mszx23, clicksearchclick, and other spyware [RESOLVED]



#1
Motor City's Finest

I've been waiting for help for the longest. Can somebody please give me some attention? My computer is only getting worse.


My HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 10:42:57 PM, on 6/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\program files\mcafee.com\vso\mcvsshld.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\Services\{6C5DD71A-8034-4CF7-B497-138DC7DCAE60}\SVCHOST.EXE
C:\WINDOWS\System32\mszx23.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Adam\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksear...index.php?aff=9
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll (file missing)
O2 - BHO: (no name) - {6C5616C5-C6FC-BC6F-0F3A-379A7FC10E34} - C:\WINDOWS\System32\R497p329.dll
O2 - BHO: (no name) - {D4C0826A-6CF0-3C09-F8FA-1013358966E4} - C:\WINDOWS\System32\jxowcnv.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [scvhost.exe] scvhost.exe
O4 - HKLM\..\Run: [clyjycqomrwn] C:\WINDOWS\System32\haelhl.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [ouArQW.exe] C:\documents and settings\adam\local settings\temp\ouArQW.exe
O4 - HKLM\..\Run: [0peuGbPL.exe] C:\documents and settings\adam\local settings\temp\0peuGbPL.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Cxe0o.exe
O4 - HKLM\..\Run: [epx] C:\WINDOWS\system32\epx.exe
O4 - HKLM\..\Run: [lm.exe] C:\documents and settings\adam\local settings\temp\lm.exe
O4 - HKLM\..\Run: [enfE.exe] C:\documents and settings\adam\local settings\temp\enfE.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [vs3R36Q] penrdsvr.exe
O4 - HKLM\..\Run: [Microsoft Outrunner H20] C:\WINDOWS\system32\Microsoft Outrunner\OUTRUNNER.exe /start
O4 - HKLM\..\Run: [Ihf] C:\WINDOWS\Lur.exe
O4 - HKLM\..\Run: [atipatxx] C:\WINDOWS\System32\atipatxx.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
O4 - HKLM\..\Run: [Vld] C:\WINDOWS\Iar.exe
O4 - HKLM\..\Run: [Jdg] C:\WINDOWS\Pnj.exe
O4 - HKLM\..\Run: [Gfj] C:\WINDOWS\System32\Knp.exe
O4 - HKLM\..\Run: [Cct] C:\WINDOWS\Jlq.exe
O4 - HKLM\..\Run: [Pbj] C:\WINDOWS\Sik.exe
O4 - HKLM\..\Run: [Urt] C:\WINDOWS\Alr.exe
O4 - HKLM\..\Run: [Coc] C:\WINDOWS\System32\Hpa.exe
O4 - HKLM\..\Run: [Qvr] C:\WINDOWS\Mkk.exe
O4 - HKLM\..\Run: [Knj] C:\WINDOWS\Mll.exe
O4 - HKLM\..\Run: [Vfd] C:\WINDOWS\System32\Nol.exe
O4 - HKLM\..\Run: [Cpq] C:\WINDOWS\System32\Ivc.exe
O4 - HKLM\..\Run: [Jkvxkalt] c:\Program Files\Ddrz\Fkmnmwo.exe
O4 - HKLM\..\Run: [Exmmj] c:\Program Files\Izwafyz\Jdnyjto.exe
O4 - HKLM\..\Run: [PerformCl] C:\WINDOWS\System32\perfcl.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{6C5DD71A-8034-4CF7-B497-138DC7DCAE60}\SVCHOST.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{6C5DD71A-8034-4CF7-B497-138DC7DCAE60}\SECURITY.EXE
O4 - HKLM\..\RunServices: [scvhost.exe] scvhost.exe
O4 - HKLM\..\RunServices: [atipatxx] C:\WINDOWS\System32\atipatxx.exe
O4 - HKCU\..\Run: [eBs5RWcth] uxtlogon.exe
O4 - HKCU\..\Run: [Ihf] C:\WINDOWS\Lur.exe
O4 - HKCU\..\Run: [atipatxx] C:\WINDOWS\System32\atipatxx.exe
O4 - HKCU\..\Run: [Vld] C:\WINDOWS\Iar.exe
O4 - HKCU\..\Run: [Jdg] C:\WINDOWS\Pnj.exe
O4 - HKCU\..\Run: [Gfj] C:\WINDOWS\System32\Knp.exe
O4 - HKCU\..\Run: [Cct] C:\WINDOWS\Jlq.exe
O4 - HKCU\..\Run: [Pbj] C:\WINDOWS\Sik.exe
O4 - HKCU\..\Run: [Urt] C:\WINDOWS\Alr.exe
O4 - HKCU\..\Run: [Coc] C:\WINDOWS\System32\Hpa.exe
O4 - HKCU\..\Run: [Qvr] C:\WINDOWS\Mkk.exe
O4 - HKCU\..\Run: [Knj] C:\WINDOWS\Mll.exe
O4 - HKCU\..\Run: [Vfd] C:\WINDOWS\System32\Nol.exe
O4 - HKCU\..\Run: [Cpq] C:\WINDOWS\System32\Ivc.exe
O4 - HKCU\..\Run: [System] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DR_S] C:\Program Files\DR_S\DR_S.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Microsoft AntiSpyware helper - {1D021922-ACB6-45E2-B2E4-A63D1225AB68} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {1D021922-ACB6-45E2-B2E4-A63D1225AB68} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {A2D60B08-196A-4D91-A225-55A9607AFF4C} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A2D60B08-196A-4D91-A225-55A9607AFF4C} - (no file) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {CA79D501-CD69-4F87-A0C0-56D51F799702} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {CA79D501-CD69-4F87-A0C0-56D51F799702} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {F8948EC2-1D89-41F9-87E3-E4466472928A} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F8948EC2-1D89-41F9-87E3-E4466472928A} - (no file) (HKCU)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted IP range: 64.127.104.144
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c15.cab
O16 - DPF: {163ACFA8-CD79-0E4A-FDF9-2E18581561F0} - http://69.50.182.94/1/gdnUS1096.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com...ia/OTXMedia.dll
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: f3dsl - lsd_f3.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ntfs32 - C:\WINDOWS\SYSTEM32\ntfs32.dll
O21 - SSODL: Web Event Logger - {7CFBACFF-EE01-1231-ABDD-416592E5D639} - C:\WINDOWS\System32\Cnmfgnph.dll
O21 - SSODL: xwjAsiJh - {6C5616BF-C6FC-BC15-55B6-26AE7FC10E31} - C:\WINDOWS\System32\ahob.dll
O23 - Service: AntiVir Update (AVWUpSrv) - Unknown owner - C:\Program Files\AVPersonal\AVWUPSRV.EXE (file missing)
O23 - Service: Provides three management service (FreeBSD) - Unknown owner - C:\WINDOWS\System32\dev32.exe (file missing)
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: Debug oupost relations (LAGOS) - Unknown owner - C:\WINDOWS\System32\ahtun.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
#2
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi Motor City's Finest

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Please download and install AD-Aware.
Check here on how to set up and use it; please make sure you update it first. Don't run it yet.

Download Pocket Killbox and unzip it; save it to your Desktop. We may need it later.

Please download SpyBot V1.4 http://www.majorgeek...wnload2471.html Update the program then run it.

Download Ewido Trojan and malware remover: http://www.ewido.net/en/download/
This setup contains the free as well as the plus-version of the ewido security suite. After the installation, a free 14-day test version containing all the extensions of the plus-version will be activated. At the end of the test phase, the extensions of the plus version are deactivated and the freeware version can be used unlimited times. The purchased license code of the plus version can be entered at any time.
Ewido will auto-update. Don't run it yet.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Run Ewido full scan. Save the scan.log.

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksear...index.php?aff=9
R3 - Default URLSearchHook is missing
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll (file missing)
O2 - BHO: (no name) - {6C5616C5-C6FC-BC6F-0F3A-379A7FC10E34} - C:\WINDOWS\System32\R497p329.dll
O2 - BHO: (no name) - {D4C0826A-6CF0-3C09-F8FA-1013358966E4} - C:\WINDOWS\System32\jxowcnv.dll (file missing)
O4 - HKLM\..\Run: [scvhost.exe] scvhost.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [ouArQW.exe] C:\documents and settings\adam\local settings\temp\ouArQW.exe
O4 - HKLM\..\Run: [0peuGbPL.exe] C:\documents and settings\adam\local settings\temp\0peuGbPL.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Cxe0o.exe
O4 - HKLM\..\Run: [epx] C:\WINDOWS\system32\epx.exe
O4 - HKLM\..\Run: [lm.exe] C:\documents and settings\adam\local settings\temp\lm.exe
O4 - HKLM\..\Run: [enfE.exe] C:\documents and settings\adam\local settings\temp\enfE.exe
O4 - HKLM\..\Run: [vs3R36Q] penrdsvr.exe
O4 - HKLM\..\Run: [Ihf] C:\WINDOWS\Lur.exe
O4 - HKLM\..\Run: [atipatxx] C:\WINDOWS\System32\atipatxx.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
O4 - HKLM\..\Run: [Vld] C:\WINDOWS\Iar.exe
O4 - HKLM\..\Run: [Jdg] C:\WINDOWS\Pnj.exe
O4 - HKLM\..\Run: [Gfj] C:\WINDOWS\System32\Knp.exe
O4 - HKLM\..\Run: [Cct] C:\WINDOWS\Jlq.exe
O4 - HKLM\..\Run: [Pbj] C:\WINDOWS\Sik.exe
O4 - HKLM\..\Run: [Urt] C:\WINDOWS\Alr.exe
O4 - HKLM\..\Run: [Coc] C:\WINDOWS\System32\Hpa.exe
O4 - HKLM\..\Run: [Qvr] C:\WINDOWS\Mkk.exe
O4 - HKLM\..\Run: [Knj] C:\WINDOWS\Mll.exe
O4 - HKLM\..\Run: [Vfd] C:\WINDOWS\System32\Nol.exe
O4 - HKLM\..\Run: [Cpq] C:\WINDOWS\System32\Ivc.exe
O4 - HKLM\..\Run: [Jkvxkalt] c:\Program Files\Ddrz\Fkmnmwo.exe
O4 - HKLM\..\Run: [Exmmj] c:\Program Files\Izwafyz\Jdnyjto.exe
O4 - HKLM\..\Run: [PerformCl] C:\WINDOWS\System32\perfcl.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{6C5DD71A-8034-4CF7-B497-138DC7DCAE60}\SVCHOST.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{6C5DD71A-8034-4CF7-B497-138DC7DCAE60}\SECURITY.EXE
O4 - HKLM\..\RunServices: [scvhost.exe] scvhost.exe
O4 - HKLM\..\RunServices: [atipatxx] C:\WINDOWS\System32\atipatxx.exe
O4 - HKCU\..\Run: [eBs5RWcth] uxtlogon.exe
O4 - HKCU\..\Run: [Ihf] C:\WINDOWS\Lur.exe
O4 - HKCU\..\Run: [atipatxx] C:\WINDOWS\System32\atipatxx.exe
O4 - HKCU\..\Run: [Vld] C:\WINDOWS\Iar.exe
O4 - HKCU\..\Run: [Jdg] C:\WINDOWS\Pnj.exe
O4 - HKCU\..\Run: [Gfj] C:\WINDOWS\System32\Knp.exe
O4 - HKCU\..\Run: [Cct] C:\WINDOWS\Jlq.exe
O4 - HKCU\..\Run: [Pbj] C:\WINDOWS\Sik.exe
O4 - HKCU\..\Run: [Urt] C:\WINDOWS\Alr.exe
O4 - HKCU\..\Run: [Coc] C:\WINDOWS\System32\Hpa.exe
O4 - HKCU\..\Run: [Qvr] C:\WINDOWS\Mkk.exe
O4 - HKCU\..\Run: [Knj] C:\WINDOWS\Mll.exe
O4 - HKCU\..\Run: [Vfd] C:\WINDOWS\System32\Nol.exe
O4 - HKCU\..\Run: [Cpq] C:\WINDOWS\System32\Ivc.exe
O4 - HKCU\..\Run: [System] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [DR_S] C:\Program Files\DR_S\DR_S.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted IP range: 64.127.104.144
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c15.cab
O16 - DPF: {163ACFA8-CD79-0E4A-FDF9-2E18581561F0} - http://69.50.182.94/1/gdnUS1096.exe
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com...ia/OTXMedia.dll
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: f3dsl - lsd_f3.dll (file missing)
O20 - Winlogon Notify: ntfs32 - C:\WINDOWS\SYSTEM32\ntfs32.dll
O21 - SSODL: Web Event Logger - {7CFBACFF-EE01-1231-ABDD-416592E5D639} - C:\WINDOWS\System32\Cnmfgnph.dll
O21 - SSODL: xwjAsiJh - {6C5616BF-C6FC-BC15-55B6-26AE7FC10E31} - C:\WINDOWS\System32\ahob.dll
O23 - Service: Debug oupost relations (LAGOS) - Unknown owner - C:\WINDOWS\System32\ahtun.exe (file missing)

Click on Fix Checked when finished and exit HijackThis.

Run Ad-Aware SE and let it remove all it finds.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *OK* to remove them.

Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
C:\WINDOWS\System32\Services\{6C5DD71A-8034-4CF7-B497-138DC7DCAE60}\SVCHOST.EXE
C:\WINDOWS\System32\mszx23.exe
C:\WINDOWS\System32\R497p329.dll
C:\Program Files\VVSN\VVSN.exe
C:\documents and settings\adam\local settings\temp\ouArQW.exe
C:\documents and settings\adam\local settings\temp\0peuGbPL.exe
C:\WINDOWS\System32\Cxe0o.exe
C:\WINDOWS\system32\epx.exe
C:\documents and settings\adam\local settings\temp\lm.exe
C:\documents and settings\adam\local settings\temp\enfE.exe
C:\WINDOWS\penrdsvr.exe
C:\WINDOWS\Lur.exe
C:\WINDOWS\System32\atipatxx.exe
C:\WINDOWS\System32\winldra.exe
C:\WINDOWS\Iar.exe
C:\WINDOWS\Pnj.exe
C:\WINDOWS\System32\Knp.exe
C:\WINDOWS\Jlq.exe
C:\WINDOWS\Sik.exe
C:\WINDOWS\Alr.exe
C:\WINDOWS\System32\Hpa.exe
C:\WINDOWS\Mkk.exe
C:\WINDOWS\Mll.exe
C:\WINDOWS\System32\Nol.exe
C:\WINDOWS\System32\Ivc.exe
c:\Program Files\Ddrz\Fkmnmwo.exe
c:\Program Files\Izwafyz\Jdnyjto.exe
C:\WINDOWS\System32\perfcl.exe
C:\WINDOWS\System32\Services\{6C5DD71A-8034-4CF7-B497-138DC7DCAE60}\SECURITY.EXE
C:\Program Files\DR_S\DR_S.exe
C:\WINDOWS\sfita.exe
C:\WINDOWS\SYSTEM32\drct16.dll
C:\WINDOWS\SYSTEM32\ntfs32.dll
C:\WINDOWS\System32\Cnmfgnph.dll
C:\WINDOWS\System32\ahob.dll

Let the system reboot.

Please download, install and run this disk cleanup utility called Cleanup version 4.0!: http://downloads.ste...p/CleanUp40.exe
It will get rid of any malware which may be hiding in your temp folders ( a common hiding place). You will also regain a massive amount of disk space. Here is a tutorial which describes its usage: http://www.bleepingc...tutorial93.html
Check the custom settings to your liking under Options, but be sure to delete temporary files and temporary internet files for all user profiles. Also, clean out the Prefetch folder and the Recycle Bin. When the scan has finished, click the Close button.
When prompted, the system will log off to let it clean out the remaining files. When the logon screen shows, log back on and continue the fix.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
Please post the logs from Panda, Ewido and HJT.log. We will need them to remove previous infections that have left files on your system.

Kc :tazz:
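The fix above is the result of reading the posted log entry by entry and asking the same few questions of each line: does an autorun launch from a temp folder, is a system-process name used from the wrong directory (or misspelled), which Winlogon Notify DLLs are not known, which Trusted Zone entries and orphaned services are present. The following is an added example, not code from the thread or from HijackThis, that applies those questions to HijackThis-format lines; the sample log is constructed from entries in this thread, and the allowlist of known Winlogon Notify packages and the lookalike-name list are assumptions of the example.

```python
"""Triage heuristics for HijackThis-format log lines (added example, not HijackThis code)."""
import re
from typing import List, Tuple

# Constructed sample in the shape of the logs in this thread: clean entries mixed with flagged ones.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [scvhost.exe] scvhost.exe
O4 - HKLM\..\Run: [ouArQW.exe] C:\documents and settings\adam\local settings\temp\ouArQW.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{6C5DD71A-8034-4CF7-B497-138DC7DCAE60}\SVCHOST.EXE
O4 - HKCU\..\Run: [System] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Adam\LOCALS~1\Temp\se.dll,DllInstall
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted IP range: 64.127.104.144
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ntfs32 - C:\WINDOWS\SYSTEM32\ntfs32.dll
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: Debug oupost relations (LAGOS) - Unknown owner - C:\WINDOWS\System32\ahtun.exe (file missing)
"""

# Line formats as HijackThis 1.99 prints them (O4 autoruns, O15 trusted sites, O20 Winlogon Notify, O23 services).
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted (?P<kind>Zone|IP range): (?P<target>\S+)")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$")
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.*?) - (?P<owner>.*?) - (?P<path>.*?)(?P<missing> \(file missing\))?$")
# Program (or DLL) at the front of a Run command, with or without quotes, before any arguments.
PATH_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|com|scr))\b', re.IGNORECASE)

# Where the genuine XP binaries of these names live (lower-cased for comparison).
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32", "lsass.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32", "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32", "explorer.exe": r"c:\windows",
}
# scvhost.exe appears in the log; the other two are constructed typo-squats (assumption).
LOOKALIKES = {"scvhost.exe", "svch0st.exe", "lsas.exe"}
# Allowlist of Winlogon Notify packages, built from the clean lines in the log (assumption).
KNOWN_NOTIFY = {"igfxcui"}


def program_path(cmd: str) -> str:
    """Return the program a Run command launches, without surrounding quotes or trailing arguments."""
    m = PATH_RE.match(cmd.strip())
    if m:
        return m.group("path")
    # No recognised extension (e.g. "%systemroot%\system32\dumprep 0 -k"): take the first token.
    return cmd.strip().split(" ")[0].strip('"')


def check_run(cmd: str) -> List[str]:
    """Heuristics for one O4 autorun command; returns the reasons it looks suspicious (empty if none)."""
    low = program_path(cmd).lower()
    base = low.rsplit("\\", 1)[-1]
    folder = low.rsplit("\\", 1)[0] if "\\" in low else ""
    reasons = []
    if "\\" not in low:
        reasons.append("bare file name, resolved through the PATH search order")
    if "\\temp\\" in low:
        reasons.append("autorun launched from a temp folder")
    if base in LOOKALIKES:
        reasons.append("system-process lookalike name")
    if base in EXPECTED_DIR and folder != EXPECTED_DIR[base]:
        reasons.append("system process name outside its normal directory")
    return reasons


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (line, reason) pairs for every log line a heuristic fires on."""
    findings: List[Tuple[str, str]] = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        reasons: List[str] = []
        if m := O4_RE.match(line):
            reasons = check_run(m.group("cmd"))
        elif O15_RE.match(line):
            # Anything in the Trusted zone runs with relaxed IE security; a clean XP box has no entries here.
            reasons.append("Trusted Zone / Trusted IP range entry")
        elif m := O20_RE.match(line):
            if m.group("key") not in KNOWN_NOTIFY:
                reasons.append("Winlogon Notify package not on the allowlist (loaded into winlogon.exe)")
        elif m := O23_RE.match(line):
            if m.group("missing") and m.group("owner") == "Unknown owner":
                reasons.append("orphaned service: unknown owner and binary missing")
        findings.extend((line, r) for r in reasons)
    return findings


if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {flagged}")
```

Running the block prints the nine sample lines that the heuristics flag with the reason for each; the hkcmd.exe, Lexmark, KernelFaultCheck, igfxcui and GBPoll entries pass clean, as the helper left them in the log above.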

#3
Motor City's Finest

Motor City's Finest

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Thanks for trying to help me, but I need the actual link to those download sites because they keep going to clicksearchclick.



My new HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 11:39:27 AM, on 6/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\program files\mcafee.com\vso\mcvsshld.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\System32\Services\{6C5DD71A-8034-4CF7-B497-138DC7DCAE60}\SVCHOST.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\mszx23.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Adam\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Adam\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksear...index.php?aff=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Adam\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: load=? , ??? ???
??? ? ? ? ?
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {000AF6E8-9E87-41DC-BA77-78097C33EC75} - C:\WINDOWS\System32\hmfdgj.dll
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll (file missing)
O2 - BHO: (no name) - {6C5616C5-C6FC-BC6F-0F3A-379A7FC10E34} - C:\WINDOWS\System32\R497p329.dll
O2 - BHO: (no name) - {D4C0826A-6CF0-3C09-F8FA-1013358966E4} - C:\WINDOWS\System32\jxowcnv.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [scvhost.exe] scvhost.exe
O4 - HKLM\..\Run: [clyjycqomrwn] C:\WINDOWS\System32\haelhl.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [ouArQW.exe] C:\documents and settings\adam\local settings\temp\ouArQW.exe
O4 - HKLM\..\Run: [0peuGbPL.exe] C:\documents and settings\adam\local settings\temp\0peuGbPL.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Cxe0o.exe
O4 - HKLM\..\Run: [epx] C:\WINDOWS\system32\epx.exe
O4 - HKLM\..\Run: [lm.exe] C:\documents and settings\adam\local settings\temp\lm.exe
O4 - HKLM\..\Run: [enfE.exe] C:\documents and settings\adam\local settings\temp\enfE.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [vs3R36Q] penrdsvr.exe
O4 - HKLM\..\Run: [Microsoft Outrunner H20] C:\WINDOWS\system32\Microsoft Outrunner\OUTRUNNER.exe /start
O4 - HKLM\..\Run: [Ihf] C:\WINDOWS\Lur.exe
O4 - HKLM\..\Run: [atipatxx] C:\WINDOWS\System32\atipatxx.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
O4 - HKLM\..\Run: [Vld] C:\WINDOWS\Iar.exe
O4 - HKLM\..\Run: [Jdg] C:\WINDOWS\Pnj.exe
O4 - HKLM\..\Run: [Gfj] C:\WINDOWS\System32\Knp.exe
O4 - HKLM\..\Run: [Cct] C:\WINDOWS\Jlq.exe
O4 - HKLM\..\Run: [Pbj] C:\WINDOWS\Sik.exe
O4 - HKLM\..\Run: [Urt] C:\WINDOWS\Alr.exe
O4 - HKLM\..\Run: [Coc] C:\WINDOWS\System32\Hpa.exe
O4 - HKLM\..\Run: [Qvr] C:\WINDOWS\Mkk.exe
O4 - HKLM\..\Run: [Knj] C:\WINDOWS\Mll.exe
O4 - HKLM\..\Run: [Vfd] C:\WINDOWS\System32\Nol.exe
O4 - HKLM\..\Run: [Cpq] C:\WINDOWS\System32\Ivc.exe
O4 - HKLM\..\Run: [Jkvxkalt] c:\Program Files\Ddrz\Fkmnmwo.exe
O4 - HKLM\..\Run: [Exmmj] c:\Program Files\Izwafyz\Jdnyjto.exe
O4 - HKLM\..\Run: [PerformCl] C:\WINDOWS\System32\perfcl.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{6C5DD71A-8034-4CF7-B497-138DC7DCAE60}\SVCHOST.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Adam\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{6C5DD71A-8034-4CF7-B497-138DC7DCAE60}\SECURITY.EXE
O4 - HKLM\..\RunServices: [scvhost.exe] scvhost.exe
O4 - HKLM\..\RunServices: [atipatxx] C:\WINDOWS\System32\atipatxx.exe
O4 - HKCU\..\Run: [eBs5RWcth] uxtlogon.exe
O4 - HKCU\..\Run: [Ihf] C:\WINDOWS\Lur.exe
O4 - HKCU\..\Run: [atipatxx] C:\WINDOWS\System32\atipatxx.exe
O4 - HKCU\..\Run: [Vld] C:\WINDOWS\Iar.exe
O4 - HKCU\..\Run: [Jdg] C:\WINDOWS\Pnj.exe
O4 - HKCU\..\Run: [Gfj] C:\WINDOWS\System32\Knp.exe
O4 - HKCU\..\Run: [Cct] C:\WINDOWS\Jlq.exe
O4 - HKCU\..\Run: [Pbj] C:\WINDOWS\Sik.exe
O4 - HKCU\..\Run: [Urt] C:\WINDOWS\Alr.exe
O4 - HKCU\..\Run: [Coc] C:\WINDOWS\System32\Hpa.exe
O4 - HKCU\..\Run: [Qvr] C:\WINDOWS\Mkk.exe
O4 - HKCU\..\Run: [Knj] C:\WINDOWS\Mll.exe
O4 - HKCU\..\Run: [Vfd] C:\WINDOWS\System32\Nol.exe
O4 - HKCU\..\Run: [Cpq] C:\WINDOWS\System32\Ivc.exe
O4 - HKCU\..\Run: [System] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DR_S] C:\Program Files\DR_S\DR_S.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Microsoft AntiSpyware helper - {1D021922-ACB6-45E2-B2E4-A63D1225AB68} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {1D021922-ACB6-45E2-B2E4-A63D1225AB68} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {A2D60B08-196A-4D91-A225-55A9607AFF4C} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A2D60B08-196A-4D91-A225-55A9607AFF4C} - (no file) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {CA79D501-CD69-4F87-A0C0-56D51F799702} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {CA79D501-CD69-4F87-A0C0-56D51F799702} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {F8948EC2-1D89-41F9-87E3-E4466472928A} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F8948EC2-1D89-41F9-87E3-E4466472928A} - (no file) (HKCU)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c15.cab
O16 - DPF: {163ACFA8-CD79-0E4A-FDF9-2E18581561F0} - http://69.50.182.94/1/gdnUS1096.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com...ia/OTXMedia.dll
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O18 - Filter: text/html - {A4086F62-F755-46DC-A4BE-250A762369B0} - C:\WINDOWS\System32\hmfdgj.dll
O18 - Filter: text/plain - {A4086F62-F755-46DC-A4BE-250A762369B0} - C:\WINDOWS\System32\hmfdgj.dll
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: f3dsl - lsd_f3.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ntfs32 - C:\WINDOWS\SYSTEM32\ntfs32.dll
O21 - SSODL: Web Event Logger - {7CFBACFF-EE01-1231-ABDD-416592E5D639} - C:\WINDOWS\System32\Cnmfgnph.dll
O21 - SSODL: xwjAsiJh - {6C5616BF-C6FC-BC15-55B6-26AE7FC10E31} - C:\WINDOWS\System32\ahob.dll
O23 - Service: AntiVir Update (AVWUpSrv) - Unknown owner - C:\Program Files\AVPersonal\AVWUPSRV.EXE (file missing)
O23 - Service: Provides three management service (FreeBSD) - Unknown owner - C:\WINDOWS\System32\dev32.exe (file missing)
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: Debug oupost relations (LAGOS) - Unknown owner - C:\WINDOWS\System32\ahtun.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

#4
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi Motor City's Finest

I have posted you a fix to remove the malware; you did not even try to do the fix. This will be my last reply.

Your only interest is this: "Thanks for trying to help me, but I need the actual link to those download sites because they keep going to clicksearchclick."

Do you want to remove the malware? Please advise.

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Please download and install AD-Aware.
Check here on how to set up and use it; please make sure you update it first. Don't run it yet.

Download Pocket Killbox and unzip it; save it to your Desktop. We may need it later.

Download Ewido Trojan and malware remover: http://www.ewido.net/en/download/
This setup contains the free as well as the plus-version of the ewido security suite. After the installation, a free 14-day test version containing all the extensions of the plus-version will be activated. At the end of the test phase, the extensions of the plus version are deactivated and the freeware version can be used unlimited times. The purchased license code of the plus version can be entered at any time.
Ewido will auto-update. Don't run it yet.

Download and unzip cwsserviceremove to your desktop. Use either link below:
cwsserviceremove
cwsserviceremove.zip

Download CW-Shredder at the link below:
CWShredder

Please download sphjfix. Save it to your desktop; don't run it yet.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Run Ewido full scan. Save the scan.log.

Run sphjfix.

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Adam\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Adam\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: load=? , ??? ???
O2 - BHO: (no name) - {000AF6E8-9E87-41DC-BA77-78097C33EC75} - C:\WINDOWS\System32\hmfdgj.dll
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll (file missing)
O2 - BHO: (no name) - {6C5616C5-C6FC-BC6F-0F3A-379A7FC10E34} - C:\WINDOWS\System32\R497p329.dll
O2 - BHO: (no name) - {D4C0826A-6CF0-3C09-F8FA-1013358966E4} - C:\WINDOWS\System32\jxowcnv.dll (file missing)
O4 - HKLM\..\Run: [scvhost.exe] scvhost.exe
O4 - HKLM\..\Run: [clyjycqomrwn] C:\WINDOWS\System32\haelhl.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [ouArQW.exe] C:\documents and settings\adam\local settings\temp\ouArQW.exe
O4 - HKLM\..\Run: [0peuGbPL.exe] C:\documents and settings\adam\local settings\temp\0peuGbPL.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Cxe0o.exe
O4 - HKLM\..\Run: [epx] C:\WINDOWS\system32\epx.exe
O4 - HKLM\..\Run: [lm.exe] C:\documents and settings\adam\local settings\temp\lm.exe
O4 - HKLM\..\Run: [enfE.exe] C:\documents and settings\adam\local settings\temp\enfE.exe
O4 - HKLM\..\Run: [vs3R36Q] penrdsvr.exe
O4 - HKLM\..\Run: [Ihf] C:\WINDOWS\Lur.exe
O4 - HKLM\..\Run: [atipatxx] C:\WINDOWS\System32\atipatxx.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
O4 - HKLM\..\Run: [Vld] C:\WINDOWS\Iar.exe
O4 - HKLM\..\Run: [Jdg] C:\WINDOWS\Pnj.exe
O4 - HKLM\..\Run: [Gfj] C:\WINDOWS\System32\Knp.exe
O4 - HKLM\..\Run: [Cct] C:\WINDOWS\Jlq.exe
O4 - HKLM\..\Run: [Pbj] C:\WINDOWS\Sik.exe
O4 - HKLM\..\Run: [Urt] C:\WINDOWS\Alr.exe
O4 - HKLM\..\Run: [Coc] C:\WINDOWS\System32\Hpa.exe
O4 - HKLM\..\Run: [Qvr] C:\WINDOWS\Mkk.exe
O4 - HKLM\..\Run: [Knj] C:\WINDOWS\Mll.exe
O4 - HKLM\..\Run: [Vfd] C:\WINDOWS\System32\Nol.exe
O4 - HKLM\..\Run: [Cpq] C:\WINDOWS\System32\Ivc.exe
O4 - HKLM\..\Run: [Jkvxkalt] c:\Program Files\Ddrz\Fkmnmwo.exe
O4 - HKLM\..\Run: [Exmmj] c:\Program Files\Izwafyz\Jdnyjto.exe
O4 - HKLM\..\Run: [PerformCl] C:\WINDOWS\System32\perfcl.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{6C5DD71A-8034-4CF7-B497-138DC7DCAE60}\SVCHOST.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Adam\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{6C5DD71A-8034-4CF7-B497-138DC7DCAE60}\SECURITY.EXE
O4 - HKLM\..\RunServices: [scvhost.exe] scvhost.exe
O4 - HKLM\..\RunServices: [atipatxx] C:\WINDOWS\System32\atipatxx.exe
O4 - HKCU\..\Run: [eBs5RWcth] uxtlogon.exe
O4 - HKCU\..\Run: [Ihf] C:\WINDOWS\Lur.exe
O4 - HKCU\..\Run: [atipatxx] C:\WINDOWS\System32\atipatxx.exe
O4 - HKCU\..\Run: [Vld] C:\WINDOWS\Iar.exe
O4 - HKCU\..\Run: [Jdg] C:\WINDOWS\Pnj.exe
O4 - HKCU\..\Run: [Gfj] C:\WINDOWS\System32\Knp.exe
O4 - HKCU\..\Run: [Cct] C:\WINDOWS\Jlq.exe
O4 - HKCU\..\Run: [Pbj] C:\WINDOWS\Sik.exe
O4 - HKCU\..\Run: [Urt] C:\WINDOWS\Alr.exe
O4 - HKCU\..\Run: [Coc] C:\WINDOWS\System32\Hpa.exe
O4 - HKCU\..\Run: [Qvr] C:\WINDOWS\Mkk.exe
O4 - HKCU\..\Run: [Knj] C:\WINDOWS\Mll.exe
O4 - HKCU\..\Run: [Vfd] C:\WINDOWS\System32\Nol.exe
O4 - HKCU\..\Run: [Cpq] C:\WINDOWS\System32\Ivc.exe
O4 - HKCU\..\Run: [System] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [DR_S] C:\Program Files\DR_S\DR_S.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c15.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com...ia/OTXMedia.dll
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: Debug oupost relations (LAGOS) - Unknown owner - C:\WINDOWS\System32\ahtun.exe (file missing)

Click on Fix Checked when finished and exit HijackThis.

Run Ad-Aware SE and let it remove all it finds.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *OK* to remove them.

Double-click on cwsserviceremove and, when asked to merge, say Yes.

Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.

Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
C:\WINDOWS\System32\Services\{6C5DD71A-8034-4CF7-B497-138DC7DCAE60}\SVCHOST.EXE
C:\WINDOWS\System32\mszx23.exe
C:\DOCUME~1\Adam\LOCALS~1\Temp\se.dll/sp.html
C:\WINDOWS\System32\hmfdgj.dll
C:\WINDOWS\System32\R497p329.dll
C:\WINDOWS\System32\haelhl.exe
C:\Program Files\VVSN\VVSN.exe
C:\documents and settings\adam\local settings\temp\ouArQW.exe
C:\documents and settings\adam\local settings\temp\0peuGbPL.exe
C:\WINDOWS\System32\Cxe0o.exe
C:\WINDOWS\system32\epx.exe
C:\documents and settings\adam\local settings\temp\lm.exe
C:\documents and settings\adam\local settings\temp\enfE.exe
C:\WINDOWS\Lur.exe
C:\WINDOWS\System32\atipatxx.exe
C:\WINDOWS\System32\winldra.exe
C:\WINDOWS\Iar.exe
C:\WINDOWS\Pnj.exe
C:\WINDOWS\System32\Knp.exe
C:\WINDOWS\Jlq.exe
C:\WINDOWS\Sik.exe
C:\WINDOWS\Alr.exe
C:\WINDOWS\System32\Hpa.exe
C:\WINDOWS\Mkk.exe
C:\WINDOWS\Mll.exe
C:\WINDOWS\System32\Nol.exe
C:\WINDOWS\System32\Ivc.exe
c:\Program Files\Ddrz\Fkmnmwo.exe
c:\Program Files\Izwafyz\Jdnyjto.exe
C:\WINDOWS\System32\perfcl.exe
C:\WINDOWS\System32\Services\{6C5DD71A-8034-4CF7-B497-138DC7DCAE60}\SECURITY.EXE
C:\WINDOWS\sfita.exe
C:\WINDOWS\SYSTEM32\drct16.dll

Let the system reboot.

Please download, install and run this disk cleanup utility called Cleanup version 4.0!: http://downloads.ste...p/CleanUp40.exe
It will get rid of any malware which may be hiding in your temp folders ( a common hiding place). You will also regain a massive amount of disk space. Here is a tutorial which describes its usage: http://www.bleepingc...tutorial93.html
Check the custom settings to your liking under Options, but be sure to delete temporary files and temporary internet files for all user profiles. Also clean out the Prefetch folder and the Recycle Bin. When the scan has finished, click the Close button.
When prompted, the system will log off to let it clean out the remaining files. When the logon screen shows, log back on and continue the fix.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs from Panda, Ewido and HJT.log. We will need them to remove previous infections that have left files on your system.

Kc :tazz:
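An added illustration, not part of this thread and not HijackThis' own logic: a small Python triage script that parses HJT log lines like the ones listed above and flags the same kinds of entries the helper picked out (loaders in a Temp folder, bare-filename Run entries, orphaned "(file missing)" items, services with an unknown owner and no binary on disk). The sample lines are copied from the first log; the rule set and the three-letter-name heuristic are my own assumptions.

```python
"""Triage helper for HijackThis (HJT) v1.99 log lines (constructed example).

The rules here are assumptions modelled on what the helper in this thread picked
out; they are not HijackThis' own logic, and a flag means "look closer".
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Item lines look like "O4 - HKLM\..\Run: [...]", "R1 - HKCU\...", "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(?P<sect>R[0-3]|F[0-3]|O\d{1,2}) - (?P<body>.*)$")
# First Windows path ending in an executable extension; tolerates spaces and the
# 8.3 short names HJT prints (e.g. C:\DOCUME~1\Adam\LOCALS~1\Temp\se.dll).
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx|cpl)\b", re.IGNORECASE)
# Run / RunServices value: "[label] command line".
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Services)?: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
THREE_LETTER = re.compile(r"^[A-Z][a-z]{2}$")   # e.g. "[Ihf] C:\WINDOWS\Lur.exe"


@dataclass
class Entry:
    section: str                     # R1, O2, O4, O20, O23, ...
    body: str                        # everything after "Oxx - "
    path: Optional[str]              # first executable/DLL path found, if any
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for an HJT item line, or None for headers and process-list lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    pm = PATH_RE.search(body)
    return Entry(m.group("sect"), body, pm.group(0) if pm else None)


def triage(entry: Entry) -> Entry:
    """Attach human-readable triage flags to one entry (heuristics, see module docstring)."""
    body, lower_path = entry.body, (entry.path or "").lower()
    if "(file missing)" in body:
        entry.flags.append("orphaned entry: referenced file no longer on disk")
    if "\\temp\\" in lower_path:
        entry.flags.append("executable or DLL loaded from a Temp folder")
    if entry.section == "O4":
        rm = RUN_RE.match(body)
        if rm:
            label, cmd = rm.group("label"), rm.group("cmd")
            if not PATH_RE.search(cmd):
                entry.flags.append("Run entry is a bare filename (found via PATH search, not a fixed location)")
            stem = re.sub(r"\.exe$", "", cmd.rsplit("\\", 1)[-1], flags=re.IGNORECASE)
            if THREE_LETTER.match(label) and THREE_LETTER.match(stem):
                entry.flags.append("weak: random-looking 3-letter label and filename")
    elif entry.section in ("R0", "R1") and "res://" in body:
        entry.flags.append("IE start/search page points at a local DLL resource")
    elif entry.section == "O2" and "(no name)" in body:
        entry.flags.append("browser helper object without a name")
    elif entry.section == "O20" and entry.path is None:
        entry.flags.append("Winlogon Notify DLL given as a bare name")
    elif entry.section == "O23" and "Unknown owner" in body and "(file missing)" in body:
        entry.flags.append("service with unknown owner and missing binary")
    return entry


def triage_log(text: str) -> List[Entry]:
    """Parse a whole HJT log and return only the entries that raised at least one flag."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None and triage(entry).flags:
            hits.append(entry)
    return hits


# Constructed sample: a subset of lines copied from the first log in this thread,
# plus two benign entries (McAfee agent, GoBack service) that must not be flagged.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Adam\LOCALS~1\Temp\se.dll/sp.html
O2 - BHO: (no name) - {000AF6E8-9E87-41DC-BA77-78097C33EC75} - C:\WINDOWS\System32\hmfdgj.dll
O4 - HKLM\..\Run: [scvhost.exe] scvhost.exe
O4 - HKLM\..\Run: [ouArQW.exe] C:\documents and settings\adam\local settings\temp\ouArQW.exe
O4 - HKLM\..\Run: [Ihf] C:\WINDOWS\Lur.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Adam\LOCALS~1\Temp\se.dll,DllInstall
O20 - Winlogon Notify: drct16 - drct16.dll (file missing)
O23 - Service: Debug oupost relations (LAGOS) - Unknown owner - C:\WINDOWS\System32\ahtun.exe (file missing)
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
"""

if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.section:>4}  {e.body[:72]}")
        for f in e.flags:
            print(f"      -> {f}")
```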

#5
Motor City's Finest
OK, I did everything you told me to. My background is still not mine.


My new hijack log:


Logfile of HijackThis v1.99.1
Scan saved at 4:08:20 PM, on 6/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\program files\mcafee.com\vso\mcvsshld.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Adam\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [Microsoft Outrunner H20] C:\WINDOWS\system32\Microsoft Outrunner\OUTRUNNER.exe /start
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Microsoft AntiSpyware helper - {1D021922-ACB6-45E2-B2E4-A63D1225AB68} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {1D021922-ACB6-45E2-B2E4-A63D1225AB68} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {A2D60B08-196A-4D91-A225-55A9607AFF4C} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A2D60B08-196A-4D91-A225-55A9607AFF4C} - (no file) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {CA79D501-CD69-4F87-A0C0-56D51F799702} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {CA79D501-CD69-4F87-A0C0-56D51F799702} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {F8948EC2-1D89-41F9-87E3-E4466472928A} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F8948EC2-1D89-41F9-87E3-E4466472928A} - (no file) (HKCU)
O16 - DPF: {163ACFA8-CD79-0E4A-FDF9-2E18581561F0} - http://69.50.182.94/1/gdnUS1096.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: drct16 - drct16.dll (file missing)
O20 - Winlogon Notify: f3dsl - lsd_f3.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ntfs32 - C:\WINDOWS\SYSTEM32\ntfs32.dll
O21 - SSODL: Web Event Logger - {7CFBACFF-EE01-1231-ABDD-416592E5D639} - C:\WINDOWS\System32\Cnmfgnph.dll (file missing)
O21 - SSODL: xwjAsiJh - {6C5616BF-C6FC-BC15-55B6-26AE7FC10E31} - C:\WINDOWS\System32\ahob.dll (file missing)
O23 - Service: AntiVir Update (AVWUpSrv) - Unknown owner - C:\Program Files\AVPersonal\AVWUPSRV.EXE (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Provides three management service (FreeBSD) - Unknown owner - C:\WINDOWS\System32\dev32.exe (file missing)
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: Debug oupost relations (LAGOS) - Unknown owner - C:\WINDOWS\System32\ahtun.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

#6
Guest_thatman_*
Hi Motor City's Finest

Please read through the instructions before you start (you may want to print this out).

Please CLICK here and go to Save As (in Internet Explorer it's "Save Target As") in order to download Metallica’s reg file. Save it to your desktop.

Please set your system to show all files; please see here if you're unsure how to do this.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O9 - Extra button: Microsoft AntiSpyware helper - {1D021922-ACB6-45E2-B2E4-A63D1225AB68} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {1D021922-ACB6-45E2-B2E4-A63D1225AB68} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {A2D60B08-196A-4D91-A225-55A9607AFF4C} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A2D60B08-196A-4D91-A225-55A9607AFF4C} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {CA79D501-CD69-4F87-A0C0-56D51F799702} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {CA79D501-CD69-4F87-A0C0-56D51F799702} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {F8948EC2-1D89-41F9-87E3-E4466472928A} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F8948EC2-1D89-41F9-87E3-E4466472928A} - (no file) (HKCU)
O16 - DPF: {163ACFA8-CD79-0E4A-FDF9-2E18581561F0} - http://69.50.182.94/1/gdnUS1096.exe
O20 - Winlogon Notify: drct16 - drct16.dll (file missing)
O20 - Winlogon Notify: f3dsl - lsd_f3.dll (file missing)
O20 - Winlogon Notify: ntfs32 - C:\WINDOWS\SYSTEM32\ntfs32.dll
O21 - SSODL: Web Event Logger - {7CFBACFF-EE01-1231-ABDD-416592E5D639} - C:\WINDOWS\System32\Cnmfgnph.dll (file missing)
O21 - SSODL: xwjAsiJh - {6C5616BF-C6FC-BC15-55B6-26AE7FC10E31} - C:\WINDOWS\System32\ahob.dll (file missing)
O23 - Service: Debug oupost relations (LAGOS) - Unknown owner - C:\WINDOWS\System32\ahtun.exe (file missing)

Click on Fix Checked when finished and exit HijackThis.

Now run Metallica’s reg file

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *OK* to remove them.

Run CWShredder to fix your CWS problem.

Run Ad-Aware SE.

Reboot as normal

You do need to run this online scan.
Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
Please post the logs from Panda, Ewido and HJT.log. We will need them to remove previous infections that have left files on your system.

Kc :tazz:

#7
Motor City's Finest
The clicksearchclick seems to be gone, and everything seems to be in order, but my background is still gone. I've done all you said, but that one piece seems to still stay.

Also, my Internet Explorer icons are not working when I click on them; I have to go through My Computer and type in the address bar.

Here's my new log:



Logfile of HijackThis v1.99.1
Scan saved at 10:49:30 PM, on 6/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\program files\mcafee.com\vso\mcvsshld.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Adam\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [Microsoft Outrunner H20] C:\WINDOWS\system32\Microsoft Outrunner\OUTRUNNER.exe /start
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: drct16 - drct16.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AntiVir Update (AVWUpSrv) - Unknown owner - C:\Program Files\AVPersonal\AVWUPSRV.EXE (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Provides three management service (FreeBSD) - Unknown owner - C:\WINDOWS\System32\dev32.exe (file missing)
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: Debug oupost relations (LAGOS) - Unknown owner - C:\WINDOWS\System32\ahtun.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

#8
Motor City's Finest
I downloaded Mozilla Firefox, and I really like it. Do I still need Internet Explorer? How do I go about getting rid of it? Just wanted to remind you my background is still gone.


My new log:


Logfile of HijackThis v1.99.1
Scan saved at 11:48:02 PM, on 6/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\program files\mcafee.com\vso\mcvsshld.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Adam\Desktop\hijackthis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [Microsoft Outrunner H20] C:\WINDOWS\system32\Microsoft Outrunner\OUTRUNNER.exe /start
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AntiVir Update (AVWUpSrv) - Unknown owner - C:\Program Files\AVPersonal\AVWUPSRV.EXE (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Provides three management service (FreeBSD) - Unknown owner - C:\WINDOWS\System32\dev32.exe (file missing)
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: Debug oupost relations (LAGOS) - Unknown owner - C:\WINDOWS\System32\ahtun.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

#9
Guest_thatman_*
Hi Motor City's Finest

Please read through the instructions before you start (you may want to print this out).

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Download Pocket Killbox and unzip it; save it to your Desktop.

Download smitRem.zip and save the file to your desktop.
Right-click on the file and extract it to its own folder on the desktop. Don't run it yet!


Please download and install AD-Aware.
Check here on how to set up and use it; please make sure you update it first. Don't run it yet.

Please set your system to show all files; please see here if you're unsure how to do this.

Download CWShredder (there is a link in my signature), unzip it, and save it on the Desktop. Please do not run it yet.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
O23 - Service: AntiVir Update (AVWUpSrv) - Unknown owner - C:\Program Files\AVPersonal\AVWUPSRV.EXE (file missing)
O23 - Service: Provides three management service (FreeBSD) - Unknown owner - C:\WINDOWS\System32\dev32.exe (file missing)
O23 - Service: Debug oupost relations (LAGOS) - Unknown owner - C:\WINDOWS\System32\ahtun.exe (file missing)

Click on Fix Checked when finished and exit HijackThis.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

Run CWShredder to fix your CWS problem.

Run AD-Aware SE.

Reboot as normal.

Please download, install and run this disk cleanup utility called Cleanup version 4.0!: http://downloads.ste...p/CleanUp40.exe
It will get rid of any malware which may be hiding in your temp folders (a common hiding place). You will also regain a massive amount of disk space. Here is a tutorial which describes its usage: http://www.bleepingc...tutorial93.html
Check the custom settings to your liking under options, but be sure to delete temporary files and temporary internet files for all user profiles. Also, clean out the prefetch folder and the recycle bin. When the scan has finished, click the close button.
When prompted, the system will log off to let it clean out the remaining files. When the logon screen shows, log back on and continue the fix.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
Please post the logs from Panda, Ewido and HJT.log. We will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0
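As an added example (not code from this thread, from HijackThis or from any of the tools named above), here is a small Python parser for the O23 service lines that the helper asked to have fixed: all three share the same pattern, a registered service whose binary is gone. The sample lines are copied from the logs in this thread; the triage rule is an assumption, not something HijackThis itself does.

```python
import re
from dataclasses import dataclass

# Constructed sample: O23 lines from the log above (3 flagged by the helper, 3 legitimate).
SAMPLE_LOG = r"""
O23 - Service: AntiVir Update (AVWUpSrv) - Unknown owner - C:\Program Files\AVPersonal\AVWUPSRV.EXE (file missing)
O23 - Service: Provides three management service (FreeBSD) - Unknown owner - C:\WINDOWS\System32\dev32.exe (file missing)
O23 - Service: Debug oupost relations (LAGOS) - Unknown owner - C:\WINDOWS\System32\ahtun.exe (file missing)
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
"""
# HJT O23 layout: "O23 - Service: <display> (<short name>) - <owner> - <path>[ (file missing)]";
# the parenthesised short name is absent on some entries (GBPoll above).
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

@dataclass
class ServiceEntry:
    display: str
    name: str          # short service name, or the display name when HJT shows none
    owner: str
    path: str
    file_missing: bool

def parse_o23(line: str):
    """Parse one O23 line; returns None for any other HijackThis line type."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return ServiceEntry(m["display"], m["name"] or m["display"], m["owner"],
                        m["path"], m["missing"] is not None)

def triage(log_text: str) -> dict:
    """Map each service worth reviewing to the reasons it was flagged.
    Rule (an assumption matching what the helper fixed above): a service whose
    binary is gone is an orphaned registration, and with no vendor recorded there
    is nothing legitimate left to keep, so it is a fix candidate."""
    findings = {}
    for entry in filter(None, map(parse_o23, log_text.strip().splitlines())):
        reasons = []
        if entry.file_missing:
            reasons.append("registered binary is missing from disk")
            if entry.owner == "Unknown owner":
                reasons.append("no vendor recorded either: nothing legitimate to keep")
        if reasons:
            findings[entry.name] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Note that "Unknown owner" on its own is not a signal (McShield above is legitimate); it only adds weight once the file is already gone.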

#10
Motor City's Finest
  • Topic Starter
  • Member
  • 19 posts
ok, I got my background back!!!! thanks a bunch. I'm not sure if my comp is totally clear, but it seems to be real good. a quick question: since I have firefox, do I still need internet explorer?


here's my new hijack log:


Logfile of HijackThis v1.99.1
Scan saved at 11:48:02 PM, on 6/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\program files\mcafee.com\vso\mcvsshld.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Adam\Desktop\hijackthis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [Microsoft Outrunner H20] C:\WINDOWS\system32\Microsoft Outrunner\OUTRUNNER.exe /start
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AntiVir Update (AVWUpSrv) - Unknown owner - C:\Program Files\AVPersonal\AVWUPSRV.EXE (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Provides three management service (FreeBSD) - Unknown owner - C:\WINDOWS\System32\dev32.exe (file missing)
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: Debug oupost relations (LAGOS) - Unknown owner - C:\WINDOWS\System32\ahtun.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
my ewido log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:40:56 PM, 6/29/2005
+ Report-Checksum: D86E1C3A

+ Date of database: 6/28/2005
+ Version of scan engine: v3.0

+ Duration: 47 min
+ Scanned Files: 83254
+ Speed: 29.50 Files/Second
+ Infected files: 51
+ Removed files: 51
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0352784.exe -> Spyware.PurityScan.w -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0352785.reg -> Spyware.Hijacker.Generic -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0352786.EXE -> Trojan.Delf.eb -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0352787.exe -> TrojanDownloader.VB.em -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0352788.scr -> TrojanDownloader.NSIS.gen -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0352789.exe -> TrojanDownloader.VB.em -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0352790.exe -> TrojanDownloader.VB.em -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0352791.exe -> TrojanDownloader.VB.em -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0352792.exe -> TrojanDownloader.VB.em -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0352793.exe -> TrojanDownloader.VB.em -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0352794.exe -> TrojanDownloader.VB.em -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0352795.exe -> TrojanDownloader.VB.em -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0352796.exe -> TrojanDownloader.VB.em -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0352797.exe -> TrojanDownloader.VB.em -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0352798.dll -> TrojanDownloader.Small.rr -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0352799.exe -> TrojanDownloader.VB.em -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0352800.exe -> TrojanDownloader.VB.em -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0352801.exe -> TrojanDownloader.Vb.Cw -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0352802.exe -> TrojanDownloader.Delf.fj -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0352803.exe -> TrojanDownloader.VB.em -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0352804.exe -> TrojanDownloader.VB.em -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0352805.exe -> TrojanDownloader.VB.em -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0352806.dll -> Spyware.Marketscore -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0352807.exe -> TrojanSpy.Delf.eb -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0352808.exe -> TrojanDownloader.VB.em -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0352809.exe -> TrojanDownloader.VB.em -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0352810.exe -> TrojanDownloader.VB.em -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0352811.exe -> TrojanDownloader.VB.em -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0352812.exe -> TrojanDownloader.VB.em -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0352813.exe -> TrojanDownloader.VB.em -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0352814.DLL -> Trojan.WebSearch.i -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0352815.DLL -> Trojan.WebSearch.i -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0352816.DLL -> Trojan.WebSearch.i -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0352817.exe -> TrojanDownloader.VB.em -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0352818.exe -> TrojanDownloader.VB.em -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0352819.exe -> TrojanDownloader.Delf.fj -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0352820.exe -> TrojanDownloader.VB.em -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0352821.exe -> TrojanDownloader.VB.em -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0353759.dll -> TrojanProxy.Agent.df -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0353760.dll -> TrojanSpy.Qukart.w -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0356758.dll -> Backdoor.Haxdoor.cn -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0357758.exe -> Backdoor.Haxdoor.cn -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0357760.sys -> Backdoor.Haxdoor.cn -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP605\A0357769.exe -> Backdoor.Haxdoor.cn -> Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP606\A0358769.dll -> Backdoor.Haxdoor.cn -> Cleaned without backup
C:\WINDOWS\SYSTEM32\cz.dll -> Backdoor.Haxdoor.cn -> Cleaned without backup
C:\WINDOWS\SYSTEM32\DRIVERS\wlan1934.sys -> Trojan.Ants -> Cleaned without backup
C:\WINDOWS\SYSTEM32\hz.sys -> Backdoor.Haxdoor.cn -> Cleaned without backup
C:\WINDOWS\SYSTEM32\vdmt16.sys -> Backdoor.Haxdoor.cn -> Cleaned without backup
C:\WINDOWS\SYSTEM32\winlow.sys -> Backdoor.Haxdoor.bb -> Cleaned without backup
C:\WINDOWS\SYSTEM32\wz.sys -> Backdoor.Haxdoor.bb -> Cleaned without backup


::Report End
  • 0

#11
Guest_thatman_*
  • Guest
Hi Motor City's Finest

IE is part of Windows; if you try to uninstall it, you will have many problems with Windows.

Your HJT was clean

Please run one virus scan online.


Turn off System Restore > defrag the hard drive > turn System Restore back on.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
Please post the logs from the Panda virus scan and HJT.log. We will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#12
Motor City's Finest
  • Topic Starter
  • Member
  • 19 posts
thanks for all your help.
  • 0

#13
Guest_thatman_*
  • Guest
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0