StartPage Trojan [CLOSED]


This topic is locked.

#1 Dreyc (New Member, 6 posts)

Well I tried. I used all the tools in one of the posts above. Now none of my IE settings are saved, the computer randomly restarts, I've lost the Windows XP display options (only allowed to have classic now), it still tries to close my window, and still sets my home page to about:blank. Please help. Thank you.

Logfile of HijackThis v1.99.1
Scan saved at 4:46:59 AM, on 7/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\mspp32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Dreyc Hawking\Desktop\Online Services\SpywareMalware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nsxlc.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nsxlc.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nsxlc.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nsxlc.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nsxlc.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nsxlc.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus8l.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {150875DE-94E1-E8C9-27DC-1267DD628704} - C:\WINDOWS\apixg.dll
O2 - BHO: Class - {FBED823A-D55D-5FC4-3371-07A8B14B3237} - C:\WINDOWS\sdkxp.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [mspp32.exe] C:\WINDOWS\system32\mspp32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [iebi32.exe] C:\WINDOWS\iebi32.exe
O4 - HKLM\..\RunOnce: [netty.exe] C:\WINDOWS\netty.exe
O4 - HKLM\..\RunOnce: [d3mm32.exe] C:\WINDOWS\system32\d3mm32.exe
O4 - HKLM\..\RunOnce: [adddo32.exe] C:\WINDOWS\adddo32.exe
O4 - HKLM\..\RunOnce: [d3we.exe] C:\WINDOWS\system32\d3we.exe
O4 - HKLM\..\RunOnce: [ipch32.exe] C:\WINDOWS\ipch32.exe
O4 - HKLM\..\RunOnce: [ieln.exe] C:\WINDOWS\system32\ieln.exe
O4 - HKLM\..\RunOnce: [sdkyh32.exe] C:\WINDOWS\sdkyh32.exe
O4 - HKLM\..\RunOnce: [ieif.exe] C:\WINDOWS\system32\ieif.exe
O4 - HKLM\..\RunOnce: [wintb.exe] C:\WINDOWS\system32\wintb.exe
O4 - HKLM\..\RunOnce: [appkp32.exe] C:\WINDOWS\system32\appkp32.exe
O4 - HKLM\..\RunOnce: [d3pj.exe] C:\WINDOWS\system32\d3pj.exe
O4 - HKLM\..\RunOnce: [atltt.exe] C:\WINDOWS\system32\atltt.exe
O4 - HKLM\..\RunOnce: [d3eg.exe] C:\WINDOWS\d3eg.exe
O4 - HKLM\..\RunOnce: [netji32.exe] C:\WINDOWS\system32\netji32.exe
O4 - HKLM\..\RunOnce: [ntuu.exe] C:\WINDOWS\system32\ntuu.exe
O4 - HKLM\..\RunOnce: [iegb32.exe] C:\WINDOWS\system32\iegb32.exe
O4 - HKLM\..\RunOnce: [ntxl.exe] C:\WINDOWS\system32\ntxl.exe
O4 - HKLM\..\RunOnce: [atlcf32.exe] C:\WINDOWS\system32\atlcf32.exe
O4 - HKLM\..\RunOnce: [syssp.exe] C:\WINDOWS\system32\syssp.exe
O4 - HKLM\..\RunOnce: [msdt32.exe] C:\WINDOWS\msdt32.exe
O4 - HKLM\..\RunOnce: [ntin.exe] C:\WINDOWS\ntin.exe
O4 - HKLM\..\RunOnce: [iesw.exe] C:\WINDOWS\system32\iesw.exe
O4 - HKLM\..\RunOnce: [iesw32.exe] C:\WINDOWS\system32\iesw32.exe
O4 - HKLM\..\RunOnce: [sdkln32.exe] C:\WINDOWS\sdkln32.exe
O4 - HKLM\..\RunOnce: [mfcqp.exe] C:\WINDOWS\mfcqp.exe
O4 - HKLM\..\RunOnce: [winut.exe] C:\WINDOWS\system32\winut.exe
O4 - HKLM\..\RunOnce: [crzv32.exe] C:\WINDOWS\crzv32.exe
O4 - HKLM\..\RunOnce: [ntst.exe] C:\WINDOWS\system32\ntst.exe
O4 - HKLM\..\RunOnce: [iehr32.exe] C:\WINDOWS\system32\iehr32.exe
O4 - HKLM\..\RunOnce: [sdkml.exe] C:\WINDOWS\system32\sdkml.exe
O4 - HKLM\..\RunOnce: [mfcfb32.exe] C:\WINDOWS\mfcfb32.exe
O4 - HKLM\..\RunOnce: [sdkge32.exe] C:\WINDOWS\sdkge32.exe
O4 - HKLM\..\RunOnce: [crgk.exe] C:\WINDOWS\system32\crgk.exe
O4 - HKLM\..\RunOnce: [ntvz.exe] C:\WINDOWS\ntvz.exe
O4 - HKLM\..\RunOnce: [msov32.exe] C:\WINDOWS\msov32.exe
O4 - HKLM\..\RunOnce: [apiab32.exe] C:\WINDOWS\system32\apiab32.exe
O4 - HKLM\..\RunOnce: [javahs32.exe] C:\WINDOWS\system32\javahs32.exe
O4 - HKLM\..\RunOnce: [sdkhu.exe] C:\WINDOWS\system32\sdkhu.exe
O4 - HKLM\..\RunOnce: [mfcmw32.exe] C:\WINDOWS\system32\mfcmw32.exe
O4 - HKLM\..\RunOnce: [javahi32.exe] C:\WINDOWS\system32\javahi32.exe
O4 - HKLM\..\RunOnce: [sdktx.exe] C:\WINDOWS\system32\sdktx.exe
O4 - HKLM\..\RunOnce: [mswa32.exe] C:\WINDOWS\system32\mswa32.exe
O4 - HKLM\..\RunOnce: [syskl.exe] C:\WINDOWS\syskl.exe
O4 - HKLM\..\RunOnce: [iezd.exe] C:\WINDOWS\system32\iezd.exe
O4 - HKLM\..\RunOnce: [wintm.exe] C:\WINDOWS\wintm.exe
O4 - HKLM\..\RunOnce: [javakm.exe] C:\WINDOWS\javakm.exe
O4 - HKLM\..\RunOnce: [apixo32.exe] C:\WINDOWS\apixo32.exe
O4 - HKLM\..\RunOnce: [ieoq32.exe] C:\WINDOWS\ieoq32.exe
O4 - HKLM\..\RunOnce: [sdklc32.exe] C:\WINDOWS\system32\sdklc32.exe
O4 - HKLM\..\RunOnce: [msfz.exe] C:\WINDOWS\system32\msfz.exe
O4 - HKLM\..\RunOnce: [ipkt32.exe] C:\WINDOWS\ipkt32.exe
O4 - HKLM\..\RunOnce: [adddm32.exe] C:\WINDOWS\system32\adddm32.exe
O4 - HKLM\..\RunOnce: [ievt32.exe] C:\WINDOWS\system32\ievt32.exe
O4 - HKLM\..\RunOnce: [javami.exe] C:\WINDOWS\javami.exe
O4 - HKLM\..\RunOnce: [apirc32.exe] C:\WINDOWS\apirc32.exe
O4 - HKLM\..\RunOnce: [winkt.exe] C:\WINDOWS\system32\winkt.exe
O4 - HKLM\..\RunOnce: [crpv32.exe] C:\WINDOWS\system32\crpv32.exe
O4 - HKLM\..\RunOnce: [addsh32.exe] C:\WINDOWS\system32\addsh32.exe
O4 - HKLM\..\RunOnce: [d3yb32.exe] C:\WINDOWS\system32\d3yb32.exe
O4 - HKLM\..\RunOnce: [mfcxl.exe] C:\WINDOWS\mfcxl.exe
O4 - HKLM\..\RunOnce: [sdkih32.exe] C:\WINDOWS\system32\sdkih32.exe
O4 - HKLM\..\RunOnce: [sysxx.exe] C:\WINDOWS\sysxx.exe
O4 - HKLM\..\RunOnce: [winlt32.exe] C:\WINDOWS\winlt32.exe
O4 - HKLM\..\RunOnce: [javaqn32.exe] C:\WINDOWS\system32\javaqn32.exe
O4 - HKLM\..\RunOnce: [sysrq32.exe] C:\WINDOWS\system32\sysrq32.exe
O4 - HKLM\..\RunOnce: [javaek32.exe] C:\WINDOWS\javaek32.exe
O4 - HKLM\..\RunOnce: [crqv32.exe] C:\WINDOWS\crqv32.exe
O4 - HKLM\..\RunOnce: [netdy.exe] C:\WINDOWS\system32\netdy.exe
O4 - HKLM\..\RunOnce: [apiva32.exe] C:\WINDOWS\system32\apiva32.exe
O4 - HKLM\..\RunOnce: [mfcsv32.exe] C:\WINDOWS\system32\mfcsv32.exe
O4 - HKLM\..\RunOnce: [ipjc.exe] C:\WINDOWS\system32\ipjc.exe
O4 - HKLM\..\RunOnce: [appow32.exe] C:\WINDOWS\system32\appow32.exe
O4 - HKLM\..\RunOnce: [ienk32.exe] C:\WINDOWS\ienk32.exe
O4 - HKLM\..\RunOnce: [ieem32.exe] C:\WINDOWS\system32\ieem32.exe
O4 - HKLM\..\RunOnce: [ntxf32.exe] C:\WINDOWS\ntxf32.exe
O4 - HKLM\..\RunOnce: [addtc.exe] C:\WINDOWS\system32\addtc.exe
O4 - HKLM\..\RunOnce: [javaqa.exe] C:\WINDOWS\system32\javaqa.exe
O4 - HKLM\..\RunOnce: [apimi.exe] C:\WINDOWS\apimi.exe
O4 - HKLM\..\RunOnce: [atlnb.exe] C:\WINDOWS\atlnb.exe
O4 - HKLM\..\RunOnce: [iead32.exe] C:\WINDOWS\iead32.exe
O4 - HKLM\..\RunOnce: [sysuu32.exe] C:\WINDOWS\system32\sysuu32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c46.cab
O16 - DPF: {430DDE24-C051-11CF-95BE-0020AFF75E4F} (ichat xchat Control) - http://tank.wizards....sie/msichat.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121068852781
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://www.cramster....nt/FileOpen.CAB
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O18 - Filter hijack: text/xml - (no CLSID) - (no file)
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\iebi32.exe" /s (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
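The log above shows the classic about:blank hijack of this era: every IE start/search value points at a res:// URL inside a DLL dropped into C:\WINDOWS, two BHOs with random CLSIDs load random-named DLLs from the same place, a long run of HKLM RunOnce values point at random-named executables in C:\WINDOWS and system32, both MIME filters are hijacked with no CLSID, and a service with a garbled display name points at one of the droppings. The script below is an added example, not part of the thread and not a HijackThis feature: it encodes those indicators as heuristics over HJT 1.99 log lines and groups the hits into the three lists a fix post needs (lines to "Fix Checked", files to delete, services to disable). The random-name regex is fitted to the names in this log and is an assumption, not a signature; the embedded sample lines are copied from the log above.

```python
"""Heuristic triage of HijackThis 1.99 log lines for the about:blank / res://
hijack pattern in the log above. Added example, not part of the thread."""
import re
from dataclasses import dataclass

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# First Windows path ending in .exe/.dll inside an entry (quotes optional).
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll))', re.IGNORECASE)
RES_RE = re.compile(r"res://([^/]+)", re.IGNORECASE)
# A file dropped directly into C:\WINDOWS or C:\WINDOWS\system32 (no subfolder).
WINDIR_RE = re.compile(r"^c:\\windows\\(?:system32\\)?([^\\]+)$", re.IGNORECASE)
# Naming pattern of the droppings in this log: a plausible prefix, 2-4 random
# letters, optional "32". Heuristic fitted to this log, not a signature:
# confirm each hit (vendor, signature, timestamp) before deleting anything.
RANDOM_NAME_RE = re.compile(
    r"^(?:ie|sdk|mfc|api|app|net|win|sys|java|d3|atl|ip|ms|cr|add|nt)"
    r"[a-z]{2,4}(?:32)?\.(?:exe|dll)$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str    # HJT section (R1, O4, ...)
    reason: str  # why the line was flagged
    line: str    # the original log line
    path: str    # file to remove, or "" when the entry is registry-only


def _suspicious_path(body):
    """Path if the entry points at a random-named file in the Windows directory."""
    m = PATH_RE.search(body)
    if not m:
        return ""
    name = WINDIR_RE.match(m.group(1))
    return m.group(1) if name and RANDOM_NAME_RE.match(name.group(1)) else ""


def triage_line(line):
    """Return a Finding for one log line, or None when nothing looks hijacked."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    res = RES_RE.search(body)
    if kind in ("R0", "R1") and res:
        return Finding(kind, "IE start/search setting points at a res:// DLL", line, res.group(1))
    if kind == "R3" and "URLSearchHook is missing" in body:
        return Finding(kind, "default URLSearchHook removed", line, "")
    if kind in ("O2", "O3", "O23") and ("(no file)" in body or "(file missing)" in body):
        return Finding(kind, "orphaned entry, target file missing", line, "")
    if kind == "O16" and re.match(r"DPF: \{[0-9A-F-]+\} - ", body, re.IGNORECASE):
        return Finding(kind, "ActiveX download with no control name", line, "")
    if kind == "O18" and "Filter hijack" in body and "(no CLSID)" in body:
        return Finding(kind, "MIME filter hijack with no CLSID", line, "")
    path = _suspicious_path(body)
    if kind in ("O2", "O3", "O4", "O23") and path:
        return Finding(kind, "random-named file in the Windows directory", line, path)
    return None


def triage_log(text):
    return [f for f in map(triage_line, text.splitlines()) if f]


def service_name(line):
    """Display name of an O23 entry, as it appears in services.msc."""
    return line.split(" - ", 1)[1].split(" - ")[0][len("Service: "):]


def cleanup_plan(findings):
    """Group findings the way a fix post does: HJT lines, files, services."""
    return {
        "fix_checked": [f.line for f in findings],
        "delete_files": sorted({f.path for f in findings if f.path}, key=str.lower),
        "disable_services": [service_name(f.line) for f in findings if f.kind == "O23"],
    }


# Constructed sample: a subset of lines copied from the log above.
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nsxlc.dll/sp.html#93256
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {150875DE-94E1-E8C9-27DC-1267DD628704} - C:\WINDOWS\apixg.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [iebi32.exe] C:\WINDOWS\iebi32.exe
O4 - HKLM\..\RunOnce: [d3mm32.exe] C:\WINDOWS\system32\d3mm32.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c46.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121068852781
O18 - Filter hijack: text/xml - (no CLSID) - (no file)
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\iebi32.exe" /s (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for key, items in cleanup_plan(triage_log(SAMPLE)).items():
        print(key, *items, sep="\n    ")
```

Entries that only exist in the registry (the R1/R3 values, the orphaned toolbar, the MIME filters, the service whose file is already gone) land in the fix list with no file to delete; the res:// DLL and the RunOnce targets land in both lists. A file list derived this way is a starting point for the manual deletion step, not a replacement for checking each file.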


#2 Rawe (Visiting Staff, 4,746 posts)

Hello Dreyc and welcome to Gtg!

I'm now working on your log. As soon as a member of the staff checks my reply, I'll get back to you.
Thanks for your patience. ;)

- Rawe

#3 Rawe (Visiting Staff, 4,746 posts)

Hi again! ;)

Please print these instructions out, or write them down, as you can't read them during the fix. This will be a long fix, so please stick with it and be sure to follow every step.

Now, uninstall the programs I list next, if you have any/all of them, as you might have an old version.

Please download;

- Spybot S&D

- Ad-Aware SE Personal, Build 1.06

- Ewido Security Suite

Install it, and update the definitions to the newest files. Do NOT run a scan yet.

- Clean Up

Run the CleanUp installer and get the program ready to be used, but don't run it yet.

- About:Buster

Unzip the contents of AboutBuster.zip and an About:Buster directory will be created.
- Launch About:Buster
- Click "Ok" at the prompt with instructions.
- Click "Update" and then "Check For Update" to launch the update process.
- If any updates exist please download them by clicking "Download Update". After this, exit the updating window.
- Now please close About:Buster


- CWShredder v 2.15

When the CWShredder is installed, please launch it, check for any updates, and close it. Don't Run A Scan Yet!

=> A tutorial for SpyBot
=> A tutorial for Ad-aware

Run the programs, as instructed on those links. (For SpyBot, don't launch TeaTimer as it can get in the way of the fixes.)


Please run at least three of these free online scans here (Use the auto-clean option);
- Trend Micro
- BitDefender
- RAV
- Kaspersky
- Jotti Virusscan
- F-secure


Please, now run CWShredder v 2.15. Use the "Fix" button.


Disconnect from the internet. {for broadband/cable users, it is recommended that you disconnect the cable connection}

Please boot up into Safe Mode.


While rebooting your computer, tap F8 continuously. A menu should come up; choose to go to Safe Mode.


While at Safe Mode, please run About:Buster;

Click "Start" and then "OK" to allow AboutBuster to scan for Alternate Data Streams.
Click "Yes" to allow it to shutdown explorer.exe.
It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
When it has finished, click Save Log. Make sure you save it.
When the scan has finished, and log saved, please reboot your computer to Safe Mode again.


Ok, now run About:Buster again, without the reboot at the end.


Now do this;
Click Start => Run => and type in;

services.msc

Click "OK".

In the services window find service; Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I)

Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then "Ok". Exit the Services utility.


Run HJT. Close any other open windows.

Just hit the button to "Scan". When finished, please check these objects for removal;

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nsxlc.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nsxlc.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nsxlc.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nsxlc.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nsxlc.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nsxlc.dll/sp.html#93256
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {150875DE-94E1-E8C9-27DC-1267DD628704} - C:\WINDOWS\apixg.dll
O2 - BHO: Class - {FBED823A-D55D-5FC4-3371-07A8B14B3237} - C:\WINDOWS\sdkxp.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\RunOnce: [iebi32.exe] C:\WINDOWS\iebi32.exe
O4 - HKLM\..\RunOnce: [netty.exe] C:\WINDOWS\netty.exe
O4 - HKLM\..\RunOnce: [d3mm32.exe] C:\WINDOWS\system32\d3mm32.exe
O4 - HKLM\..\RunOnce: [adddo32.exe] C:\WINDOWS\adddo32.exe
O4 - HKLM\..\RunOnce: [d3we.exe] C:\WINDOWS\system32\d3we.exe
O4 - HKLM\..\RunOnce: [ipch32.exe] C:\WINDOWS\ipch32.exe
O4 - HKLM\..\RunOnce: [ieln.exe] C:\WINDOWS\system32\ieln.exe
O4 - HKLM\..\RunOnce: [sdkyh32.exe] C:\WINDOWS\sdkyh32.exe
O4 - HKLM\..\RunOnce: [ieif.exe] C:\WINDOWS\system32\ieif.exe
O4 - HKLM\..\RunOnce: [wintb.exe] C:\WINDOWS\system32\wintb.exe
O4 - HKLM\..\RunOnce: [appkp32.exe] C:\WINDOWS\system32\appkp32.exe
O4 - HKLM\..\RunOnce: [d3pj.exe] C:\WINDOWS\system32\d3pj.exe
O4 - HKLM\..\RunOnce: [atltt.exe] C:\WINDOWS\system32\atltt.exe
O4 - HKLM\..\RunOnce: [d3eg.exe] C:\WINDOWS\d3eg.exe
O4 - HKLM\..\RunOnce: [netji32.exe] C:\WINDOWS\system32\netji32.exe
O4 - HKLM\..\RunOnce: [ntuu.exe] C:\WINDOWS\system32\ntuu.exe
O4 - HKLM\..\RunOnce: [iegb32.exe] C:\WINDOWS\system32\iegb32.exe
O4 - HKLM\..\RunOnce: [ntxl.exe] C:\WINDOWS\system32\ntxl.exe
O4 - HKLM\..\RunOnce: [atlcf32.exe] C:\WINDOWS\system32\atlcf32.exe
O4 - HKLM\..\RunOnce: [syssp.exe] C:\WINDOWS\system32\syssp.exe
O4 - HKLM\..\RunOnce: [msdt32.exe] C:\WINDOWS\msdt32.exe
O4 - HKLM\..\RunOnce: [ntin.exe] C:\WINDOWS\ntin.exe
O4 - HKLM\..\RunOnce: [iesw.exe] C:\WINDOWS\system32\iesw.exe
O4 - HKLM\..\RunOnce: [iesw32.exe] C:\WINDOWS\system32\iesw32.exe
O4 - HKLM\..\RunOnce: [sdkln32.exe] C:\WINDOWS\sdkln32.exe
O4 - HKLM\..\RunOnce: [mfcqp.exe] C:\WINDOWS\mfcqp.exe
O4 - HKLM\..\RunOnce: [winut.exe] C:\WINDOWS\system32\winut.exe
O4 - HKLM\..\RunOnce: [crzv32.exe] C:\WINDOWS\crzv32.exe
O4 - HKLM\..\RunOnce: [ntst.exe] C:\WINDOWS\system32\ntst.exe
O4 - HKLM\..\RunOnce: [iehr32.exe] C:\WINDOWS\system32\iehr32.exe
O4 - HKLM\..\RunOnce: [sdkml.exe] C:\WINDOWS\system32\sdkml.exe
O4 - HKLM\..\RunOnce: [mfcfb32.exe] C:\WINDOWS\mfcfb32.exe
O4 - HKLM\..\RunOnce: [sdkge32.exe] C:\WINDOWS\sdkge32.exe
O4 - HKLM\..\RunOnce: [crgk.exe] C:\WINDOWS\system32\crgk.exe
O4 - HKLM\..\RunOnce: [ntvz.exe] C:\WINDOWS\ntvz.exe
O4 - HKLM\..\RunOnce: [msov32.exe] C:\WINDOWS\msov32.exe
O4 - HKLM\..\RunOnce: [apiab32.exe] C:\WINDOWS\system32\apiab32.exe
O4 - HKLM\..\RunOnce: [javahs32.exe] C:\WINDOWS\system32\javahs32.exe
O4 - HKLM\..\RunOnce: [sdkhu.exe] C:\WINDOWS\system32\sdkhu.exe
O4 - HKLM\..\RunOnce: [mfcmw32.exe] C:\WINDOWS\system32\mfcmw32.exe
O4 - HKLM\..\RunOnce: [javahi32.exe] C:\WINDOWS\system32\javahi32.exe
O4 - HKLM\..\RunOnce: [sdktx.exe] C:\WINDOWS\system32\sdktx.exe
O4 - HKLM\..\RunOnce: [mswa32.exe] C:\WINDOWS\system32\mswa32.exe
O4 - HKLM\..\RunOnce: [syskl.exe] C:\WINDOWS\syskl.exe
O4 - HKLM\..\RunOnce: [iezd.exe] C:\WINDOWS\system32\iezd.exe
O4 - HKLM\..\RunOnce: [wintm.exe] C:\WINDOWS\wintm.exe
O4 - HKLM\..\RunOnce: [javakm.exe] C:\WINDOWS\javakm.exe
O4 - HKLM\..\RunOnce: [apixo32.exe] C:\WINDOWS\apixo32.exe
O4 - HKLM\..\RunOnce: [ieoq32.exe] C:\WINDOWS\ieoq32.exe
O4 - HKLM\..\RunOnce: [sdklc32.exe] C:\WINDOWS\system32\sdklc32.exe
O4 - HKLM\..\RunOnce: [msfz.exe] C:\WINDOWS\system32\msfz.exe
O4 - HKLM\..\RunOnce: [ipkt32.exe] C:\WINDOWS\ipkt32.exe
O4 - HKLM\..\RunOnce: [adddm32.exe] C:\WINDOWS\system32\adddm32.exe
O4 - HKLM\..\RunOnce: [ievt32.exe] C:\WINDOWS\system32\ievt32.exe
O4 - HKLM\..\RunOnce: [javami.exe] C:\WINDOWS\javami.exe
O4 - HKLM\..\RunOnce: [apirc32.exe] C:\WINDOWS\apirc32.exe
O4 - HKLM\..\RunOnce: [winkt.exe] C:\WINDOWS\system32\winkt.exe
O4 - HKLM\..\RunOnce: [crpv32.exe] C:\WINDOWS\system32\crpv32.exe
O4 - HKLM\..\RunOnce: [addsh32.exe] C:\WINDOWS\system32\addsh32.exe
O4 - HKLM\..\RunOnce: [d3yb32.exe] C:\WINDOWS\system32\d3yb32.exe
O4 - HKLM\..\RunOnce: [mfcxl.exe] C:\WINDOWS\mfcxl.exe
O4 - HKLM\..\RunOnce: [sdkih32.exe] C:\WINDOWS\system32\sdkih32.exe
O4 - HKLM\..\RunOnce: [sysxx.exe] C:\WINDOWS\sysxx.exe
O4 - HKLM\..\RunOnce: [winlt32.exe] C:\WINDOWS\winlt32.exe
O4 - HKLM\..\RunOnce: [javaqn32.exe] C:\WINDOWS\system32\javaqn32.exe
O4 - HKLM\..\RunOnce: [sysrq32.exe] C:\WINDOWS\system32\sysrq32.exe
O4 - HKLM\..\RunOnce: [javaek32.exe] C:\WINDOWS\javaek32.exe
O4 - HKLM\..\RunOnce: [crqv32.exe] C:\WINDOWS\crqv32.exe
O4 - HKLM\..\RunOnce: [netdy.exe] C:\WINDOWS\system32\netdy.exe
O4 - HKLM\..\RunOnce: [apiva32.exe] C:\WINDOWS\system32\apiva32.exe
O4 - HKLM\..\RunOnce: [mfcsv32.exe] C:\WINDOWS\system32\mfcsv32.exe
O4 - HKLM\..\RunOnce: [ipjc.exe] C:\WINDOWS\system32\ipjc.exe
O4 - HKLM\..\RunOnce: [appow32.exe] C:\WINDOWS\system32\appow32.exe
O4 - HKLM\..\RunOnce: [ienk32.exe] C:\WINDOWS\ienk32.exe
O4 - HKLM\..\RunOnce: [ieem32.exe] C:\WINDOWS\system32\ieem32.exe
O4 - HKLM\..\RunOnce: [ntxf32.exe] C:\WINDOWS\ntxf32.exe
O4 - HKLM\..\RunOnce: [addtc.exe] C:\WINDOWS\system32\addtc.exe
O4 - HKLM\..\RunOnce: [javaqa.exe] C:\WINDOWS\system32\javaqa.exe
O4 - HKLM\..\RunOnce: [apimi.exe] C:\WINDOWS\apimi.exe
O4 - HKLM\..\RunOnce: [atlnb.exe] C:\WINDOWS\atlnb.exe
O4 - HKLM\..\RunOnce: [iead32.exe] C:\WINDOWS\iead32.exe
O4 - HKLM\..\RunOnce: [sysuu32.exe] C:\WINDOWS\system32\sysuu32.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c46.cab
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O18 - Filter hijack: text/xml - (no CLSID) - (no file)
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\iebi32.exe" /s (file missing)



Make sure that the above mentioned objects are all checked, then hit "Fix Checked".


Using Windows Explorer, locate the following files and delete if present;

C:\WINDOWS\apixg.dll
C:\WINDOWS\sdkxp.dll
C:\WINDOWS\iebi32.exe
C:\WINDOWS\netty.exe
C:\WINDOWS\system32\d3mm32.exe
C:\WINDOWS\adddo32.exe
C:\WINDOWS\system32\d3we.exe
C:\WINDOWS\ipch32.exe
C:\WINDOWS\system32\ieln.exe
C:\WINDOWS\sdkyh32.exe
C:\WINDOWS\system32\ieif.exe
C:\WINDOWS\system32\wintb.exe
C:\WINDOWS\system32\appkp32.exe
C:\WINDOWS\system32\d3pj.exe
C:\WINDOWS\system32\atltt.exe
C:\WINDOWS\d3eg.exe
C:\WINDOWS\system32\netji32.exe
C:\WINDOWS\system32\ntuu.exe
C:\WINDOWS\system32\iegb32.exe
C:\WINDOWS\system32\ntxl.exe
C:\WINDOWS\system32\atlcf32.exe
C:\WINDOWS\system32\syssp.exe
C:\WINDOWS\msdt32.exe
C:\WINDOWS\ntin.exe
C:\WINDOWS\system32\iesw.exe
C:\WINDOWS\system32\iesw32.exe
C:\WINDOWS\sdkln32.exe
C:\WINDOWS\mfcqp.exe
C:\WINDOWS\system32\winut.exe
C:\WINDOWS\crzv32.exe
C:\WINDOWS\system32\ntst.exe
C:\WINDOWS\system32\iehr32.exe
C:\WINDOWS\system32\sdkml.exe
C:\WINDOWS\mfcfb32.exe
C:\WINDOWS\sdkge32.exe
C:\WINDOWS\system32\crgk.exe
C:\WINDOWS\ntvz.exe
C:\WINDOWS\msov32.exe
C:\WINDOWS\system32\apiab32.exe
C:\WINDOWS\system32\javahs32.exe
C:\WINDOWS\system32\sdkhu.exe
C:\WINDOWS\system32\mfcmw32.exe
C:\WINDOWS\system32\javahi32.exe
C:\WINDOWS\system32\sdktx.exe
C:\WINDOWS\system32\mswa32.exe
C:\WINDOWS\syskl.exe
C:\WINDOWS\system32\iezd.exe
C:\WINDOWS\wintm.exe
C:\WINDOWS\javakm.exe
C:\WINDOWS\apixo32.exe
C:\WINDOWS\ieoq32.exe
C:\WINDOWS\system32\sdklc32.exe
C:\WINDOWS\system32\msfz.exe
C:\WINDOWS\ipkt32.exe
C:\WINDOWS\system32\adddm32.exe
C:\WINDOWS\system32\ievt32.exe
C:\WINDOWS\javami.exe
C:\WINDOWS\apirc32.exe
C:\WINDOWS\system32\winkt.exe
C:\WINDOWS\system32\crpv32.exe
C:\WINDOWS\system32\addsh32.exe
C:\WINDOWS\system32\d3yb32.exe
C:\WINDOWS\mfcxl.exe
C:\WINDOWS\system32\sdkih32.exe
C:\WINDOWS\sysxx.exe
C:\WINDOWS\winlt32.exe
C:\WINDOWS\system32\javaqn32.exe
C:\WINDOWS\system32\sysrq32.exe
C:\WINDOWS\javaek32.exe
C:\WINDOWS\crqv32.exe
C:\WINDOWS\system32\netdy.exe
C:\WINDOWS\system32\apiva32.exe
C:\WINDOWS\system32\mfcsv32.exe
C:\WINDOWS\system32\ipjc.exe
C:\WINDOWS\system32\appow32.exe
C:\WINDOWS\ienk32.exe
C:\WINDOWS\system32\ieem32.exe
C:\WINDOWS\ntxf32.exe
C:\WINDOWS\system32\addtc.exe
C:\WINDOWS\system32\javaqa.exe
C:\WINDOWS\apimi.exe
C:\WINDOWS\atlnb.exe
C:\WINDOWS\iead32.exe
C:\WINDOWS\system32\sysuu32.exe



Please, now run CWShredder v 2.15 again. Use the "Fix" button.


Run a Full Scan in Ewido Security Suite. Save the log from the scan and let it remove anything it can.


Run CleanUp! Be sure to reboot your PC when prompted.
Boot your Windows to normal mode. Run a new scan with HJT. Connect back to the internet when the scan has finished, so that you can post the fresh HJT log along with the log from About:Buster & Ewido.

We'll continue then.

- Rawe

#4 Dreyc (Topic Starter, New Member, 6 posts)

Logfile of HijackThis v1.99.1
Scan saved at 9:32:43 AM, on 7/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\cmd.exe
C:\Athena\login-server.exe
C:\WINDOWS\System32\cmd.exe
C:\Athena\char-server.exe
C:\WINDOWS\System32\cmd.exe
C:\Athena\map-server.exe
C:\Program Files\PlayOnline\SquareEnix\PlayOnlineViewer\pol.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Dreyc Hawking\Desktop\Online Services\SpywareMalware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Class - {76539632-A99F-E4EF-7031-09712D64FC7E} - C:\WINDOWS\system32\javayx32.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [mspp32.exe] C:\WINDOWS\system32\mspp32.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\RunOnce: [appve.exe] C:\WINDOWS\appve.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} -
O16 - DPF: {430DDE24-C051-11CF-95BE-0020AFF75E4F} (ichat xchat Control) - http://tank.wizards....sie/msichat.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121068852781
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://www.cramster....nt/FileOpen.CAB
O18 - Filter hijack: text/xml - (no CLSID) - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Edited by Dreyc, 14 July 2005 - 10:33 AM.

  • 0

#5
Rawe
    Visiting Staff
  • Member
  • 4,746 posts
Hi again Dreyc!

Sorry, but your log looks quite messy. Could you possibly run a new scan with HJT, make sure that WordWrap isn't on in your Notepad, then copy & paste a whole new log correctly? It's quite hard to read from that. Thanks ;)

We'll continue then.

- Rawe :tazz:
  • 0

#6
Dreyc
    New Member
  • Topic Starter
  • Member
  • 6 posts
And fixed.
  • 0

#7
Rawe
    Visiting Staff
  • Member
  • 4,746 posts
Thanks!

I'll get back to you shortly

- Rawe :tazz:
  • 0

#8
Rawe
    Visiting Staff
  • Member
  • 4,746 posts
Ok, let's see if we can get something done with this ;)

Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click "Start Scan"
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log"; please double-click that log, copy the entire contents and paste them here.

- Rawe :tazz:
  • 0

#9
Dreyc
    New Member
  • Topic Starter
  • Member
  • 6 posts
Started Scanning
Internet Cookies
Found 'atwola.com' in 'Internet Explorer Cache'
Programs in Memory
Windows Registry
Found '' in 'Software\BearShare'
Found '' in 'SOFTWARE\Classes\ed2k'
Found '' in 'SOFTWARE\Classes\ed2k\DefaultIcon'
Found '' in 'SOFTWARE\Classes\ed2k\shell\open\command'
Found '' in 'AppEvents\EventLabels\BearShareChatNotifyMsg'
Found '' in 'AppEvents\Schemes\Apps\BearShare'
Found '' in 'AppEvents\Schemes\Apps\BearShare\BearShareChatNotifyMsg'
Found '' in 'AppEvents\Schemes\Apps\BearShare\BearShareChatNotifyMsg\.Current'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BearShare'
Found '' in 'SOFTWARE\Magnet'
Found '' in 'SOFTWARE\Classes\magnet'
Found '' in 'SOFTWARE\Classes\magnet\shell\open\command'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA'
Found 'Location' in 'SOFTWARE\Magnet'
Found 'URL Protocol' in 'SOFTWARE\Classes\magnet'
Found 'DisplayName' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA'
Found 'UninstallString' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA'
Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC'
Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000'
Found '' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1'
Found 'PluginLevel' in 'SYSTEM\CurrentControlSet\Control\Session Manager'
Internet URL Shortcuts
Files and Directories
Found 'BearShare.exe' in 'C:\Program Files\BearShare'
Found '' in 'C:\Program Files\BearShare\db'
Found '' in 'C:\Program Files\BearShare\Extras'
Found '' in 'C:\Program Files\BearShare\Installer'
Found '' in 'C:\Program Files\BearShare\Logs'
Found '' in 'C:\Program Files\BearShare\Playlists'
Found '' in 'C:\Program Files\BearShare\sounds'
Found '' in 'C:\Program Files\BearShare\Webstats'
Found 'Webstats.exe' in 'C:\Program Files\BearShare'
Finished Scanning
Started Backup
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000 for restore. [SCANMODS] Error=5.
Finished Backup
Started Cleaning
[SCANMODS] WARNING: Unable to remove registry keys under 'HKLM\'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC'. Error=5.
[SCANMODS] WARNING: Unable to remove registry keys under 'HKLM\'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000'. Error=5.
Checking for 'C:\Program Files\BearShare\BearShare.exe' in shortcut areas.
Found 'BearShare.lnk' in 'C:\Documents and Settings\All Users\Start Menu\Programs\'
Checking for 'C:\Program Files\BearShare\BearShare.exe' in startup areas.
Cleaning 'C:\Program Files\BearShare\BearShare.exe'
Checking for 'C:\Program Files\BearShare\db' in shortcut areas.
Checking for 'C:\Program Files\BearShare\db' in startup areas.
Cleaning 'C:\Program Files\BearShare\db'
Checking for 'C:\Program Files\BearShare\db\config.bin' in shortcut areas.
Checking for 'C:\Program Files\BearShare\db\config.bin' in startup areas.
Cleaning 'C:\Program Files\BearShare\db\config.bin'
Checking for 'C:\Program Files\BearShare\db\connect.txt' in shortcut areas.
Checking for 'C:\Program Files\BearShare\db\connect.txt' in startup areas.
Cleaning 'C:\Program Files\BearShare\db\connect.txt'
Checking for 'C:\Program Files\BearShare\db\gnucache.dat' in shortcut areas.
Checking for 'C:\Program Files\BearShare\db\gnucache.dat' in startup areas.
Cleaning 'C:\Program Files\BearShare\db\gnucache.dat'
Checking for 'C:\Program Files\BearShare\db\gwebcache.dat' in shortcut areas.
Checking for 'C:\Program Files\BearShare\db\gwebcache.dat' in startup areas.
Cleaning 'C:\Program Files\BearShare\db\gwebcache.dat'
Checking for 'C:\Program Files\BearShare\db\hbcache.dat' in shortcut areas.
Checking for 'C:\Program Files\BearShare\db\hbcache.dat' in startup areas.
Cleaning 'C:\Program Files\BearShare\db\hbcache.dat'
Checking for 'C:\Program Files\BearShare\db\Hostiles.txt' in shortcut areas.
Checking for 'C:\Program Files\BearShare\db\Hostiles.txt' in startup areas.
Cleaning 'C:\Program Files\BearShare\db\Hostiles.txt'
Checking for 'C:\Program Files\BearShare\db\library.dat' in shortcut areas.
Checking for 'C:\Program Files\BearShare\db\library.dat' in startup areas.
Cleaning 'C:\Program Files\BearShare\db\library.dat'
Checking for 'C:\Program Files\BearShare\Extras' in shortcut areas.
Checking for 'C:\Program Files\BearShare\Extras' in startup areas.
Cleaning 'C:\Program Files\BearShare\Extras'
Checking for 'C:\Program Files\BearShare\Installer' in shortcut areas.
Checking for 'C:\Program Files\BearShare\Installer' in startup areas.
Cleaning 'C:\Program Files\BearShare\Installer'
Checking for 'C:\Program Files\BearShare\Logs' in shortcut areas.
Checking for 'C:\Program Files\BearShare\Logs' in startup areas.
Cleaning 'C:\Program Files\BearShare\Logs'
Checking for 'C:\Program Files\BearShare\Logs\memory.txt' in shortcut areas.
Checking for 'C:\Program Files\BearShare\Logs\memory.txt' in startup areas.
Cleaning 'C:\Program Files\BearShare\Logs\memory.txt'
Checking for 'C:\Program Files\BearShare\Logs\ordinal.txt' in shortcut areas.
Checking for 'C:\Program Files\BearShare\Logs\ordinal.txt' in startup areas.
Cleaning 'C:\Program Files\BearShare\Logs\ordinal.txt'
Checking for 'C:\Program Files\BearShare\Playlists' in shortcut areas.
Checking for 'C:\Program Files\BearShare\Playlists' in startup areas.
Cleaning 'C:\Program Files\BearShare\Playlists'
Checking for 'C:\Program Files\BearShare\sounds' in shortcut areas.
Checking for 'C:\Program Files\BearShare\sounds' in startup areas.
Cleaning 'C:\Program Files\BearShare\sounds'
Checking for 'C:\Program Files\BearShare\sounds\notify.wav' in shortcut areas.
Checking for 'C:\Program Files\BearShare\sounds\notify.wav' in startup areas.
Cleaning 'C:\Program Files\BearShare\sounds\notify.wav'
Checking for 'C:\Program Files\BearShare\Webstats' in shortcut areas.
Checking for 'C:\Program Files\BearShare\Webstats' in startup areas.
Cleaning 'C:\Program Files\BearShare\Webstats'
Checking for 'C:\Program Files\BearShare\Webstats.exe' in shortcut areas.
Checking for 'C:\Program Files\BearShare\Webstats.exe' in startup areas.
Cleaning 'C:\Program Files\BearShare\Webstats.exe'
Finished Cleaning
  • 0

#10
Rawe
    Visiting Staff
  • Member
  • 4,746 posts
Hello again Dreyc! Thanks for completing that step. It seems that you have BearShare?
If that is the case, please uninstall the whole program. It comes bundled with malware.
Once we get your computer clean, I'll give you a link where you can see a list of clean P2P programs and infected P2P programs. For now, please uninstall BearShare from Add/Remove Programs, then, using Windows Explorer, locate the following folder and delete it if present:

C:\Program Files\BearShare

Empty your recycle bin.

Reboot, run a new scan with HJT and post the fresh log here.

- Rawe :tazz:
  • 0

#11
Dreyc
    New Member
  • Topic Starter
  • Member
  • 6 posts
Logfile of HijackThis v1.99.1
Scan saved at 5:24:13 AM, on 7/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\MXOALDR.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\cmd.exe
C:\Athena\login-server.exe
C:\WINDOWS\system32\cmd.exe
C:\Athena\char-server.exe
C:\WINDOWS\system32\cmd.exe
C:\Athena\map-server.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Gravity\RO\ShonenRO.exe
C:\Documents and Settings\Dreyc Hawking\Desktop\Online Services\SpywareMalware\HijackThis.exe
C:\WINDOWS\system32\rundll32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {76539632-A99F-E4EF-7031-09712D64FC7E} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} -
O16 - DPF: {430DDE24-C051-11CF-95BE-0020AFF75E4F} (ichat xchat Control) - http://tank.wizards....sie/msichat.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121068852781
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://www.cramster....nt/FileOpen.CAB
O18 - Filter hijack: text/xml - (no CLSID) - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#12
Rawe
    Visiting Staff
  • Member
  • 4,746 posts
Hi again! Thanks for the log. ;)
We're gonna try this tool:

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Double-click the file to install it as follows:
    • Click "Next", read the agreement, Click "Next"
    • Choose "Custom" click "Next".
    • Leave the default installation directory as it is, then click "Next".
    • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
    • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
    Disable SpySweeper Shields
    • Click Shields on the left.
    • Click Internet Explorer and uncheck all items.
    • Click Windows System and uncheck all items.
    • Click Startup Programs and uncheck all items.
  • Once the definitions are installed and shields disabled, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
After this, run CleanUp!, making sure to reboot your PC when prompted. Once Windows has loaded, run a new scan with HiJackThis and post the fresh log here along with the log from SpySweeper.

- Rawe :tazz:
  • 0

#13
Dreyc
    New Member
  • Topic Starter
  • Member
  • 6 posts
Logfile of HijackThis v1.99.1
Scan saved at 10:00:44 AM, on 7/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Dreyc Hawking\Desktop\Online Services\SpywareMalware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {76539632-A99F-E4EF-7031-09712D64FC7E} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {430DDE24-C051-11CF-95BE-0020AFF75E4F} (ichat xchat Control) - http://tank.wizards....sie/msichat.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...83/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121068852781
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,20/mcgdmgr.cab
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://www.cramster....nt/FileOpen.CAB
O18 - Filter hijack: text/xml - (no CLSID) - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

  • 0

#14
Rawe
    Visiting Staff
  • Member
  • 4,746 posts
Hi again Dreyc! Things look better now.

Run HiJackThis (close ANY other open windows and/or open browsers, making sure that only HJT is running at the time!),
run a scan and check these objects for removal:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {76539632-A99F-E4EF-7031-09712D64FC7E} - (no file)


Make sure that the above mentioned objects are all checked, then hit "Fix Checked".

REBOOT!!

Post back & tell me what problems you are having on your PC now.

- Rawe :tazz:
  • 0
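The fix list above follows a few recurring rules (blank or about:blank start/default pages, a missing URLSearchHook, BHOs whose file is gone, dangling MIME filters). As an added example, not part of this thread or of HijackThis, here is a small Python triage helper that applies those same rules to raw HJT log lines; the sample log and its GUIDs are constructed, modelled on the entry formats seen in the thread.

```python
"""Triage helper for HijackThis (HJT) v1.99-style log lines.

Added example, not part of the original thread or of HijackThis itself.
It only flags entries for human review; it never modifies the system.
"""
import re
from dataclasses import dataclass, field

# One HJT entry: a section code (R0, R1, R3, O2, O4, O18 ...) then " - " and the body.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+)\s+-\s+(?P<body>.*)$")


@dataclass
class Finding:
    code: str
    line: str
    reasons: list = field(default_factory=list)


def triage_line(line: str):
    """Return a Finding if the HJT line matches a review heuristic, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    reasons = []
    # R0/R1: IE start page or default page cleared or pointed at about:blank.
    if code in ("R0", "R1"):
        value = body.split("=", 1)[1].strip() if "=" in body else ""
        if value == "" or value.lower() == "about:blank":
            reasons.append("browser page setting blank or about:blank")
    # R3: the default URLSearchHook has been removed.
    if code == "R3" and "URLSearchHook is missing" in body:
        reasons.append("default URLSearchHook missing")
    # O2 BHOs and O4 autoruns whose target no longer exists are left-over hooks.
    if code in ("O2", "O4") and ("(no file)" in body or "(file missing)" in body):
        reasons.append("registered component has no file on disk")
    # O18: a MIME filter with neither CLSID nor file is a dangling filter hijack.
    if code == "O18" and "(no CLSID)" in body and "(no file)" in body:
        reasons.append("filter hijack with no CLSID and no file")
    if not reasons:
        return None
    return Finding(code, line.strip(), reasons)


def triage_log(text: str):
    """Triage every line of an HJT log; returns the findings in log order."""
    findings = []
    for line in text.splitlines():
        f = triage_line(line)
        if f:
            findings.append(f)
    return findings


# Constructed sample log (placeholder GUIDs and paths), not copied from a real machine.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = about:blank
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O4 - HKLM\\..\\Run: [example] C:\\Program Files\\Example\\example.exe
O18 - Filter hijack: text/xml - (no CLSID) - (no file)
O23 - Service: Example Service (ExampleSvc) - Example Corp - C:\\Program Files\\Example\\svc.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.code}: {'; '.join(f.reasons)}\n    {f.line}")
```

Run against the sample it reports the same five kinds of entry the helper asked to have fixed, and leaves the healthy Yahoo start page, the SDHelper BHO and the service entry alone.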

#15
Rawe
    Visiting Staff
  • Member
  • 4,746 posts
Do you still require help with your problem or have you gotten it resolved?
  • 0





