINNT\Vlm.exe
O4 - HKLM\..\Run: [Thv] C:\WINNT\Sis.exe
O4 - HKLM\..\Run: [Kfp] C:\WINNT\Sbs.exe
O4 - HKLM\..\Run: [Ioa] C:\WINNT\Epq.exe
O4 - HKLM\..\Run: [Sto] C:\WINNT\Bkn.exe
O4 - HKLM\..\Run: [Dae] C:\WINNT\System32\Hnj.exe
O4 - HKLM\..\Run: [Bka] C:\WINNT\Fhu.exe
O4 - HKLM\..\Run: [Boa] C:\WINNT\Vhp.exe
O4 - HKLM\..\Run: [Obd] C:\WINNT\Oqi.exe
O4 - HKLM\..\Run: [Ajr] C:\WINNT\Uoi.exe
O4 - HKLM\..\Run: [Mel] C:\WINNT\System32\Rdb.exe
O4 - HKLM\..\Run: [Jjb] C:\WINNT\Ksk.exe
O4 - HKLM\..\Run: [Ifs] C:\WINNT\System32\Rps.exe
O4 - HKLM\..\Run: [Fib] C:\WINNT\But.exe
O4 - HKLM\..\Run: [Nto] C:\WINNT\System32\Stg.exe
O4 - HKLM\..\Run: [Ugn] C:\WINNT\Fav.exe
O4 - HKLM\..\Run: [Gmq] C:\WINNT\System32\Foq.exe
O4 - HKLM\..\Run: [Cng] C:\WINNT\System32\Gun.exe
O4 - HKLM\..\Run: [Euo] C:\WINNT\Npu.exe
O4 - HKLM\..\Run: [Lbr] C:\WINNT\System32\Tkv.exe
O4 - HKLM\..\Run: [Tnq] C:\WINNT\System32\Eqb.exe
O4 - HKLM\..\Run: [Atp] C:\WINNT\System32\Fss.exe
O4 - HKLM\..\Run: [Qkr] C:\WINNT\Mvn.exe
O4 - HKLM\..\Run: [Boe] C:\WINNT\System32\Cgk.exe
O4 - HKLM\..\Run: [Kgn] C:\WINNT\System32\Ogn.exe
O4 - HKLM\..\Run: [Kcf] C:\WINNT\System32\Nhu.exe
O4 - HKLM\..\Run: [Dcc] C:\WINNT\System32\Vpl.exe
O4 - HKLM\..\Run: [Tck] C:\WINNT\Fok.exe
O4 - HKLM\..\Run: [Uqt] C:\WINNT\Kic.exe
O4 - HKLM\..\Run: [Jvl] C:\WINNT\System32\Lof.exe
O4 - HKLM\..\Run: [Mfh] C:\WINNT\System32\Hii.exe
O4 - HKLM\..\Run: [Fdi] C:\WINNT\System32\Svm.exe
O4 - HKLM\..\Run: [Dtd] C:\WINNT\Vsd.exe
O4 - HKLM\..\Run: [Fqm] C:\WINNT\System32\Pat.exe
O4 - HKLM\..\Run: [Lbu] C:\WINNT\System32\Jpe.exe
O4 - HKLM\..\Run: [Glm] C:\WINNT\System32\Ujq.exe
O4 - HKLM\..\Run: [Clk] C:\WINNT\Qeb.exe
O4 - HKLM\..\Run: [Deh] C:\WINNT\Hhb.exe
O4 - HKLM\..\Run: [Dnl] C:\WINNT\System32\Ieh.exe
O4 - HKLM\..\Run: [Ris] C:\WINNT\Fth.exe
O4 - HKLM\..\Run: [Pfl] C:\WINNT\System32\Hnm.exe
O4 - HKLM\..\Run: [Moi] C:\WINNT\System32\Dgs.exe
O4 - HKCU\..\Run: [d0qpRXH4l] chkelib.exe
O4 - HKCU\..\Run: [Eps] C:\WINNT\Oll.exe
O4 - HKCU\..\Run: [Vle] C:\WINNT\Iam.exe
O4 - HKCU\..\Run: [Ogl] C:\WINNT\Tog.exe
O4 - HKCU\..\Run: [Eso] C:\WINNT\Cne.exe
O4 - HKCU\..\Run: [Tpe] C:\WINNT\Vcj.exe
O4 - HKCU\..\Run: [Nqu] C:\WINNT\System32\Tsj.exe
O4 - HKCU\..\Run: [Klt] C:\WINNT\Div.exe
O4 - HKCU\..\Run: [Cnq] C:\WINNT\System32\Mov.exe
O4 - HKCU\..\Run: [Fbq] C:\WINNT\System32\Hne.exe
O4 - HKCU\..\Run: [Ghh] C:\WINNT\System32\Jlo.exe
O4 - HKCU\..\Run: [Ibf] C:\WINNT\Kih.exe
O4 - HKCU\..\Run: [Tlj] C:\WINNT\Lhl.exe
O4 - HKCU\..\Run: [Onl] C:\WINNT\Kpb.exe
O4 - HKCU\..\Run: [Qnl] C:\WINNT\System32\Bui.exe
O4 - HKCU\..\Run: [Ipc] C:\WINNT\System32\Cdm.exe
O4 - HKCU\..\Run: [Jvg] C:\WINNT\System32\Qfb.exe
O4 - HKCU\..\Run: [Oer] C:\WINNT\System32\Upq.exe
O4 - HKCU\..\Run: [Uhg] C:\WINNT\Dml.exe
O4 - HKCU\..\Run: [Eqa] C:\WINNT\Mth.exe
O4 - HKCU\..\Run: [Rdf] C:\WINNT\System32\Mtu.exe
O4 - HKCU\..\Run: [Joj] C:\WINNT\System32\Nkn.exe
O4 - HKCU\..\Run: [Fto] C:\WINNT\Nom.exe
O4 - HKCU\..\Run: [Oha] C:\WINNT\Mtt.exe
O4 - HKCU\..\Run: [Inv] C:\WINNT\Hkm.exe
O4 - HKCU\..\Run: [Uvl] C:\WINNT\System32\Dmp.exe
O4 - HKCU\..\Run: [Keo] C:\WINNT\System32\Qve.exe
O4 - HKCU\..\Run: [Qmb] C:\WINNT\Bpi.exe
O4 - HKCU\..\Run: [Ntq] C:\WINNT\Avc.exe
O4 - HKCU\..\Run: [Fta] C:\WINNT\Klp.exe
O4 - HKCU\..\Run: [Acd] C:\WINNT\Veh.exe
O4 - HKCU\..\Run: [Rfh] C:\WINNT\Bci.exe
O4 - HKCU\..\Run: [Bci] C:\WINNT\System32\Eoj.exe
O4 - HKCU\..\Run: [Eqc] C:\WINNT\Vlm.exe
O4 - HKCU\..\Run: [Thv] C:\WINNT\Sis.exe
O4 - HKCU\..\Run: [Kfp] C:\WINNT\Sbs.exe
O4 - HKCU\..\Run: [Ioa] C:\WINNT\Epq.exe
O4 - HKCU\..\Run: [Sto] C:\WINNT\Bkn.exe
O4 - HKCU\..\Run: [Dae] C:\WINNT\System32\Hnj.exe
O4 - HKCU\..\Run: [Bka] C:\WINNT\Fhu.exe
O4 - HKCU\..\Run: [Boa] C:\WINNT\Vhp.exe
O4 - HKCU\..\Run: [Obd] C:\WINNT\Oqi.exe
O4 - HKCU\..\Run: [Ajr] C:\WINNT\Uoi.exe
O4 - HKCU\..\Run: [Mel] C:\WINNT\System32\Rdb.exe
O4 - HKCU\..\Run: [Jjb] C:\WINNT\Ksk.exe
O4 - HKCU\..\Run: [Ifs] C:\WINNT\System32\Rps.exe
O4 - HKCU\..\Run: [Fib] C:\WINNT\But.exe
O4 - HKCU\..\Run: [Nto] C:\WINNT\System32\Stg.exe
O4 - HKCU\..\Run: [Ugn] C:\WINNT\Fav.exe
O4 - HKCU\..\Run: [Gmq] C:\WINNT\System32\Foq.exe
O4 - HKCU\..\Run: [Cng] C:\WINNT\System32\Gun.exe
O4 - HKCU\..\Run: [Euo] C:\WINNT\Npu.exe
O4 - HKCU\..\Run: [Lbr] C:\WINNT\System32\Tkv.exe
O4 - HKCU\..\Run: [Tnq] C:\WINNT\System32\Eqb.exe
O4 - HKCU\..\Run: [Atp] C:\WINNT\System32\Fss.exe
O4 - HKCU\..\Run: [Qkr] C:\WINNT\Mvn.exe
O4 - HKCU\..\Run: [Boe] C:\WINNT\System32\Cgk.exe
O4 - HKCU\..\Run: [Kgn] C:\WINNT\System32\Ogn.exe
O4 - HKCU\..\Run: [Kcf] C:\WINNT\System32\Nhu.exe
O4 - HKCU\..\Run: [Dcc] C:\WINNT\System32\Vpl.exe
O4 - HKCU\..\Run: [Tck] C:\WINNT\Fok.exe
O4 - HKCU\..\Run: [Uqt] C:\WINNT\Kic.exe
O4 - HKCU\..\Run: [Jvl] C:\WINNT\System32\Lof.exe
O4 - HKCU\..\Run: [Mfh] C:\WINNT\System32\Hii.exe
O4 - HKCU\..\Run: [Fdi] C:\WINNT\System32\Svm.exe
O4 - HKCU\..\Run: [Dtd] C:\WINNT\Vsd.exe
O4 - HKCU\..\Run: [Fqm] C:\WINNT\System32\Pat.exe
O4 - HKCU\..\Run: [Lbu] C:\WINNT\System32\Jpe.exe
O4 - HKCU\..\Run: [Glm] C:\WINNT\System32\Ujq.exe
O4 - HKCU\..\Run: [Clk] C:\WINNT\Qeb.exe
O4 - HKCU\..\Run: [Deh] C:\WINNT\Hhb.exe
O4 - HKCU\..\Run: [Dnl] C:\WINNT\System32\Ieh.exe
O4 - HKCU\..\Run: [Ris] C:\WINNT\Fth.exe
O4 - HKCU\..\Run: [Pfl] C:\WINNT\System32\Hnm.exe
O4 - HKCU\..\Run: [Moi] C:\WINNT\System32\Dgs.exe
O4 - HKCU\..\Run: [Uynrw] C:\WINNT\System32\??rvices.exe
O4 - HKCU\..\Run: [Cscs] C:\Program Files\stha\erei.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.13....chm::/file.exe
O18 - Filter: text/html - {287555BC-4E17-4532-9175-B33C992DE24B} - C:\WINNT\System32\mnk.dll
O18 - Filter: text/plain - {287555BC-4E17-4532-9175-B33C992DE24B} - C:\WINNT\System32\mnk.dll
O20 - Winlogon Notify: draw32 - draw32.dll (file missing)
O21 - SSODL: System - {ACBA39D6-B927-48B7-93C3-8F77B76D5DD3} - memsw.dll (file missing)

Make sure that the above mentioned objects are all checked, then click "Fix Checked".

After the fixes,
run HiJackThis;

1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following;
C:\WINNT\System32\??rvices.exe
C:\Program Files\stha\erei.exe
C:\WINNT\wscsvc.exe
C:\WINNT\loadqm.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

Using Windows Explorer, locate the following files and delete them (if found);
C:\Program Files\stha\erei.exe
C:\WINNT\System32\??rvices.exe
C:\winstall.exe
C:\WINNT\System32\hta.dll
C:\WINNT\System32\mnk.dll

If you could, please now run CWShredder v 2.15 again.
Use the "Fix" button again.

After that, run CleanUp.
It will ask you to reboot to finish the cleaning,
please do so.

Once your computer has loaded, run a scan with HJT, and post that scanlog here along with the log from About:Buster.
When your scan has finished connect back to the internet and post the results.

- Rawe :tazz:

If you have anything to ask, please don't hesitate to ask.
Also, if you can't for some reason finish a step, then please move on to the next step.
  • 0

#4
_Jen
Posted 28 June 2005 - 03:25 PM

_Jen

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Ok here is my hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 2:20:17 PM, on 6/28/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\CTSvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
C:\unzipped\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WUSB11B.exe] C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

And heres what it have me after i ran about:buster..

AboutBuster 5.0 reference file 30
Scan started on [6/28/2005] at [2:21:58 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 2:22:01 PM
  • 0

#5
Rawe
Posted 28 June 2005 - 04:17 PM

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Hi again!

Looks a LOT better!

How is your system running?

Run HJT and check these objects for removal;

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

Please close any other open windows and/or open browsers, make sure that the above mentioned objects are checked and click "Fix Checked".

After the fixes,

using Windows Explorer, locate the following file and delete it (if found);

C:\WINNT\web\related.htm


Please empty your trash/recycle bin.


Reboot your PC, run a new scan with HJT and post a fresh log here.


- Rawe :tazz:
  • 0

#6
_Jen
Posted 28 June 2005 - 04:41 PM

_Jen

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Logfile of HijackThis v1.99.1
Scan saved at 3:32:27 PM, on 6/28/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\CTSvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
C:\unzipped\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WUSB11B.exe] C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe


Every thing is back to normal, spysheriff isnt showing up anymore but i still have the "system stopped blah blah.." thing as my wallpaper...
  • 0

#7
Rawe
Posted 29 June 2005 - 06:38 AM

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Hi again, Jen!

Sorry for the little delayed reply..

For your Desktop.

Copy and paste text in the box below to an empty notepad file.

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoViewContextMenu"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoViewContextMenu"=-
"NoActiveDesktop"=-
"ForceActiveDesktopOn"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=-
"NoComponents"=-
"NoAddingComponents"=-
"NoDeletingComponents"=-
"NoEditingComponents"=-
"NoHTMLWallpaper"=-



Name it as an fixdt.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixdt.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Merge with the registry, confirm with yes.

Then reboot your PC.

You should now be able to change your wallpaper.

Post back & let me know how did it go.

- Rawe :tazz:
  • 0

#8
_Jen
Posted 29 June 2005 - 02:27 PM

_Jen

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Yup, that worked, my desktop is back to normal.


Thankyou so much for all your help, you're seriously a life saver.
  • 0

#9
Rawe
Posted 29 June 2005 - 02:35 PM

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Good job! You're malware free now! (well, at least your PC is.. ;) )

Here are some tips to keep your machine clean..


Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program<= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kapersky, this is a must have.
  • Firewall<= A firewall is definatley a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser<= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
And also see TonyKlein's good advice
So how did I get infected in the first place?

{Also note that you do not need HJT anymore, so you can uninstall it from your computer if you wish.}

- Rawe :tazz:
  • 0

#10
Guest_usetobe_*
Posted 29 June 2005 - 03:01 PM

Guest_usetobe_*
  • Guest
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP