i've tried it all [RESOLVED]


  • This topic is locked

#1
FortySixandTwo
  • Member
  • 11 posts
I have tried everything that you said to do before I posted. Still, I can't seem to stop whatever it is that is slowing my computer down and causing virus detections to go off. Any time a virus is detected, it says that cleaning, quarantining and deleting were all unsuccessful. Any help will be greatly appreciated.
Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:24:19 PM, on 6/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\ODI\OSTORE\BIN\OSSERVER.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\ATRACK.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Adrock\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Open this PDF with PDFtypewriter - {B5EE1724-E26C-4431-A8F3-96FC5FE55CA1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...514/mcfscan.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Client Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
O23 - Service: Symantec Client Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ObjectStore Server R4.0 - Object Design, Inc. - C:\ODI\OSTORE\BIN\OSSERVER.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Client Firewall Proxy Service (SymPxSvc) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
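The log above is the HijackThis 1.99.1 text format, one entry per line with a section prefix (R0/R1, O1, O2, O4, O16, O23, ...). The following is an added example, not code from the original thread or from HijackThis, that parses that format and pulls out the entries a log helper reads first: hosts-file overrides (O1), autostart entries (O4, both the registry Run keys and the Global Startup folder) and services listed with no known owner (O23). SAMPLE_LOG is a constructed subset of the posted log; the two triage rules (a hosts entry that points somewhere other than loopback or the 0.0.0.0 blackhole, a service whose owner is "Unknown") are this example's heuristics for what to look at next, not a verdict on any particular entry.

```python
"""Parse a HijackThis 1.99.1 log and pull out the entries a log helper reads
first: hosts-file overrides (O1), autostart entries (O4) and services with
no known owner (O23).

Added example, not code from the original thread or from HijackThis. The
section prefixes are HijackThis's own; SAMPLE_LOG is a constructed subset of
the posted log; the triage rules below are this example's heuristics.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
Running processes:
C:\\WINDOWS\\System32\\smss.exe

R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = about:blank
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O4 - HKLM\\..\\Run: [ViewMgr] C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\System32\\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\\Program Files\\Common Files\\Adobe\\Calibration\\Adobe Gamma Loader.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O23 - Service: StyleXPService - Unknown owner - C:\\Program Files\\TGTSoft\\StyleXP\\StyleXPService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\\Program Files\\iPod\\bin\\iPodService.exe
"""

# One entry per line: "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] cmd".
# Process-list and header lines do not start with a section prefix and are skipped.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
REG_RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")

# A hosts entry pointing at one of these is a blocklist-style entry, not a redirect.
BLACKHOLE_ADDRS = {"127.0.0.1", "::1", "0.0.0.0"}


@dataclass
class Entry:
    section: str  # "O1", "O4", "O23", ...
    body: str     # everything after "<section> - "


@dataclass
class Autostart:
    location: str  # "HKLM\..\Run", "HKCU\..\Run" or "Global Startup"
    name: str
    command: str


def parse_hjt(text: str) -> List[Entry]:
    """Return every section-prefixed entry in the log, in order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def hosts_overrides(entries: List[Entry]) -> List[Tuple[str, str]]:
    """(ip, hostname) pairs from O1 lines, i.e. non-default hosts-file entries."""
    out = []
    for e in entries:
        if e.section == "O1":
            m = HOSTS_RE.match(e.body)
            if m:
                out.append((m["ip"], m["host"]))
    return out


def redirecting_hosts(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Hosts entries that send a name to a real address rather than a blackhole.
    These are the ones to verify: they override DNS for that name."""
    return [(ip, host) for ip, host in hosts_overrides(entries) if ip not in BLACKHOLE_ADDRS]


def autostarts(entries: List[Entry]) -> List[Autostart]:
    """O4 entries: registry Run keys and Global Startup folder items."""
    out = []
    for e in entries:
        if e.section != "O4":
            continue
        m = REG_RUN_RE.match(e.body)
        if m:
            out.append(Autostart(f"{m['hive']}\\..\\{m['key']}", m["name"], m["cmd"]))
            continue
        m = STARTUP_RE.match(e.body)
        if m:
            out.append(Autostart("Global Startup", m["name"], m["cmd"]))
    return out


def unknown_owner_services(entries: List[Entry]) -> List[str]:
    """Image paths of O23 services whose owner field is 'Unknown owner'.
    Format: 'Service: <display name> - <owner> - <path>'."""
    out = []
    for e in entries:
        if e.section == "O23":
            parts = e.body.split(" - ")
            if len(parts) >= 3 and parts[1].strip().lower() == "unknown owner":
                out.append(" - ".join(parts[2:]))
    return out


if __name__ == "__main__":
    ents = parse_hjt(SAMPLE_LOG)
    print("hosts redirects:", redirecting_hosts(ents))
    for a in autostarts(ents):
        print("autostart:", a.location, a.name, "->", a.command)
    print("services with unknown owner:", unknown_owner_services(ents))
```

Against the posted log, the only O1 entry maps www.dcsresearch.com to 64.91.255.87, which the helper would verify against a DNS lookup before deciding whether it belongs there; the only O23 service with an unknown owner is StyleXPService, which the process list and the HKCU Run entry attribute to the StyleXP theme tool.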


#2
Trevuren
  • Retired Staff
  • 18,699 posts
Hi FortySixandTwo, welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your problem.

Let's see if we can find out where this critter lives.

I need you to download MWav to a convenient location.

This scan might take around 3+ hours to finish when set to scan everything.
I need you to run MWav by double-clicking on mwav.exe. This scan only produces a report, it doesn't clean your system. I will analyze the report and recommend a course of action depending on the results.

Put a check next to the below items before scanning:
  • Memory
  • Startup Folders
  • Drive - All Local Drives
  • Folder - then click "browse" to change the directory to C: (default is C:\Windows)
  • Registry
  • System Folders
  • Services
  • Include Sub-Directory
  • Scan All Files
Please make sure ALL of these are checked, then press the Scan button. This typically will take hours to complete.

NOTE: Sometimes MWav will pause and it appears to be finished, but it isn't done. Just let it run until it says it's complete.

On the bottom portion of the window you will see the lower panel where MWav lists "infected items". Please highlight everything in that lower panel, copy it by holding CTRL + C, then paste it here. The whole log will be extremely big, so there is no way to post it. I just need the infected items list.

Regards,

Trevuren


#3
FortySixandTwo
  • Topic Starter
  • Member
  • 11 posts
Thank you for the quick response.
OK, I let the MWav run, and it found 84 viruses (although it looks like most of them were tagged "not-a-virus"). Anyway, here is the infected report only, like you asked.

File C:\WINDOWS\SYSTEM32\DRIVERS\SBCPHID.SYS tagged as not-a-virus:Garbage.Win32.Sbcphid. No Action Taken.
Object "Alexa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "MyBar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "BrowserPal Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Quicken Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "myway Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "PerfectNav Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "CWS.therealsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "iSearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll". Action Taken: No Action Taken.
Entry "HKCR\AccAOL.AccessAOL" refers to invalid object "{1B28020D-9DE7-11D4-A2D4-001083025146}". Action Taken: No Action Taken.
Entry "HKCR\AccAOL.AccessAOL.1" refers to invalid object "{1B28020D-9DE7-11D4-A2D4-001083025146}". Action Taken: No Action Taken.
Entry "HKCR\AOL.MimeController" refers to invalid object "{E9DD2392-EF9B-4963-BEDF-F86C0A2B762A}". Action Taken: No Action Taken.
Entry "HKCR\AOL.MimeController.1" refers to invalid object "{E9DD2392-EF9B-4963-BEDF-F86C0A2B762A}". Action Taken: No Action Taken.
Entry "HKCR\AOL.PicEditCtrl" refers to invalid object "{E0CB08CE-AB3D-4779-9C77-62A439BFE6C3}". Action Taken: No Action Taken.
Entry "HKCR\AOL.PicEditCtrl.1" refers to invalid object "{E0CB08CE-AB3D-4779-9C77-62A439BFE6C3}". Action Taken: No Action Taken.
Entry "HKCR\AOL.UPFCtrl" refers to invalid object "{98BFD494-F6AD-4794-9038-832C0654CC43}". Action Taken: No Action Taken.
Entry "HKCR\AOL.UPFCtrl.1" refers to invalid object "{98BFD494-F6AD-4794-9038-832C0654CC43}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACApptTypeCombo" refers to invalid object "{CD34B69E-6117-4eaf-B5B4-F9FD659BF00D}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACApptTypeCombo.4" refers to invalid object "{CD34B69E-6117-4eaf-B5B4-F9FD659BF00D}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACCalendarDCtrl" refers to invalid object "{99720901-B635-43bd-83E6-D084A990F15A}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACCalendarDCtrl.4" refers to invalid object "{99720901-B635-43bd-83E6-D084A990F15A}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACCalendarListCtrl" refers to invalid object "{63603526-954A-42eb-8BEB-8E4BF2F636CB}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACCalendarListCtrl.4" refers to invalid object "{63603526-954A-42eb-8BEB-8E4BF2F636CB}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACColorPick" refers to invalid object "{51B21D54-F57F-4ca1-93FF-D986E9F0A388}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACColorPick.4" refers to invalid object "{51B21D54-F57F-4ca1-93FF-D986E9F0A388}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACDayBoxViewCtrl" refers to invalid object "{B4087707-EFB7-46C0-830E-714899CCE724}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACDayBoxViewCtrl.1" refers to invalid object "{B4087707-EFB7-46C0-830E-714899CCE724}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACDictionary" refers to invalid object "{4634A8A8-E78E-4fed-9751-52307590D7F1}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACDictionary.4" refers to invalid object "{4634A8A8-E78E-4fed-9751-52307590D7F1}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACEventConflictCtrl" refers to invalid object "{741506D7-C215-48A1-8211-4CEFF2E8FE2C}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACEventConflictCtrl.1" refers to invalid object "{741506D7-C215-48A1-8211-4CEFF2E8FE2C}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACMonthViewCtrl" refers to invalid object "{60A07B6D-B66C-4339-BD52-EC9520FDCE6A}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACMonthViewCtrl.4" refers to invalid object "{60A07B6D-B66C-4339-BD52-EC9520FDCE6A}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACMPickerCtrl" refers to invalid object "{3D48B387-E74A-4651-A2ED-7FC490964319}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACMPickerCtrl.4" refers to invalid object "{3D48B387-E74A-4651-A2ED-7FC490964319}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACToolBarCtrl" refers to invalid object "{F091791F-D50D-4ace-9D82-05C42DBB9897}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACToolBarCtrl.4" refers to invalid object "{F091791F-D50D-4ace-9D82-05C42DBB9897}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACTopToolBarCtrl" refers to invalid object "{C8B29238-05AD-421E-8B44-1C11C43FAE1C}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACTopToolBarCtrl.1" refers to invalid object "{C8B29238-05AD-421E-8B44-1C11C43FAE1C}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACWebDlgHelper" refers to invalid object "{9DC1221E-0B36-445a-A2D1-FCA92E502834}". Action Taken: No Action Taken.
Entry "HKCR\AolCalSvr.ACWebDlgHelper.4" refers to invalid object "{9DC1221E-0B36-445a-A2D1-FCA92E502834}". Action Taken: No Action Taken.
Entry "HKCR\Ares.AresPlayer" refers to invalid object "{4E97BE17-3300-4A4F-B380-5988DD771F1F}". Action Taken: No Action Taken.
Entry "HKCR\Ares.AresPlayer.1" refers to invalid object "{4E97BE17-3300-4A4F-B380-5988DD771F1F}". Action Taken: No Action Taken.
Entry "HKCR\AxTrack" refers to invalid object "{5145942E-41DF-4658-B7C4-089F48E84A75}". Action Taken: No Action Taken.
Entry "HKCR\AxTrack.CoAxTrack" refers to invalid object "{B9F3009B-976B-41C4-A992-229DCCF3367C}". Action Taken: No Action Taken.
Entry "HKCR\AxTrack.CoAxTrack.1" refers to invalid object "{B9F3009B-976B-41C4-A992-229DCCF3367C}". Action Taken: No Action Taken.
Entry "HKCR\AxTrack.CoAxTrackMk" refers to invalid object "{5145942E-41DF-4658-B7C4-089F48E84A75}". Action Taken: No Action Taken.
Entry "HKCR\AxTrack.CoAxTrackMk.1" refers to invalid object "{5145942E-41DF-4658-B7C4-089F48E84A75}". Action Taken: No Action Taken.
Entry "HKCR\CalPrinting.CalPrinter" refers to invalid object "{DF0E9111-01DF-11D5-BA23-001083780941}". Action Taken: No Action Taken.
Entry "HKCR\CalPrinting.CalPrinter.1" refers to invalid object "{DF0E9111-01DF-11D5-BA23-001083780941}". Action Taken: No Action Taken.
Entry "HKCR\CalPrinting.DataParser" refers to invalid object "{E5151CBE-F61D-11D4-BA21-001083780941}". Action Taken: No Action Taken.
Entry "HKCR\CalPrinting.DataParser.1" refers to invalid object "{E5151CBE-F61D-11D4-BA21-001083780941}". Action Taken: No Action Taken.
Entry "HKCR\CDDBControl.CddbTrackManager" refers to invalid object "{00014C0D-B007-4448-B89B-4EC3E857961D}". Action Taken: No Action Taken.
Entry "HKCR\CDDBControl.CddbTrackManager.1" refers to invalid object "{00014C0D-B007-4448-B89B-4EC3E857961D}". Action Taken: No Action Taken.
Entry "HKCR\CDDBControlAOL.CDDBAOLControl.1" refers to invalid object "{229b78d5-38f5-11d5-9001-00c04f4c3b9f}". Action Taken: No Action Taken.
Entry "HKCR\CDDBControlAOL.CDDBControl" refers to invalid object "{229b78d5-38f5-11d5-9001-00c04f4c3b9f}". Action Taken: No Action Taken.
Entry "HKCR\CDDBControlAOL.CddbCredit" refers to invalid object "{229b78e2-38f5-11d5-9001-00c04f4c3b9f}". Action Taken: No Action Taken.
Entry "HKCR\CDDBControlAOL.CddbCredit.1" refers to invalid object "{229b78e2-38f5-11d5-9001-00c04f4c3b9f}". Action Taken: No Action Taken.
Entry "HKCR\CDDBControlAOL.CddbDisc" refers to invalid object "{229b78d5-38f5-11d5-9001-00c04f4c3b9f}". Action Taken: No Action Taken.
Entry "HKCR\CDDBControlAOL.CddbDisc.1" refers to invalid object "{229b78d5-38f5-11d5-9001-00c04f4c3b9f}". Action Taken: No Action Taken.
Entry "HKCR\CDDBControlAOL.CddbFullName.1" refers to invalid object "{229b78e1-38f5-11d5-9001-00c04f4c3b9f}". Action Taken: No Action Taken.
Entry "HKCR\CDDBControlAOL.CddbID3Tag" refers to invalid object "{bc8a96c6-3909-11d5-9001-00c04f4c3b9f}". Action Taken: No Action Taken.
Entry "HKCR\CDDBControlAOL.CddbID3Tag.1" refers to invalid object "{bc8a96c6-3909-11d5-9001-00c04f4c3b9f}". Action Taken: No Action Taken.
Entry "HKCR\CDDBControlAOL.CddbID3TagManager" refers to invalid object "{bc8a96c5-3909-11d5-9001-00c04f4c3b9f}". Action Taken: No Action Taken.
Entry "HKCR\CDDBControlAOL.CddbID3TagManager.1" refers to invalid object "{bc8a96c5-3909-11d5-9001-00c04f4c3b9f}". Action Taken: No Action Taken.
Entry "HKCR\CDDBControlAOL.CddbInfoWindow" refers to invalid object "{bc8a96c7-3909-11d5-9001-00c04f4c3b9f}". Action Taken: No Action Taken.
Entry "HKCR\CDDBControlAOL.CddbInfoWindow.1" refers to invalid object "{bc8a96c7-3909-11d5-9001-00c04f4c3b9f}". Action Taken: No Action Taken.
Entry "HKCR\CDDBControlAOL.CddbSegment" refers to invalid object "{229b78df-38f5-11d5-9001-00c04f4c3b9f}". Action Taken: No Action Taken.
Entry "HKCR\CDDBControlAOL.CddbSegment.1" refers to invalid object "{229b78df-38f5-11d5-9001-00c04f4c3b9f}". Action Taken: No Action Taken.
Entry "HKCR\CDDBControlAOL.CddbUIOptions" refers to invalid object "{bc8a96c8-3909-11d5-9001-00c04f4c3b9f}". Action Taken: No Action Taken.
Entry "HKCR\CDDBControlAOL.CddbUIOptions.1" refers to invalid object "{bc8a96c8-3909-11d5-9001-00c04f4c3b9f}". Action Taken: No Action Taken.
Entry "HKCR\CDDBControlAOL.CddbURL" refers to invalid object "{229b78e0-38f5-11d5-9001-00c04f4c3b9f}". Action Taken: No Action Taken.
Entry "HKCR\CDDBControlAOL.CddbURL.1" refers to invalid object "{229b78e0-38f5-11d5-9001-00c04f4c3b9f}". Action Taken: No Action Taken.
Entry "HKCR\CDDBControlAOL.CddbURLManager" refers to invalid object "{bc8a96c4-3909-11d5-9001-00c04f4c3b9f}". Action Taken: No Action Taken.
Entry "HKCR\CDDBControlAOL.CddbURLManager.1" refers to invalid object "{bc8a96c4-3909-11d5-9001-00c04f4c3b9f}". Action Taken: No Action Taken.
Entry "HKCR\CDDBControlAOL.FullName" refers to invalid object "{229b78e1-38f5-11d5-9001-00c04f4c3b9f}". Action Taken: No Action Taken.
Entry "HKCR\Cerberus.CerberusCDPlayer" refers to invalid object "{5788DAE8-4B72-4BE6-89A0-1E6123E4CBC2}". Action Taken: No Action Taken.
Entry "HKCR\Cerberus.CerberusCDPlayer.1" refers to invalid object "{5788DAE8-4B72-4BE6-89A0-1E6123E4CBC2}". Action Taken: No Action Taken.
Entry "HKCR\CTABridge.CCtaBridge" refers to invalid object "{250B0184-3052-4EFB-AAA7-24429B8C0627}". Action Taken: No Action Taken.
Entry "HKCR\CTABridge.CCtaBridge.1" refers to invalid object "{250B0184-3052-4EFB-AAA7-24429B8C0627}". Action Taken: No Action Taken.
Entry "HKCR\Ebrowser.FatWallet" refers to invalid object "{E13046F7-A5DF-4574-BD7A-6DC12EC10FF5}". Action Taken: No Action Taken.
Entry "HKCR\Ebrowser.FatWallet.1" refers to invalid object "{E13046F7-A5DF-4574-BD7A-6DC12EC10FF5}". Action Taken: No Action Taken.
Entry "HKCR\G2p.migrate" refers to invalid object "{22803C10-1FD3-11D5-BE64-001083023C0D}". Action Taken: No Action Taken.
Entry "HKCR\G2p.migrate.1" refers to invalid object "{22803C10-1FD3-11D5-BE64-001083023C0D}". Action Taken: No Action Taken.
Entry "HKCR\IE_NDS.RecStream" refers to invalid object "{6EDA439D-F7C7-11d4-8A20-001083023C0D}". Action Taken: No Action Taken.
Entry "HKCR\IE_NDS.RecStream.1" refers to invalid object "{6EDA439D-F7C7-11d4-8A20-001083023C0D}". Action Taken: No Action Taken.
Entry "HKCR\IE_NDS.StorFile" refers to invalid object "{5696745A-F3BD-11D4-8A1D-001083023C0D}". Action Taken: No Action Taken.
Entry "HKCR\IE_NDS.StorFile.1" refers to invalid object "{5696745A-F3BD-11D4-8A1D-001083023C0D}". Action Taken: No Action Taken.
Entry "HKCR\IE_NDS.StorStream" refers to invalid object "{6833E600-F6D8-11D4-8A1F-001083023C0D}". Action Taken: No Action Taken.
Entry "HKCR\IE_NDS.StorStream.1" refers to invalid object "{6833E600-F6D8-11D4-8A1F-001083023C0D}". Action Taken: No Action Taken.
Entry "HKCR\MIMEHook.CoMIMEHook" refers to invalid object "{8BBDA254-CE76-11D3-A2CE-00108335731F}". Action Taken: No Action Taken.
Entry "HKCR\MIMEHook.CoMIMEHook.1" refers to invalid object "{8BBDA254-CE76-11D3-A2CE-00108335731F}". Action Taken: No Action Taken.
Entry "HKCR\MIMEHook.CoMIMESink" refers to invalid object "{80373D03-D993-11D3-A2CE-00108335731F}". Action Taken: No Action Taken.
Entry "HKCR\MIMEHook.CoMIMESink.1" refers to invalid object "{80373D03-D993-11D3-A2CE-00108335731F}". Action Taken: No Action Taken.
Entry "HKCR\MiniBugTransporter.MiniBugTransporterX" refers to invalid object "{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}". Action Taken: No Action Taken.
Entry "HKCR\MiniBugTransporter.MiniBugTransporterX.1" refers to invalid object "{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}". Action Taken: No Action Taken.
Entry "HKCR\Pathfinder.PathfinderDownload" refers to invalid object "{1167C47F-01F9-4C08-8564-1D6C9BAAFB60}". Action Taken: No Action Taken.
Entry "HKCR\Pathfinder.PathfinderDownload.1" refers to invalid object "{1167C47F-01F9-4C08-8564-1D6C9BAAFB60}". Action Taken: No Action Taken.
Entry "HKCR\Phobos.Engine_Ares" refers to invalid object "{E981D791-F499-4837-A483-5AB22F1C548F}". Action Taken: No Action Taken.
Entry "HKCR\Phobos.Engine_Ares.1" refers to invalid object "{E981D791-F499-4837-A483-5AB22F1C548F}". Action Taken: No Action Taken.
Entry "HKCR\Phobos.Engine_Cerberus" refers to invalid object "{EB511AE4-87FE-4EFB-91A3-428B2F2601F7}". Action Taken: No Action Taken.
Entry "HKCR\Phobos.Engine_Cerberus.1" refers to invalid object "{EB511AE4-87FE-4EFB-91A3-428B2F2601F7}". Action Taken: No Action Taken.
Entry "HKCR\Phobos.Engine_Real" refers to invalid object "{205D2DFB-BBAD-4DC4-A0BB-CDA12A1639CE}". Action Taken: No Action Taken.
Entry "HKCR\Phobos.Engine_Real.1" refers to invalid object "{205D2DFB-BBAD-4DC4-A0BB-CDA12A1639CE}". Action Taken: No Action Taken.
Entry "HKCR\Phobos.Engine_Winamp" refers to invalid object "{AED456C4-4866-4420-863F-35767EBED514}". Action Taken: No Action Taken.
Entry "HKCR\Phobos.Engine_Winamp.1" refers to invalid object "{AED456C4-4866-4420-863F-35767EBED514}". Action Taken: No Action Taken.
Entry "HKCR\Phobos.Engine_WMP" refers to invalid object "{D465B936-C361-4417-9AC5-35167066F84B}". Action Taken: No Action Taken.
Entry "HKCR\Phobos.Engine_WMP.1" refers to invalid object "{D465B936-C361-4417-9AC5-35167066F84B}". Action Taken: No Action Taken.
Entry "HKCR\Phobos.Phobos" refers to invalid object "{D9F99C6B-A3A6-11D4-AF64-444553546170}". Action Taken: No Action Taken.
Entry "HKCR\Phobos.Phobos.1" refers to invalid object "{D9F99C6B-A3A6-11D4-AF64-444553546170}". Action Taken: No Action Taken.
Entry "HKCR\Phobos.Player" refers to invalid object "{7C9688C3-7279-474D-ABA5-A632373D2CDB}". Action Taken: No Action Taken.
Entry "HKCR\Phobos.Player.1" refers to invalid object "{7C9688C3-7279-474D-ABA5-A632373D2CDB}". Action Taken: No Action Taken.
Entry "HKCR\Phobos.Playlist" refers to invalid object "{A105BD70-BF56-4D10-BC91-41C88321F47C}". Action Taken: No Action Taken.
Entry "HKCR\Phobos.Playlist.1" refers to invalid object "{A105BD70-BF56-4D10-BC91-41C88321F47C}". Action Taken: No Action Taken.
Entry "HKCR\Phobos.SupportedType" refers to invalid object "{639A19DD-1D97-4A6E-A0D1-01E04FED563F}". Action Taken: No Action Taken.
Entry "HKCR\Phobos.SupportedType.1" refers to invalid object "{639A19DD-1D97-4A6E-A0D1-01E04FED563F}". Action Taken: No Action Taken.
Entry "HKCR\Phobos.Track" refers to invalid object "{B4F80028-5714-4B7B-B9B1-5748B204799A}". Action Taken: No Action Taken.
Entry "HKCR\Phobos.Track.1" refers to invalid object "{B4F80028-5714-4B7B-B9B1-5748B204799A}". Action Taken: No Action Taken.
Entry "HKCR\SA.DataCache" refers to invalid object "{10F34E64-BBB2-11D6-8A17-00E029570A3E}". Action Taken: No Action Taken.
Entry "HKCR\SA.DataCache.1" refers to invalid object "{10F34E64-BBB2-11D6-8A17-00E029570A3E}". Action Taken: No Action Taken.
Entry "HKCR\SA.SATBMgr" refers to invalid object "{8AB5F344-B600-11D6-8A15-00E029570A3E}". Action Taken: No Action Taken.
Entry "HKCR\SA.SATBMgr.1" refers to invalid object "{8AB5F344-B600-11D6-8A15-00E029570A3E}". Action Taken: No Action Taken.
Entry "HKCR\Sb.SuperBuddy" refers to invalid object "{189504B8-50D1-4AA8-B4D6-95C8F58A6414}". Action Taken: No Action Taken.
Entry "HKCR\Sb.SuperBuddy.1" refers to invalid object "{189504B8-50D1-4AA8-B4D6-95C8F58A6414}". Action Taken: No Action Taken.
Entry "HKCR\WinAmpX.IWinAmpActiveX" refers to invalid object "{C28BC286-884C-4a63-8A9C-6F7F5711034F}". Action Taken: No Action Taken.
Entry "HKCR\WinAmpX.IWinAmpActiveX.1" refers to invalid object "{C28BC286-884C-4a63-8A9C-6F7F5711034F}". Action Taken: No Action Taken.
Entry "HKCR\WinAmpXChat.IWinAmpActiveXChat" refers to invalid object "{E3852604-B619-11d6-94EC-00047521F020}". Action Taken: No Action Taken.
Entry "HKCR\WinAmpXChat.IWinAmpActiveXChat.1" refers to invalid object "{E3852604-B619-11d6-94EC-00047521F020}". Action Taken: No Action Taken.
Entry "HKCR\YGPPicInfo.IImageInfo" refers to invalid object "{AD41621C-A2DD-487D-A24B-8BE40116A5A3}". Action Taken: No Action Taken.
Entry "HKCR\YGPPicInfo.IImageInfo.1" refers to invalid object "{AD41621C-A2DD-487D-A24B-8BE40116A5A3}". Action Taken: No Action Taken.
Entry "HKCR\YGPPicInfo.PictureInfo" refers to invalid object "{943742F6-3A40-43FF-97F4-A1750D97B200}". Action Taken: No Action Taken.
Entry "HKCR\YGPPicInfo.PictureInfo.1" refers to invalid object "{943742F6-3A40-43FF-97F4-A1750D97B200}". Action Taken: No Action Taken.
Entry "HKCR\YGPPicInfo.PictureInfos" refers to invalid object "{84CBABC2-D3BE-4EEF-8394-121FAC215CEF}". Action Taken: No Action Taken.
Entry "HKCR\YGPPicInfo.PictureInfos.1" refers to invalid object "{84CBABC2-D3BE-4EEF-8394-121FAC215CEF}". Action Taken: No Action Taken.
File C:\WINDOWS\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\System32\SCCD3X01.DLL tagged as not-a-virus:Garbage.Win32.Sbcphid. No Action Taken.
File C:\WINDOWS\system32\SCCD3X01.DLL tagged as not-a-virus:Garbage.Win32.Sbcphid. No Action Taken.
File C:\WINDOWS\system32\Macromed\Shockwave 8\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents and Settings\Adrock\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0E.dat tagged as "not-a-virus:AdWare.WildTangent.b". Action Taken: No Action Taken.
File C:\Documents and Settings\Adrock\.jpi_cache\jar\1.0\ar3.jar-13861c29-63a50494.zip infected by "Trojan.Java.ClassLoader.k" Virus! Action Taken: No Action Taken.
File C:\Program Files\Yahoo!\GetYahoo\EncWar\Program\IE_Type.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Yahoo!\GetYahoo\EncWar\Program\YDetect_Inst.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Yahoo!\GetYahoo\EncWar\Program\Install\Messenger\pager-ie.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Yahoo!\GetYahoo\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Internet Tools 2003\QWS\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\ESPNMotion\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\DIGStream\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Music Alarm Clock\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\InCtrl5\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\KaZaA\My Shared Folder\kmd171_en.exe tagged as "not-a-virus:AdWare.Cydoor". Action Taken: No Action Taken.
File C:\Program Files\KaZaA\My Shared Folder\moisdne.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\KaZaA\My Shared Folder\LemonadeTycoon.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\KaZaA\My Shared Folder\ProBassFishing.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\KaZaA\My Shared Folder\Scrabblev2b.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\AIM95\Unwise32.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\UltimateBet\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\BitTorrent\uninstall.exe tagged as not-a-virus:Tool.Win32.Processor.1001. No Action Taken.
File C:\Program Files\Lavasoft\Ad-Aware SE Personal\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\audio\rebirth2\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\netprograms\BSINSTALL.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\netprograms\d3DNA_BaseStation_P0_090.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\netprograms\DivX502Bundle.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\netprograms\GPDemo.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\netprograms\Install_AIM_np.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\netprograms\macsetup.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\netprograms\Morph20.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\netprograms\newernewshit\GDiVX1.9.9.6.exe tagged as "not-a-virus:AdWare.ToolBar.GigatechSuperBar". Action Taken: No Action Taken.
File D:\netprograms\newernewshit\Install_AIM_np.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\netprograms\newernewshit\SinglesEidosUSTV.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\netprograms\newernewshit\zlsSetup_50_590_015.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\netprograms\newernewshit\zlsSetup_50_590_043.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\netprograms\newernewshit\zlsSetup_51_011.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\netprograms\nsis198.exe tagged as "not-a-virus:AdWare.MetaDirect.a". Action Taken: No Action Taken.
File D:\netprograms\USArmy\ArmyOpsRecon101.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\netprograms\zaSetup3125.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\netprograms\zaSetup_1025.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\netprograms\zaSetup_37_143.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\netprograms\zonalm2601.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\random\PhotoJam3.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\random\rb201update.zip tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\random\Rebirth_RB338 v2.01+ Addons - Radium.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\rebirth\Rebirth 2.0 Addons\setupad1.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\rebirth\Rebirth_RB338_v201_Setup.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\system32\SCCD3X01.DLL tagged as not-a-virus:Garbage.Win32.Sbcphid. No Action Taken.
File C:\WINDOWS\system32\Macromed\Shockwave 8\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents and Settings\Adrock\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0E.dat tagged as "not-a-virus:AdWare.WildTangent.b". Action Taken: No Action Taken.
File C:\Documents and Settings\Adrock\.jpi_cache\jar\1.0\ar3.jar-13861c29-63a50494.zip infected by "Trojan.Java.ClassLoader.k" Virus! Action Taken: No Action Taken.
File C:\Program Files\Yahoo!\GetYahoo\EncWar\Program\IE_Type.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Yahoo!\GetYahoo\EncWar\Program\YDetect_Inst.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Yahoo!\GetYahoo\EncWar\Program\Install\Messenger\pager-ie.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Yahoo!\GetYahoo\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Internet Tools 2003\QWS\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\ESPNMotion\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\DIGStream\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Music Alarm Clock\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\InCtrl5\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\KaZaA\My Shared Folder\kmd171_en.exe tagged as "not-a-virus:AdWare.Cydoor". Action Taken: No Action Taken.
File C:\Program Files\KaZaA\My Shared Folder\moisdne.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\KaZaA\My Shared Folder\LemonadeTycoon.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\KaZaA\My Shared Folder\ProBassFishing.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\KaZaA\My Shared Folder\Scrabblev2b.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\AIM95\Unwise32.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\UltimateBet\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\BitTorrent\uninstall.exe tagged as not-a-virus:Tool.Win32.Processor.1001. No Action Taken.
File C:\Program Files\Lavasoft\Ad-Aware SE Personal\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
  • 0

#4
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
We are going to be going through a few scans.

1. Download, install, update, configure and run the most current versions of Ad-Aware and Spybot as per the instructions provided at the bottom of my post in my signature pane.

2. I want you to download and run a free trial version of an anti-trojan program called Trojan Hunter. Let it scan your whole system and remove anything it finds.

REBOOT your system.

3. Please go to this site, register and where they ask for a corporation name just put anything.

Let the program scan your full system and delete everything it finds. If there is a report available please submit it in your next reply.

4. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review.

Regards,

Trevuren

  • 0

#5
FortySixandTwo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
So I ran Spybot and Ad-Aware, and they deleted something by the name of Alexa.
I then ran TrojanHunter, but it didn't find anything, which was weird because Mwave had said I was infected by trojans. However, I ran Kaspersky and it found 2 trojans, but it wouldn't let me delete them. So I then used TrojanHunter again, but only to scan the folder that Kaspersky said the trojans were in, but still nothing. So I went to Windows Explorer and deleted the zip file that it said the trojan was in.

Here is my Kaspersky report:

-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Wednesday, June 29, 2005 10:07:10
Operating System: Microsoft Windows XP Professional, (Build 2600)
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 29/06/2005
Kaspersky Anti-Virus database records: 128189
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 98246
Number of viruses found: 1
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 6455 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Adrock\.jpi_cache\jar\1.0\ar3.jar-13861c29-63a50494.zip/Beyond.class Infected: Trojan.Java.ClassLoader.k
C:\Documents and Settings\Adrock\.jpi_cache\jar\1.0\ar3.jar-13861c29-63a50494.zip Infected: Trojan.Java.ClassLoader.k

Scan process completed.



And finally, here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:20:21 AM, on 6/29/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\ODI\OSTORE\BIN\OSSERVER.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\ATRACK.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Documents and Settings\Adrock\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Open this PDF with PDFtypewriter - {B5EE1724-E26C-4431-A8F3-96FC5FE55CA1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119898526577
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...514/mcfscan.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Client Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
O23 - Service: Symantec Client Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ObjectStore Server R4.0 - Object Design, Inc. - C:\ODI\OSTORE\BIN\OSSERVER.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Client Firewall Proxy Service (SymPxSvc) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe

Your help is greatly appreciated. This is the first time I've been infected by anything in almost 8 years, and as an IT person it's really bugging me that I can't fix it.
  • 0

#6
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
That looks pretty clean. You could however do with a bit of a registry cleanup. There appear to be a lot of orphaned registry entries. We need to do a bit of a cleanup of your HJT log. This won't solve your problem though. It may have been the Alexa thing. It is a good one to not have on your machine. You should also upgrade to at least SP1A as soon as possible. Windows is porous enough even when updated. You appear to love living dangerously.

First we need to make all files and folders VISIBLE:

Go to start>control panel>folder options>view (tab)
*choose to "show hidden files and folders,"
*uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
*Close the window with ok
*All hidden files will now be visible

Please RUN HijackThis and click the SCAN button to produce a log.

Place a check mark beside each one of the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm


The following items are Optional removal items. Removing them from startup should enhance the performance of your system:

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe



Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window and Reboot Your System in Safe Mode

How to use the F8 method to Start Your Computer in Safe Mode

*Restart the computer.
*as soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
*Use the arrow keys to select the Safe mode menu item
*press Enter.


Using Windows Explorer, locate the following folder, and DELETE it with all its content (if it is still present):

C:\Program Files\LimeShop

Exit Explorer, and REBOOT BACK INTO NORMAL MODE

Finally, RUN HijackThis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.


Before posting, give your system a run and see if there is any improvement.

Regards,

Trevuren

  • 0
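The triage above follows a few mechanical rules: R0/R1 start-page entries that are empty or about:blank, an O1 Hosts entry that points a domain somewhere other than the local machine, and an O8 context-menu item backed by a local file:// script get fixed, while O4 startup items are only reviewed for trimming. The following Python script, added here as an illustration and not something from the thread or from the HijackThis tool itself, applies those rules to the log lines posted above; it assumes HijackThis 1.99.1's "Oxx - body" line format and deliberately leaves hosts entries that resolve to 127.0.0.1 alone, since that is the blocking technique an ad-blocking hosts file relies on.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
"""

# HijackThis 1.99.1 item lines look like "R1 - ..." or "O23 - ..."; header and
# "Running processes" lines do not match and are skipped.
HJT_LINE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")

# Hosts entries pointing here are blocks (the MVPS hosts-file technique), not hijacks.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Split a HijackThis log into (section, body) pairs, ignoring non-item lines."""
    items = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            items.append((m.group("section"), m.group("body")))
    return items


def triage(text: str) -> Dict[str, List[str]]:
    """Sort log items into 'fix' (check in HJT), 'review' (optional startup
    trimming) and 'ok' buckets using the rules applied in this thread."""
    verdicts: Dict[str, List[str]] = {"fix": [], "review": [], "ok": []}
    for section, body in parse_hjt(text):
        line = f"{section} - {body}"
        verdict = "ok"
        if section in ("R0", "R1"):
            # "key = value": an empty value or about:blank is a hijacker leftover.
            value = body.split("=", 1)[1].strip() if "=" in body else ""
            if value in ("", "about:blank"):
                verdict = "fix"
        elif section == "O1":
            # "Hosts: <ip> <hostname>": any target that is not loopback
            # silently redirects that hostname to a third-party server.
            parts = body.split(":", 1)[1].split()
            if len(parts) >= 2 and parts[0] not in LOOPBACK:
                verdict = "fix"
        elif section == "O8":
            # A context-menu item backed by a local file:// script (here one
            # LimeShop dropped in its Temp folder) is adware residue.
            if "file://" in body.lower():
                verdict = "fix"
        elif section == "O4":
            # Startup entries are not malicious by themselves; list them so a
            # human can decide which ones to remove for performance.
            verdict = "review"
        verdicts[verdict].append(line)
    return verdicts


if __name__ == "__main__":
    for bucket, lines in triage(SAMPLE_HJT_LOG).items():
        print(f"== {bucket} ==")
        for item in lines:
            print("  " + item)
```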

#7
FortySixandTwo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
First of all, I'd like to thank you again for the help.
So I did everything you asked, and the comp. seems to be running a tad smoother, although it's hard to really tell yet.
And as far as Service Pack 1, I went to download it and it said my key was invalid, since I got a copy of Windows XP Pro back in college.
So now I want to revert to the copy of XP Home that came with my computer, but I can't find the disc or product key anywhere. Any ideas as to where I could obtain it?
My comp is a Sony VAIO, and I doubt Sony keeps records of any of that.
I would really like to get service packs, but I don't have the money to buy Windows, and it came on my computer so I should have a valid product key floating around.

Anyway, here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:54:01 PM, on 6/29/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\ODI\OSTORE\BIN\OSSERVER.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\ATRACK.EXE
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Documents and Settings\Adrock\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Open this PDF with PDFtypewriter - {B5EE1724-E26C-4431-A8F3-96FC5FE55CA1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119898526577
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...514/mcfscan.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Client Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
O23 - Service: Symantec Client Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ObjectStore Server R4.0 - Object Design, Inc. - C:\ODI\OSTORE\BIN\OSSERVER.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Client Firewall Proxy Service (SymPxSvc) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
  • 0

#8
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
1. Open HJT, SCAN and place a checkmark beside the following entry:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

With all windows closed, click Fix checked and EXIT the program.

2. REBOOT your system.

3. Run HJT and post a final log for review.

Regards,

Trevuren

  • 0

#9
FortySixandTwo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
OK, here is the latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:04:10 PM, on 6/30/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\ODI\OSTORE\BIN\OSSERVER.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\ATRACK.EXE
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Adrock\Desktop\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Open this PDF with PDFtypewriter - {B5EE1724-E26C-4431-A8F3-96FC5FE55CA1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119898526577
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...514/mcfscan.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Client Firewall Service (NISSERV) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
O23 - Service: Symantec Client Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ObjectStore Server R4.0 - Object Design, Inc. - C:\ODI\OSTORE\BIN\OSSERVER.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Client Firewall Proxy Service (SymPxSvc) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
  • 0

#10
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Congratulations, your log shows that your SYSTEM IS CLEAN

There are a few things you must do once you are completely clean:

1. Reset and re-enable your System Restore to remove bad files from the backup that Windows makes, as no program is able to clean those files:

TO DISABLE SYSTEM RESTORE
1. Right-click "My Computer", and then left click "Properties".
2. Left click on "System Restore Tab"
3. Check box beside "Turn Off System Restore"
4. Left click on "Apply"

TO ENABLE SYSTEM RESTORE
1. Remove check mark from "Turn Off System Restore"
2. Click on "Apply"

2. Clean up the leftovers. Download CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.


3. Finally, Re-hide your System Files and Folders to prevent any future accidents.


Here are some tips to reduce the potential for spyware infection in the future:

Make sure you keep your Windows OS current by visiting Windows update
regularly to download and install any critical updates and service packs. Without these you are leaving the backdoor open.

I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
And also see TonyKlein's good advice
So how did I get infected in the first place? (My Favorite)

Regards,

Trevuren

  • 0

#11
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0