Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

PLEASE HELP ME...

Started by Jag8625 , Jun 29 2005 07:57 PM

  • Please log in to reply

#1
Jag8625
Posted 29 June 2005 - 07:57 PM

Jag8625

    Member

  • Member
  • PipPip
  • 11 posts
I have this virus that I got today downloading a software program my antivirus (Panda) protection catches it, neutralizes it, yet it wont go away. I run spybot it finds nothing, run adaware it finds something, it says its gone but it keeps coming back with each scan.
I then venture into the reg cleaner, simple it shows what you have and you see whats wierd. I delete a LOT of bs new stuff, its gone. Reset do it all again to find it back. I then go and disable the backup process for windows so that its not hiding in the back up folder but that has proven to be of no help. I then go into the actual registry go through a bunch of unknown things delete what I found to be bad through research yet I still cant fix it.
I am getting slow reaction, non stop popups and when I rt click I have no visable menu unless I scroll where it should be.. Im not sure what else I can say but if anyone can give hints, help, or whatever I would be much obliged.

First error in adaware
infected hkey local_Machine/ microsoft/windows/nt/currentversion/winlogon"Shell"

Had all these extra files
cache32_rtneg3 - Folder (keeps comming back)
creditcard32123123123asdsa.ico
greenmovie2313asaadsasfad112341231adsfa.ico
kill all spywareadsfadsf12.ico
pop up blaster12321312.ico

when I delete this R_rtneg from reg it comes back as well as this program called aurora

these are the viruses i have found
w32/sdbpt.ddp.worm
trj?downloader.czu
trj/imiserv.dexploit/byteverify

Edited by Jag8625, 29 June 2005 - 08:10 PM.

  • 0

Advertisements

#2
Michael
Posted 29 June 2005 - 08:05 PM

Michael

    Retired Staff

  • Retired Staff
  • 1,869 posts
I donot know what is your problem but an online virus scan might fix it. good luck with your computer and hope you get along with it better than I do with mine.
  • 0

#3
Jag8625
Posted 29 June 2005 - 08:11 PM

Jag8625

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
we use to get along but well this is all my fault. I found lots of viruses since you read the post...

just call me smart girl..
the sad part is I was fdownloading something to try and make me smarter.. HAHA!
  • 0

#4
Murray S.
Posted 29 June 2005 - 09:18 PM

Murray S.

    Trusted Tech

  • Member
  • PipPipPipPipPipPipPip
  • 4,513 posts
  • MVP
Howdy and welcome to G2G:

Try following the advice and instructions in This Thread !!

Murray
  • 0

#5
Jag8625
Posted 29 June 2005 - 09:44 PM

Jag8625

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
This is my ad-aware scan


Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Wednesday, June 29, 2005 11:39:30 PM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R347 26.10.2004
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file


06-29-2005 11:39:30 PM - Scan started. (Smart mode)

Listing running processes
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 06-30-2005 3:26:25 AM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 06-30-2005 3:26:30 AM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 06-30-2005 3:26:30 AM
BasePriority : Normal
FileSize : 105 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 08/23/2001 12:00:00 PM
Last accessed : 06/30/2005 2:52:35 AM
Last modified : 08/04/2004 7:56:55 AM

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 06-30-2005 3:26:30 AM
BasePriority : Normal
FileSize : 13 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 08/23/2001 12:00:00 PM
Last accessed : 06/30/2005 2:52:35 AM
Last modified : 08/04/2004 7:56:50 AM

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 06-30-2005 3:26:30 AM
BasePriority : Normal
FileSize : 14 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 08/23/2001 12:00:00 PM
Last accessed : 06/30/2005 2:52:37 AM
Last modified : 08/04/2004 7:56:57 AM

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 06-30-2005 3:26:31 AM
BasePriority : Normal
FileSize : 14 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 08/23/2001 12:00:00 PM
Last accessed : 06/30/2005 2:52:37 AM
Last modified : 08/04/2004 7:56:57 AM

#:7 [lexbces.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 06-30-2005 3:26:32 AM
BasePriority : Normal
FileSize : 296 KB
FileVersion : 8.29
ProductVersion : 8.29
Copyright : © 1993 - 2003 Lexmark International, Inc.
CompanyName : Lexmark International, Inc.
FileDescription : LexBce Service
InternalName : LexBce Service
OriginalFilename : LexBceS.exe
ProductName : MarkVision for Windows (32 bit)
Created on : 03/03/2004 3:06:09 AM
Last accessed : 06/30/2005 2:52:40 AM
Last modified : 08/18/2003 10:37:10 AM

#:8 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 06-30-2005 3:26:32 AM
BasePriority : Normal
FileSize : 56 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 08/23/2001 12:00:00 PM
Last accessed : 06/30/2005 2:52:41 AM
Last modified : 08/04/2004 7:56:57 AM

#:9 [lexpps.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 06-30-2005 3:26:32 AM
BasePriority : Normal
FileSize : 170 KB
FileVersion : 8.29
ProductVersion : 8.29
Copyright : © 1993 - 2003 Lexmark International, Inc.
CompanyName : Lexmark International, Inc.
FileDescription : LEXPPS.EXE
InternalName : LEXPPS
OriginalFilename : LEXPPS.EXE
ProductName : MarkVision for Windows (32 bit)
Created on : 03/03/2004 3:06:09 AM
Last accessed : 06/30/2005 2:52:40 AM
Last modified : 08/18/2003 10:32:56 AM

#:10 [mdm.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\
ThreadCreationTime : 06-30-2005 3:26:34 AM
BasePriority : Normal
FileSize : 314 KB
FileVersion : 7.00.9466
ProductVersion : 7.00.9466
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
OriginalFilename : mdm.exe
ProductName : Microsoft
Created on : 06/20/2003 4:25:00 AM
Last accessed : 06/30/2005 2:52:49 AM
Last modified : 06/20/2003 4:25:00 AM

#:11 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 06-30-2005 3:26:34 AM
BasePriority : Normal
FileSize : 76 KB
FileVersion : 6.14.10.5656
ProductVersion : 6.14.10.5656
Copyright : © NVIDIA Corporation. All rights reserved.
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 56.56
InternalName : NVSVC
OriginalFilename : nvsvc32.exe
ProductName : NVIDIA Driver Helper Service, Version 56.56
Created on : 02/04/2004 3:37:00 PM
Last accessed : 06/30/2005 2:52:49 AM
Last modified : 02/04/2004 3:37:00 PM

#:12 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 06-30-2005 3:26:34 AM
BasePriority : Normal
FileSize : 14 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 08/23/2001 12:00:00 PM
Last accessed : 06/30/2005 2:52:37 AM
Last modified : 08/04/2004 7:56:57 AM

#:13 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 06-30-2005 3:26:37 AM
BasePriority : Normal
FileSize : 1008 KB
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 03/05/2004 11:32:32 PM
Last accessed : 06/30/2005 3:27:28 AM
Last modified : 08/04/2004 7:56:49 AM

#:14 [apvxdwin.exe]
FilePath : C:\Program Files\Panda Software\Panda Antivirus Titanium\
ThreadCreationTime : 06-30-2005 3:26:38 AM
BasePriority : Normal
FileSize : 188 KB
FileVersion : 3.06.03
ProductVersion : 2.05.05
CompanyName : Panda Software International
FileDescription : ApVxdWin
InternalName : ApVxdWin.exe
OriginalFilename : ApVxdWin.exe
ProductName : Panda Antivirus Titanium
Created on : 03/06/2004 1:02:19 PM
Last accessed : 06/30/2005 3:36:22 AM
Last modified : 06/25/2003 11:59:12 PM

#:15 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ThreadCreationTime : 06-30-2005 3:26:38 AM
BasePriority : Normal
FileSize : 96 KB
FileVersion : 6.5.1
ProductVersion : QuickTime 6.5.1
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
OriginalFilename : QTTask.exe
ProductName : QuickTime
Created on : 02/21/2005 10:40:00 PM
Last accessed : 06/30/2005 3:26:38 AM
Last modified : 02/21/2005 10:40:00 PM

#:16 [issch.exe]
FilePath : C:\Program Files\Common Files\InstallShield\UpdateService\
ThreadCreationTime : 06-30-2005 3:26:38 AM
BasePriority : Normal
FileSize : 80 KB
FileVersion : 3, 10, 100, 1146
ProductVersion : 3, 10
Copyright : Copyright © 1990-2004 InstallShield Software Corporation
CompanyName : InstallShield Software Corporation
FileDescription : InstallShield Update Service Scheduler
InternalName : Scheduler
OriginalFilename : issch.exe
ProductName : InstallShield Update Service
Created on : 06/16/2004 11:03:04 AM
Last accessed : 06/30/2005 3:04:56 AM
Last modified : 06/16/2004 11:03:04 AM

#:17 [lsetnx.exe]
FilePath : c:\windows\system32\
ThreadCreationTime : 06-30-2005 3:26:39 AM
BasePriority : Normal
FileSize : 81 KB
FileVersion : 1, 1, 0, 3
ProductVersion : 0, 0, 7, 0
Created on : 06/03/2005 7:49:28 AM
Last accessed : 06/30/2005 3:26:39 AM
Last modified : 06/03/2005 7:49:28 AM

#:18 [msmsgs.exe]
FilePath : C:\Program Files\Messenger\
ThreadCreationTime : 06-30-2005 3:31:57 AM
BasePriority : Normal
FileSize : 1654 KB
FileVersion : 4.7.3001
ProductVersion : Version 4.7.3001
Copyright : Copyright © Microsoft Corporation 2004
CompanyName : Microsoft Corporation
FileDescription : Windows Messenger
InternalName : msmsgs
OriginalFilename : msmsgs.exe
ProductName : Messenger
Created on : 04/15/2003 12:30:14 AM
Last accessed : 06/30/2005 3:32:55 AM
Last modified : 10/13/2004 4:24:37 PM

#:19 [icqlite.exe]
FilePath : C:\Program Files\ICQLite\
ThreadCreationTime : 06-30-2005 3:34:59 AM
BasePriority : Normal
FileSize : 2835 KB
FileVersion : 20, 32, 2315, 0
ProductVersion : 20, 32, 2315, 0
Copyright : Copyright © 2002
CompanyName : ICQ Ltd.
FileDescription : ICQLite
InternalName : ICQ Lite
OriginalFilename : ICQLite.exe
ProductName : ICQLite
Created on : 09/10/2004 5:17:03 PM
Last accessed : 06/30/2005 3:34:59 AM
Last modified : 02/17/2005 4:37:36 PM

#:20 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ThreadCreationTime : 06-30-2005 3:35:17 AM
BasePriority : Normal
FileSize : 91 KB
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Microsoft
Created on : 03/05/2004 11:32:54 PM
Last accessed : 06/30/2005 3:35:17 AM
Last modified : 08/04/2004 7:56:50 AM

#:21 [pavsrv51.exe]
FilePath : C:\Program Files\Panda Software\Panda Antivirus Titanium\
ThreadCreationTime : 06-30-2005 3:36:59 AM
BasePriority : High
FileSize : 256 KB
FileVersion : 6.03.0.101
ProductVersion : 6.03
Copyright : Copyright
CompanyName : Panda Software
FileDescription : Panda Antivirus Service for Windows NT/2000
InternalName : pavsrv
OriginalFilename : pavsrv.exe
ProductName : Panda Antivirus
Created on : 03/06/2004 1:02:21 PM
Last accessed : 06/30/2005 3:36:42 AM
Last modified : 03/13/2002 2:17:22 PM

#:22 [avengine.exe]
FilePath : C:\Program Files\Panda Software\Panda Antivirus Titanium\
ThreadCreationTime : 06-30-2005 3:37:00 AM
BasePriority : Normal
FileSize : 108 KB
FileVersion : 6.03.0.100
ProductVersion : 6.03
Copyright : Copyright
CompanyName : Panda Software
FileDescription : Proceso an
InternalName : AVENGINE
OriginalFilename : AVENGINE.exe
ProductName : Panda Antivirus Windows NT/2000
Created on : 03/06/2004 1:02:19 PM
Last accessed : 06/30/2005 3:36:42 AM
Last modified : 03/07/2002 5:09:50 PM

#:23 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 06-30-2005 3:39:26 AM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 03/03/2004 3:24:30 AM
Last accessed : 06/30/2005 3:39:27 AM
Last modified : 07/13/2003 3:00:20 AM

Memory scan result :
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 0


Started registry scan
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

ImIServer IEPlugin Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{1C896551-8B92-4907-8C06-15DB2D1F874A}


ImIServer IEPlugin Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{d36f70b1-7df5-4fd4-a765-70ccc8f72cd7}


ImIServer IEPlugin Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{E2BF1BF3-1FDB-4C93-8874-0B09E71C594C}


ImIServer IEPlugin Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{F3155057-4C2C-4078-8576-50486693FD49}


ImIServer IEPlugin Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : IMIToolbar.BottomFrame


ImIServer IEPlugin Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : IMIToolbar.BottomFrame.1


ImIServer IEPlugin Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : IMIToolbar.LeftFrame


ImIServer IEPlugin Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : IMIToolbar.LeftFrame.1


ImIServer IEPlugin Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : IMIToolbar.PopupBrowser


ImIServer IEPlugin Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : IMIToolbar.PopupBrowser.1


ImIServer IEPlugin Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : imitoolbar.popupwindow


ImIServer IEPlugin Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : imitoolbar.popupwindow.1


ImIServer IEPlugin Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : Interface\{220959EA-B54C-4201-8DF2-1CFAC8B59FD7}


ImIServer IEPlugin Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : Interface\{6A288140-3E1C-4CD9-AAC5-E20FDD4F5D64}


ImIServer IEPlugin Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : Interface\{7371AD3F-C419-4DC0-8E8A-E21FAFAD53E0}


ImIServer IEPlugin Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : Interface\{98B2DDBA-6DA2-4421-AF2B-814E98F53649}


ImIServer IEPlugin Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : wbho.band.1


ImIServer IEPlugin Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : wbho.band


ImIServer IEPlugin Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{01f44a8a-8c97-4325-a378-76e68dc4ab2e}


ImIServer IEPlugin Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : TYPELIB\{57add57b-173e-418a-8f70-17e5c9f2bcc9}


Other Object recognized!
Type : RegValue
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value : Win Server Updt


Windows Object recognized!
Type : RegData
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value : Shell
Data :


Registry scan result :
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 22
Objects found so far: 22


Started deep registry scan
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Pagewebsearch.drsnsrch.com

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://websearch.drs...search.cgi?id="
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Page
Data : "http://websearch.drs...search.cgi?id="

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Barwebsearch.drsnsrch.com

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://websearch.drs...search.cgi?id="
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Bar
Data : "http://websearch.drs...search.cgi?id="

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\SearchURLwebsearch.drsnsrch.com

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "websearch.drsnsrch.com/q.cgi?q="
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\SearchURL
Value :
Data : "websearch.drsnsrch.com/q.cgi?q="

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Pagewebsearch.drsnsrch.com

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://websearch.drs...search.cgi?id="
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Page
Data : "http://websearch.drs...search.cgi?id="

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Barwebsearch.drsnsrch.com

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://websearch.drs...search.cgi?id="
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Bar
Data : "http://websearch.drs...search.cgi?id="

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\SearchSearchAssistantwebsearch.drsnsrch.com

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://websearch.drs...search.cgi?id="
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Search
Value : SearchAssistant
Data : "http://websearch.drs...search.cgi?id="

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\SearchCustomizeSearchwebsearch.drsnsrch.com

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://websearch.drs...search.cgi?id="
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Search
Value : CustomizeSearch
Data : "http://websearch.drs...search.cgi?id="


Deep registry scan result :
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 7
Objects found so far: 29


ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ


Deep scanning and examining files (C:)
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ


Scanning Hosts file(C:\WINDOWS\system32\drivers\etc\hosts)
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

Hosts file scan result:
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
1 entries scanned.
New objects :0
Objects found so far: 29




Performing conditional scans..
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

ImIServer IEPlugin Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CURRENT_USER
Object : Software\intexp


ImIServer IEPlugin Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : Interface\{3E589169-86AD-44FE-B426-F0BF105D5582}


ImIServer IEPlugin Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : Interface\{E4458B4A-6149-4450-84F2-864ADB7E8C52}


ImIServer IEPlugin Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : Remove


ImIServer IEPlugin Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01F44A8A-8C97-4325-A378-76E68DC4AB2E}


ImIServer IEPlugin Object recognized!
Type : File
Data : wupdt.exe
Object : c:\windows\
FileSize : 33 KB
Created on : 06/30/2005 3:15:04 AM
Last accessed : 06/30/2005 3:15:04 AM
Last modified : 06/28/2000 8:23:03 PM



ImIServer IEPlugin Object recognized!
Type : File
Data : lu.dat
Object : c:\windows\

Created on : 06/30/2005 3:18:16 AM
Last accessed : 06/30/2005 3:36:57 AM
Last modified : 06/30/2005 3:36:57 AM



ImIServer IEPlugin Object recognized!
Type : File
Data : redir.txt
Object : c:\windows\

Created on : 06/30/2005 3:15:05 AM
Last accessed : 06/30/2005 3:15:05 AM
Last modified : 06/30/2005 3:15:05 AM



Conditional scan result:
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 8
Objects found so far: 37


11:41:03 PM Scan complete

Summary of this scan
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
Total scanning time :00:01:32:473
Objects scanned :51073
Objects identified :37
Objects ignored :0
New objects :37
  • 0

#6
Jag8625
Posted 29 June 2005 - 09:51 PM

Jag8625

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
P.s

Im so sorry I am so rude.. Hello and thank you for my welcome.. I have been stressing with this for a few hours and getting a bit mad at it, I didnt intentionally mean to be so rude..

I have both spy-bot and ad-aware, however I have ad aware 6. I am reading the thread I SHOULD HAVE already of read..

BTW.. Thank you...

Edited by Jag8625, 29 June 2005 - 10:23 PM.

  • 0

#7
Murray S.
Posted 29 June 2005 - 10:14 PM

Murray S.

    Trusted Tech

  • Member
  • PipPipPipPipPipPipPip
  • 4,513 posts
  • MVP
You are very welcome.. Just as a sidenote, I have asked one of the Admin's to consider moving your post to the Malware Forum..

I think you would be better served in that forum considering your problem !!

Good luck..

Murray
  • 0

#8
Jag8625
Posted 29 June 2005 - 10:59 PM

Jag8625

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
:tazz:

Edited by Jag8625, 30 June 2005 - 01:22 PM.

  • 0

#9
Jag8625
Posted 30 June 2005 - 06:38 AM

Jag8625

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
:tazz: Thanks for moving my post to where it belongs.. Sorry im such a noob.. I found that I have some kind of Trojan as well as some kind of worm. Im not really sure but the ewido program keeps popping up with so many new things all the time.. It cleans them but I am still infected..

I would like to actually post what it has quarantined, but I cant seem to be able to get it to any kind of text file..

im not sure my next best move.. I can remove ewido and try another program.. Advice is always helpful..

I did a search on the "thing" than keeps comming up with ewido the search I did was for spyware.betterinternet. I came up with your forums as an answer but im not sure I should follow the exact directions.. this is the very first result for my search

http://www.geekstogo...ST&f=37&t=35511

Thanks in advance and already for all the help you have already given me...
(In safe Mode)
HiJackThis Log
Logfile of HijackThis v1.99.1
Scan saved at 9:56:52 AM, on 06/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\pavProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\Jag\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\rtneg.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\system32\richedtr.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [richup] C:\WINDOWS\system32\richup.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarest...es2/Install.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {53B8B406-42E4-4DD3-96E7-9DEC8CEB3DD8} (ICQVideoControl Class) - http://xtraz.icq.com...ideoControl.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.co...ysb_regular.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/t...nfo/webscan.cab
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} - http://playroom.icq....yssey_web11.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

this is the ewido scan

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:39:38 PM, 06/30/2005
+ Report-Checksum: A9E03AF0

+ Date of database: 06/30/2005
+ Version of scan engine: v3.0

+ Duration: 117 min
+ Scanned Files: 169743
+ Speed: 24.03 Files/Second
+ Infected files: 61
+ Removed files: 61
+ Files put in quarantine: 61
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Jag\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jag\Desktop\downloads\p2p[p2p-10546,de].exe -> Dialer.Generic -> Cleaned with backup
C:\Documents and Settings\Jag\Desktop\downloads\Worms2-dm.exe -> Spyware.Trymedia.a -> Cleaned with backup
C:\Documents and Settings\Jag\Desktop\downloads\WormsWorldParty-dm.exe -> Spyware.Trymedia.a -> Cleaned with backup
C:\Documents and Settings\Jag\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jag\Local Settings\Temp\Cookies\jag@burstnet[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jag\Local Settings\Temp\Cookies\jag@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jag\Local Settings\Temp\Cookies\jag@geocities[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jag\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jag\Local Settings\Temp\Cookies\jag@realmedia[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jag\Local Settings\Temp\Cookies\jag@real[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jag\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jag\Local Settings\Temp\DrTemp\aurora.exe -> Trojan.Spybi -> Cleaned with backup
C:\Documents and Settings\Jag\Shared\rosetta stone keygen\rosetta stone keygen.exe -> Spyware.HotSearchBar.d -> Cleaned with backup
C:\Documents and Settings\jesse\Cookies\jesse@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\jesse\Cookies\jesse@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\jesse\Cookies\jesse@bfast[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\jesse\Cookies\jesse@burstnet[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\jesse\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\jesse\Cookies\jesse@dcsu6l8hzhr53dm4881fz8oao_2e5h[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\jesse\Cookies\jesse@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\jesse\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\jesse\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\jesse\Cookies\jesse@hitbox[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\jesse\Cookies\jesse@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\jesse\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\jesse\Cookies\jesse@S144191[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\jesse\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\jesse\Cookies\jesse@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\jesse\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\jv16 PowerTools\Backups\0002D6\bb.exe -> Spyware.BargainBuddy.l -> Cleaned with backup
C:\Program Files\jv16 PowerTools\Backups\0006B9\~YG37.exe -> Dialer.Generic -> Cleaned with backup
C:\Program Files\jv16 PowerTools\Backups\001FC1\djtopr1150.exe -> Spyware.Broadcap.a -> Cleaned with backup
C:\Program Files\jv16 PowerTools\Backups\001FC1\jag@80570461[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\jv16 PowerTools\Backups\001FC1\jag@9898577[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\jv16 PowerTools\Backups\001FC1\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\jv16 PowerTools\Backups\001FC1\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\jv16 PowerTools\Backups\001FC1\jag@advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\jv16 PowerTools\Backups\001FC1\jag@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\jv16 PowerTools\Backups\001FC1\jag@bluestreak[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\jv16 PowerTools\Backups\001FC1\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\jv16 PowerTools\Backups\001FC1\jag@clickagents[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\jv16 PowerTools\Backups\001FC1\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\jv16 PowerTools\Backups\001FC1\jag@dcsi8dupuerp17vzhd59b2lwc_8u5u[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\jv16 PowerTools\Backups\001FC1\jag@dcsw1tt43oifwzj4gwbpdjj8d_6q5q[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\jv16 PowerTools\Backups\001FC1\jag@dcsx41mnd5twkf8wyp5mo4xok_6c8d[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\jv16 PowerTools\Backups\001FC1\jag@doubleclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\jv16 PowerTools\Backups\001FC1\jag@fastclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\jv16 PowerTools\Backups\001FC1\jag@gator[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\jv16 PowerTools\Backups\001FC1\jag@marksandspencer[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\jv16 PowerTools\Backups\001FC1\jag@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\jv16 PowerTools\Backups\001FC1\jag@real[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\jv16 PowerTools\Backups\001FC1\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\jv16 PowerTools\Backups\001FC1\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\jv16 PowerTools\Backups\001FC1\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\jv16 PowerTools\Backups\001FC1\jag@zedo[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\MySearch\bar\1.bin\NPMYSRCH.DLL -> Spyware.MyWay.j -> Cleaned with backup
C:\Program Files\MySearch\bar\1.bin\S42NS.EXE -> Spyware.MyWay.j -> Cleaned with backup
C:\WINDOWS\bbchk.exe -> Spyware.Bargainbuddy -> Cleaned with backup
C:\WINDOWS\tdtb.exe -> Trojan.Imiserv.c -> Cleaned with backup
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent.b -> Cleaned with backup


::Report End

HIJACKTHIS AFTER I DID SOME THINGS...
Logfile of HijackThis v1.99.1
Scan saved at 1:50:41 PM, on 06/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Jag\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\system32\richedtr.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {53B8B406-42E4-4DD3-96E7-9DEC8CEB3DD8} (ICQVideoControl Class) - http://xtraz.icq.com...ideoControl.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.co...ysb_regular.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/t...nfo/webscan.cab
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} - http://playroom.icq....yssey_web11.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

AD-Aware Log


Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Thursday, June 30, 2005 1:52:51 PM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R347 26.10.2004
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file


06-30-2005 1:52:51 PM - Scan started. (Smart mode)

Listing running processes
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 06-30-2005 4:41:59 PM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 06-30-2005 4:42:01 PM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 06-30-2005 4:42:01 PM
BasePriority : Normal
FileSize : 105 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 08/23/2001 12:00:00 PM
Last accessed : 06/30/2005 5:40:54 PM
Last modified : 08/04/2004 7:56:55 AM

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 06-30-2005 4:42:01 PM
BasePriority : Normal
FileSize : 13 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 08/23/2001 12:00:00 PM
Last accessed : 06/30/2005 5:40:55 PM
Last modified : 08/04/2004 7:56:50 AM

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 06-30-2005 4:42:02 PM
BasePriority : Normal
FileSize : 14 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 08/23/2001 12:00:00 PM
Last accessed : 06/30/2005 5:40:54 PM
Last modified : 08/04/2004 7:56:57 AM

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 06-30-2005 4:42:02 PM
BasePriority : Normal
FileSize : 14 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 08/23/2001 12:00:00 PM
Last accessed : 06/30/2005 5:40:54 PM
Last modified : 08/04/2004 7:56:57 AM

#:7 [lexbces.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 06-30-2005 4:42:03 PM
BasePriority : Normal
FileSize : 296 KB
FileVersion : 8.29
ProductVersion : 8.29
Copyright : © 1993 - 2003 Lexmark International, Inc.
CompanyName : Lexmark International, Inc.
FileDescription : LexBce Service
InternalName : LexBce Service
OriginalFilename : LexBceS.exe
ProductName : MarkVision for Windows (32 bit)
Created on : 03/03/2004 3:06:09 AM
Last accessed : 06/30/2005 5:40:55 PM
Last modified : 08/18/2003 10:37:10 AM

#:8 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 06-30-2005 4:42:03 PM
BasePriority : Normal
FileSize : 56 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 08/23/2001 12:00:00 PM
Last accessed : 06/30/2005 5:40:56 PM
Last modified : 08/04/2004 7:56:57 AM

#:9 [lexpps.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 06-30-2005 4:42:03 PM
BasePriority : Normal
FileSize : 170 KB
FileVersion : 8.29
ProductVersion : 8.29
Copyright : © 1993 - 2003 Lexmark International, Inc.
CompanyName : Lexmark International, Inc.
FileDescription : LEXPPS.EXE
InternalName : LEXPPS
OriginalFilename : LEXPPS.EXE
ProductName : MarkVision for Windows (32 bit)
Created on : 03/03/2004 3:06:09 AM
Last accessed : 06/30/2005 5:52:51 PM
Last modified : 08/18/2003 10:32:56 AM

#:10 [ewidoctrl.exe]
FilePath : C:\Program Files\ewido\security suite\
ThreadCreationTime : 06-30-2005 4:42:03 PM
BasePriority : Normal
FileSize : 16 KB
FileVersion : 3, 0, 0, 1
ProductVersion : 3, 0, 0, 1
Copyright : Copyright
CompanyName : ewido networks
FileDescription : ewido control
InternalName : ewido control
OriginalFilename : ewidoctrl.exe
ProductName : ewido control
Created on : 11/11/2004 11:53:03 PM
Last accessed : 06/30/2005 5:40:55 PM
Last modified : 11/11/2004 11:53:03 PM

#:11 [mdm.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\
ThreadCreationTime : 06-30-2005 4:42:04 PM
BasePriority : Normal
FileSize : 314 KB
FileVersion : 7.00.9466
ProductVersion : 7.00.9466
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
OriginalFilename : mdm.exe
ProductName : Microsoft
Created on : 06/20/2003 4:25:00 AM
Last accessed : 06/30/2005 5:40:55 PM
Last modified : 06/20/2003 4:25:00 AM

#:12 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 06-30-2005 4:42:04 PM
BasePriority : Normal
FileSize : 76 KB
FileVersion : 6.14.10.5656
ProductVersion : 6.14.10.5656
Copyright : © NVIDIA Corporation. All rights reserved.
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 56.56
InternalName : NVSVC
OriginalFilename : nvsvc32.exe
ProductName : NVIDIA Driver Helper Service, Version 56.56
Created on : 02/04/2004 3:37:00 PM
Last accessed : 06/30/2005 5:40:55 PM
Last modified : 02/04/2004 3:37:00 PM

#:13 [pavsrv51.exe]
FilePath : C:\Program Files\Panda Software\Panda Antivirus Titanium\
ThreadCreationTime : 06-30-2005 4:42:05 PM
BasePriority : High
FileSize : 256 KB
FileVersion : 6.03.0.101
ProductVersion : 6.03
Copyright : Copyright
CompanyName : Panda Software
FileDescription : Panda Antivirus Service for Windows NT/2000
InternalName : pavsrv
OriginalFilename : pavsrv.exe
ProductName : Panda Antivirus
Created on : 03/06/2004 1:02:21 PM
Last accessed : 06/30/2005 5:49:21 PM
Last modified : 03/13/2002 2:17:22 PM

#:14 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 06-30-2005 4:42:05 PM
BasePriority : Normal
FileSize : 14 KB
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 08/23/2001 12:00:00 PM
Last accessed : 06/30/2005 5:40:54 PM
Last modified : 08/04/2004 7:56:57 AM

#:15 [avengine.exe]
FilePath : C:\Program Files\Panda Software\Panda Antivirus Titanium\
ThreadCreationTime : 06-30-2005 4:42:05 PM
BasePriority : Normal
FileSize : 108 KB
FileVersion : 6.03.0.100
ProductVersion : 6.03
Copyright : Copyright
CompanyName : Panda Software
FileDescription : Proceso an
InternalName : AVENGINE
OriginalFilename : AVENGINE.exe
ProductName : Panda Antivirus Windows NT/2000
Created on : 03/06/2004 1:02:19 PM
Last accessed : 06/30/2005 5:52:51 PM
Last modified : 03/07/2002 5:09:50 PM

#:16 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 06-30-2005 4:43:20 PM
BasePriority : Normal
FileSize : 1008 KB
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 03/05/2004 11:32:32 PM
Last accessed : 06/30/2005 5:52:51 PM
Last modified : 08/04/2004 7:56:49 AM

#:17 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ThreadCreationTime : 06-30-2005 4:43:26 PM
BasePriority : Normal
FileSize : 96 KB
FileVersion : 6.5.1
ProductVersion : QuickTime 6.5.1
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
OriginalFilename : QTTask.exe
ProductName : QuickTime
Created on : 02/21/2005 10:40:00 PM
Last accessed : 06/30/2005 5:52:51 PM
Last modified : 02/21/2005 10:40:00 PM

#:18 [issch.exe]
FilePath : C:\Program Files\Common Files\InstallShield\UpdateService\
ThreadCreationTime : 06-30-2005 4:43:28 PM
BasePriority : Normal
FileSize : 80 KB
FileVersion : 3, 10, 100, 1146
ProductVersion : 3, 10
Copyright : Copyright © 1990-2004 InstallShield Software Corporation
CompanyName : InstallShield Software Corporation
FileDescription : InstallShield Update Service Scheduler
InternalName : Scheduler
OriginalFilename : issch.exe
ProductName : InstallShield Update Service
Created on : 06/16/2004 11:03:04 AM
Last accessed : 06/30/2005 5:52:51 PM
Last modified : 06/16/2004 11:03:04 AM

#:19 [msnmsgr.exe]
FilePath : C:\Program Files\MSN Messenger\
ThreadCreationTime : 06-30-2005 4:55:01 PM
BasePriority : Normal
FileSize : 6696 KB
FileVersion : 7.0.0813
ProductVersion : 7.0.0813
Copyright : Copyright © Microsoft Corporation 1997-2005
CompanyName : Microsoft Corporation
FileDescription : MSN Messenger
InternalName : msnmsgr
OriginalFilename : msnmsgr.exe
ProductName : MSN Messenger
Created on : 04/27/2005 5:04:08 PM
Last accessed : 06/30/2005 4:55:05 PM
Last modified : 04/27/2005 5:04:08 PM

#:20 [ypager.exe]
FilePath : C:\Program Files\Yahoo!\Messenger\
ThreadCreationTime : 06-30-2005 4:58:18 PM
BasePriority : Normal
FileSize : 2444 KB
FileVersion : 6,0,0,1750
ProductVersion : 6,0,0,1750
Copyright : Copyright 1998-2004
CompanyName : Yahoo! Inc.
FileDescription : Yahoo! Messenger
InternalName : Yahoo! Messengerr
OriginalFilename : YPager.exe
ProductName : Yahoo! Messenger
Created on : 04/15/2004 11:52:58 PM
Last accessed : 06/30/2005 4:58:18 PM
Last modified : 08/06/2004 7:33:46 PM

#:21 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 06-30-2005 5:52:44 PM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 03/03/2004 3:24:30 AM
Last accessed : 06/30/2005 5:52:44 PM
Last modified : 07/13/2003 3:00:20 AM

Memory scan result :
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 0


Started registry scan
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

Windows Object recognized!
Type : RegData
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value : Shell
Data :


Registry scan result :
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 1
Objects found so far: 1


Started deep registry scan
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"


Deep registry scan result :
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 1
Objects found so far: 2


ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ


Deep scanning and examining files (C:)
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ


Scanning Hosts file(C:\WINDOWS\system32\drivers\etc\hosts)
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

Hosts file scan result:
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
1 entries scanned.
New objects :0
Objects found so far: 2




Performing conditional scans..
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

Conditional scan result:
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 2


1:54:17 PM Scan complete

Summary of this scan
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
Total scanning time :00:01:25:693
Objects scanned :50946
Objects identified :2
Objects ignored :0
New objects :2

Edited by Jag8625, 30 June 2005 - 11:54 AM.

  • 0

#10
Excal
Posted 01 July 2005 - 03:13 PM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi Jag8625 and welcome to GeeksToGo! My name is Excal and I will be helping you.

I can see that you have some malware issues. This maybe a few step process in removing it. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.


DOWNLOAD PROGRAMS

Download and install CleanUp! Here*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.
We will use this program later.


THE FIX

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Go to Start->Run and type in services.msc and hit OK. Then look for System Startup Service (SvcProc) and double click on it. Click on the Stop button and under Startup type, choose Disabled.

5. Close all browsers, windows and unneeded programs.

6. Open HiJack and do a scan.

7. Put a Check next to the following items:

O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\system32\richedtr.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

8. click the Fix Checked box

9. Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\svcproc.exe
C:\WINDOWS\system32\richedtr.dll

10. Run the program CleanUp!

11. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

12. Please post the Active scan log and a fresh HiJackThis log. Let me know how your computer is running.
  • 0

Advertisements

#11
Jag8625
Posted 01 July 2005 - 05:15 PM

Jag8625

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hi Excal...

Thank you again...

My computer is running fine and has been since I did some modifying of my own..
However I am still very much infected... Thank you though for asking!! :tazz:

I did what you said and here are my results..

ACTIVESCAN

Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\cache32_rtneg?
Adware:Adware/Gator No disinfected C:\Documents and Settings\All Users\Start Menu\Programs\Gain Publishing
Adware:Adware/MyWay No disinfected C:\Program Files\MySearch
Adware:Adware/nCase No disinfected Windows Registry
Adware:Adware/PowerScan No disinfected C:\Program Files\Power Scan
Adware:Adware/CWS No disinfected Windows Registry
Adware:Adware/WinTools No disinfected C:\Program Files\Common Files\WinTools
Adware:Adware/SideFind No disinfected Windows Registry
Adware:Adware/WhenUSearch No disinfected C:\Program Files\WhenUSearch
Spyware:Spyware/YourSiteBar No disinfected C:\Program Files\YourSiteBar
Adware:Adware/Aurora No disinfected Windows Registry
Spyware:Spyware/YourSiteBar No disinfected C:\WINDOWS\Downloaded Program Files\ysbactivex.inf
Adware:Adware/Transponder No disinfected C:\WINDOWS\xehudko.exe My guess is I was already infected before just the other day!

Here is the Hi-Jack this Log

Logfile of HijackThis v1.99.1
Scan saved at 7:14:42 PM, on 07/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\pavProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Jag\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {53B8B406-42E4-4DD3-96E7-9DEC8CEB3DD8} (ICQVideoControl Class) - http://xtraz.icq.com...ideoControl.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.co...ysb_regular.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/t...nfo/webscan.cab
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} - http://playroom.icq....yssey_web11.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
  • 0

#12
Excal
Posted 01 July 2005 - 06:34 PM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Helping in chat ;)

:tazz:

Excal
  • 0

#13
Jag8625
Posted 02 July 2005 - 09:20 AM

Jag8625

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hey you again!

Ok so I did a bunch of stuff as you know from my updates reg to you.. lol..
But this is the new HIJACKTHIS LOG.. I am still infected with the savenow/adware trojan... I have been looking into it. Online active scan just found the one.. Ill post it too..

Logfile of HijackThis v1.99.1
Scan saved at 11:18:02 AM, on 07/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jag\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {53B8B406-42E4-4DD3-96E7-9DEC8CEB3DD8} (ICQVideoControl Class) - http://xtraz.icq.com...ideoControl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/t...nfo/webscan.cab
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} - http://playroom.icq....yssey_web11.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe


Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry

P>S

Thank you old wise one... The force is with you!! LOL
  • 0

#14
Excal
Posted 02 July 2005 - 12:40 PM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Try Spybot S&D

See if it might give u the registry entry :tazz:



Excal
  • 0

#15
Jag8625
Posted 02 July 2005 - 11:19 PM

Jag8625

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hi all, Im new here and just recently have signed up to be a geek in training. What brought me here was my infected computer... I then realized what a cool and great thing you are doing for lots of noobs like me and how great it would be to learn and help others as well..
After reading lots and learning half a**ed logs I have cleared my poor infected pc mostly up.. Not to mention LOTS of help from Excal.. However neither of us can figure out where or how to get the last reg key out.

I run adware and get nothing.. same with spy bot.. same with my anti virus (panda titanium) But when I do the Free Active Online scan here http://www.pandasoft...com/activescan/
I get the one dreaded file... However it shows me no path.. All it says is
one file infected on the left the lil url that says adware.. on the right it says registry key and I click the url adware and just get this http://www.pandasoft...deteccion=27660
I have looked it up, went into my reg through regedit, used reg cleaners, and Im at a loss for my next step..

Here is my orginal Post
http://www.geekstogo...&st=0&p=205155


Sorry for the long post and thanks to anyone who can help in advanced..

Edited by Jag8625, 02 July 2005 - 11:22 PM.

  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP