[Petterflet]

Hello there!

I've been having problems with this stubborn SpySheriff as many others do - it just keeps coming back after a few days which was removed by Spyware Doctor. Moreover, the Task Manager seemed to be gone - when I press Ctrl+Alt+Del it said that "Task Manager has been disabled by adminstrator". As well as the Quick Launch is grayed out!

Please kindly help me on this. I do not know how I have got all this mess since this are many people in the office using this computer. Thanks in advance for your advise.

Takki vd. Petterflet

Below is my logfile:

Logfile of HijackThis v1.99.1
Scan saved at 9:27:19, on 18/7/2548
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Windows Media Player\Skins\WindowsMediaSkin\Data\Level4\smss.exe
C:\Windows\System\Level4\csrss.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\EC.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\l?[bleep].exe
C:\PROGRA~1\SPYWAR~1\swdoctor.exe
C:\Program Files\trhe\bsec.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Documents and Settings\Philipus\My Documents\My Received Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://allstarsearch.net
R3 - URLSearchHook: (no name) - _{2451A86F-EF0E-F6E4-31BD-DCA460AB7322} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {C4ACBCED-237F-07F8-5EB4-72C27EED7E93} - C:\WINDOWS\System32\smkjovgd.dll
O2 - BHO: IEGuarder PopupKiller - {D2A944E9-1043-44AA-8682-82BBA7DD4300} - C:\Program Files\My Ad Blocker\ADBlocker.dll
O2 - BHO: (no name) - {F5818CEA-0E4E-41CA-73F6-47EF4EDF53A4} - C:\WINDOWS\System32\smkjovgd.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [smssLevel4] C:\Program Files\Windows Media Player\Skins\WindowsMediaSkin\Data\Level4\smss.exe
O4 - HKLM\..\Run: [csrssLevel4] C:\Windows\System\Level4\csrss.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [RF] C:\WINDOWS\EC.exe
O4 - HKLM\..\Run: [EXE32EXE] ActionScr.exe
O4 - HKLM\..\Run: [borlandg] NsCplTray.exe
O4 - HKLM\..\Run: [BDSwitchAgent] C:\Program Files\Softwin\BitDefender8\\bdswitch.exe
O4 - HKLM\..\Run: [BDOESRV] C:\Program Files\Softwin\BitDefender8\\bdoesrv.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\Program Files\Softwin\BitDefender8\bdnagent.exe
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Vdwbsei] C:\WINDOWS\System32\l?[bleep].exe
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q
O4 - HKCU\..\Run: [WinInitDll] msag.exe
O4 - HKCU\..\Run: [MONITER] prcmon.exe
O4 - HKCU\..\Run: [Itca] C:\Program Files\trhe\bsec.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: ดาวน์โหลดทั้งหมดโดยใช้ FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: ดาวน์โหลดโดยใช้ FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O13 - Home Prefix: http://allstarsearch.net/gall.php?url=
O13 - Mosaic Prefix: http://allstarsearch.net/gall.php?url=
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by23fd.bay23....es/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {C3531026-459D-48A9-A8C0-37E9BF56AE44} (ClientX Control) - http://www.thaigo.in...tProj1_thai.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredim...er/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C105CFA5-50A3-4012-81B1-C0AEB2235947}: NameServer = 69.50.176.196,195.225.176.110
O21 - SSODL: CANONBJ_Deinstall_CNMCP58.DLL - {CDBFA441-0DAB-CEB4-6A49-C02F949A729D} - c:\bjprinter\cnmwindows\canon i560 installer\inst2\winlkebu32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Edited by therock247uk, 08 August 2005 - 12:15 PM.

[Advertisements]

Hello and welcome to Geeks To Go. My name is Tom. You have several traces of infections on your system. Lets start out with some general scans and see if we cant clean things up a little.

+++++ Step 1 +++++

Please download Ewido security suite it is a trial version of the program.

• Install Ewido security suite
• Launch Ewido, there should be an icon on your desktop double-click it.
• The program will prompt you to update click the OK button
• The program will now go to the main screen

You will need to update ewido to the latest definition files.

• On the left hand side of the main screen click update
• Click on Start

The update will start and a progress bar will show the updates being installed.
Once the updates are installed do the following:

• Click on scanner
• Make sure the following boxes are checked before scanning:
  • Binder
  • Crypter
  • Archives
• Click on Start Scan
• Let the program scan the machine

While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

• Click Save report
• Save the report to your desktop

+++++ Step 2 +++++

Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesnt work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

+++++ Step 3 +++++

Update HiJackThis

• Open HiJackThis
• Click Open the Misc Tools Section
• Click Check for update online

+++++ Step 4 +++++

After that, I will need to see two different logs from HiJackThis. The first is the normal log like you posted here. To get the other one, follow these directions.

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Post back with those logs and we can continue from there.

If you have recieved help elsewhere or no longer need our assistance, please let us know.

[TomNJ]

Hello and welcome to Geeks To Go. My name is Tom. You have several traces of infections on your system. Lets start out with some general scans and see if we cant clean things up a little.

+++++ Step 1 +++++

Please download Ewido security suite it is a trial version of the program.

• Install Ewido security suite
• Launch Ewido, there should be an icon on your desktop double-click it.
• The program will prompt you to update click the OK button
• The program will now go to the main screen

You will need to update ewido to the latest definition files.

• On the left hand side of the main screen click update
• Click on Start

The update will start and a progress bar will show the updates being installed.
Once the updates are installed do the following:

• Click on scanner
• Make sure the following boxes are checked before scanning:
  • Binder
  • Crypter
  • Archives
• Click on Start Scan
• Let the program scan the machine

While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

• Click Save report
• Save the report to your desktop

+++++ Step 2 +++++

Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesnt work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

+++++ Step 3 +++++

Update HiJackThis

• Open HiJackThis
• Click Open the Misc Tools Section
• Click Check for update online

+++++ Step 4 +++++

After that, I will need to see two different logs from HiJackThis. The first is the normal log like you posted here. To get the other one, follow these directions.

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Post back with those logs and we can continue from there.

If you have recieved help elsewhere or no longer need our assistance, please let us know.

[Petterflet]

Thank you Tom, I will be away from my PC for a while and will come back to you next Monday. Thought it will be better that I tell you before I leave.

Petterflet

[Petterflet]

Hello!

Here it is the report from Ewido:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 16:18:59, 19/7/2548
+ Report-Checksum: 38A317C1

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} -> Spyware.Azsearch : Cleaned with backup
C:\WINDOWS\system32\hlv.dll -> Spyware.PurityScan : Cleaned with backup
C:\WINDOWS\system32\1883140.exe -> TrojanDropper.Small.aad : Cleaned with backup
C:\WINDOWS\system32\1889515.exe -> Backdoor.Dumador.cz : Cleaned with backup
C:\WINDOWS\system32\winldra.exe -> Backdoor.Dumador.cz : Cleaned with backup
C:\WINDOWS\system32\vxh8jkdq1.exe -> TrojanDownloader.Agent.qx : Cleaned with backup
C:\WINDOWS\system32\vxh8jkdq8.exe -> TrojanDownloader.Agent.qx : Cleaned with backup
C:\WINDOWS\system32\drv2cltr.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\WINDOWS\SSK3_B5.exe -> TrojanDropper.Small.qn : Cleaned with backup
C:\Documents and Settings\Philipus\Desktop\BootXP\File maker pro\FileMaker_Pro_v7[1].0v1a_French.zip/Regpatch.exe -> Trojan.Small.cr : Cleaned with backup
C:\Documents and Settings\Philipus\Desktop\BootXP\File maker pro\filemakerprov7.0v1apatchfff.zip/Regpatch.exe -> Trojan.Small.cr : Cleaned with backup
C:\Documents and Settings\Philipus\Desktop\BootXP\File maker pro\FileMaker_Pro_v7[1].0v1a_French\Regpatch.exe -> Trojan.Small.cr : Cleaned with backup
C:\Documents and Settings\Philipus\Desktop\BootXP\File maker pro\filemakerprov7.0v1apatchfff\Regpatch.exe -> Trojan.Small.cr : Cleaned with backup
C:\Documents and Settings\Socos\Local Settings\Temp\TNCG77AB.dll -> Adware.SAHA : Cleaned with backup
C:\Documents and Settings\Socos\Local Settings\Temp\180sainstaller.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Socos\Local Settings\Temp\setup4021.cab/liqp7c25q_.dll -> Adware.SAHA : Cleaned with backup
C:\Documents and Settings\Socos\Local Settings\Temp\liqp7c25q_.dll -> Adware.SAHA : Cleaned with backup
C:\Documents and Settings\Socos\Cookies\[email protected][2].txt -> Spyware.Cookie.Shopathomeselect : Cleaned with backup
C:\System Volume Information\_restore{E5EFE15F-774E-49DA-9A22-C48EB9D95B84}\RP80\A0018813.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{E5EFE15F-774E-49DA-9A22-C48EB9D95B84}\RP80\A0019810.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{E5EFE15F-774E-49DA-9A22-C48EB9D95B84}\RP80\A0020810.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{E5EFE15F-774E-49DA-9A22-C48EB9D95B84}\RP81\A0020861.DLL -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{E5EFE15F-774E-49DA-9A22-C48EB9D95B84}\RP81\A0020920.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{E5EFE15F-774E-49DA-9A22-C48EB9D95B84}\RP81\A0021918.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{E5EFE15F-774E-49DA-9A22-C48EB9D95B84}\RP81\A0021936.exe -> Spyware.WeirWeb : Cleaned with backup
C:\System Volume Information\_restore{E5EFE15F-774E-49DA-9A22-C48EB9D95B84}\RP82\A0021967.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{E5EFE15F-774E-49DA-9A22-C48EB9D95B84}\RP82\A0021983.dll -> Adware.SAHA : Cleaned with backup
C:\System Volume Information\_restore{E5EFE15F-774E-49DA-9A22-C48EB9D95B84}\RP82\A0021984.exe -> Adware.SAHA : Cleaned with backup
C:\System Volume Information\_restore{E5EFE15F-774E-49DA-9A22-C48EB9D95B84}\RP82\A0021997.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{E5EFE15F-774E-49DA-9A22-C48EB9D95B84}\RP82\A0024002.exe -> Spyware.WeirWeb : Cleaned with backup
C:\System Volume Information\_restore{E5EFE15F-774E-49DA-9A22-C48EB9D95B84}\RP83\A0026048.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{E5EFE15F-774E-49DA-9A22-C48EB9D95B84}\RP83\A0026075.dll -> Spyware.PurityScan : Cleaned with backup
C:\System Volume Information\_restore{E5EFE15F-774E-49DA-9A22-C48EB9D95B84}\RP83\A0026087.exe -> TrojanDropper.Small.qn : Cleaned with backup
C:\System Volume Information\_restore{E5EFE15F-774E-49DA-9A22-C48EB9D95B84}\RP83\A0036184.exe -> TrojanDropper.Small.qn : Cleaned with backup
C:\System Volume Information\_restore{E5EFE15F-774E-49DA-9A22-C48EB9D95B84}\RP86\A0050941.exe -> Spyware.WeirWeb : Cleaned with backup
C:\System Volume Information\_restore{E5EFE15F-774E-49DA-9A22-C48EB9D95B84}\RP88\A0053014.exe -> TrojanDownloader.Agent.qx : Cleaned with backup
C:\System Volume Information\_restore{E5EFE15F-774E-49DA-9A22-C48EB9D95B84}\RP88\A0053015.exe -> TrojanDownloader.Agent.qx : Cleaned with backup
C:\System Volume Information\_restore{E5EFE15F-774E-49DA-9A22-C48EB9D95B84}\RP88\A0055022.exe -> TrojanDropper.Small.qn : Cleaned with backup
C:\System Volume Information\_restore{E5EFE15F-774E-49DA-9A22-C48EB9D95B84}\RP88\A0055024.exe -> Spyware.WeirWeb : Cleaned with backup
C:\System Volume Information\_restore{E5EFE15F-774E-49DA-9A22-C48EB9D95B84}\RP91\A0058391.exe -> Spyware.WeirWeb : Cleaned with backup
C:\System Volume Information\_restore{E5EFE15F-774E-49DA-9A22-C48EB9D95B84}\RP93\A0067633.dll -> TrojanProxy.Agent.fg : Cleaned with backup
C:\System Volume Information\_restore{E5EFE15F-774E-49DA-9A22-C48EB9D95B84}\RP97\A0069317.exe -> TrojanSpy.Lineage.hy : Cleaned with backup
C:\System Volume Information\_restore{E5EFE15F-774E-49DA-9A22-C48EB9D95B84}\RP97\A0069319.exe -> Spyware.PurityScan : Cleaned with backup
C:\System Volume Information\_restore{E5EFE15F-774E-49DA-9A22-C48EB9D95B84}\RP98\A0069402.dll -> TrojanDownloader.Murlo.ar : Cleaned with backup
C:\Downloads\software\craggle\200541077602282.rar/Craagle.exe -> Spyware.Craagle : Cleaned with backup
C:\Downloads\IncrediMail\New Folder\IncrediMail_XE_build_930.zip/tub.exe -> TrojanDownloader.INService.i : Cleaned with backup
C:\Downloads\IncrediMail\New Folder\IncrediMail_XE_build_931.zip/efc.exe -> TrojanDownloader.INService.i : Cleaned with backup
E:\Program\pat\backup\1.SW\MsgPlus-301.exe/sponsor.exe -> TrojanDownloader.Swizzor.ag : Cleaned with backup
E:\Program\pat\backup\1.SW\New Folder\logocreator\200541077602282.rar/Craagle.exe -> Spyware.Craagle : Cleaned with backup
E:\Program\pat\CS\cs2\Key\200541077602282.rar/Craagle.exe -> Spyware.Craagle : Cleaned with backup


::Report End


Kaspersky detected a lot of adwares and trojans while I regretfully could not get the report file. The second scan didn't work out as it asked for installation.

I couldn't update HijackThis online.
Here is the first log file:

Logfile of HijackThis v1.99.1
Scan saved at 17:13:12, on 25/7/2548
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Windows Media Player\Skins\WindowsMediaSkin\Data\Level4\smss.exe
C:\Windows\System\Level4\csrss.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\SPYWAR~1\swdoctor.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Philipus\My Documents\My Received Files\Takki Security\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://allstarsearch.net
R3 - URLSearchHook: (no name) - _{2451A86F-EF0E-F6E4-31BD-DCA460AB7322} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {C4ACBCED-237F-07F8-5EB4-72C27EED7E93} - C:\WINDOWS\System32\smkjovgd.dll (file missing)
O2 - BHO: IEGuarder PopupKiller - {D2A944E9-1043-44AA-8682-82BBA7DD4300} - C:\Program Files\My Ad Blocker\ADBlocker.dll
O2 - BHO: (no name) - {F5818CEA-0E4E-41CA-73F6-47EF4EDF53A4} - C:\WINDOWS\System32\smkjovgd.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [smssLevel4] C:\Program Files\Windows Media Player\Skins\WindowsMediaSkin\Data\Level4\smss.exe
O4 - HKLM\..\Run: [csrssLevel4] C:\Windows\System\Level4\csrss.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [EXE32EXE] ActionScr.exe
O4 - HKLM\..\Run: [borlandg] NsCplTray.exe
O4 - HKLM\..\Run: [BDSwitchAgent] C:\Program Files\Softwin\BitDefender8\\bdswitch.exe
O4 - HKLM\..\Run: [BDOESRV] C:\Program Files\Softwin\BitDefender8\\bdoesrv.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\Program Files\Softwin\BitDefender8\bdnagent.exe
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Vdwbsei] C:\WINDOWS\System32\l?[bleep].exe
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q
O4 - HKCU\..\Run: [WinInitDll] msag.exe
O4 - HKCU\..\Run: [MONITER] prcmon.exe
O4 - HKCU\..\Run: [Itca] C:\Program Files\trhe\bsec.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: ดาวน์โหลดทั้งหมดโดยใช้ FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: ดาวน์โหลดโดยใช้ FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O13 - Home Prefix: http://allstarsearch.net/gall.php?url=
O13 - Mosaic Prefix: http://allstarsearch.net/gall.php?url=
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by23fd.bay23....es/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {C3531026-459D-48A9-A8C0-37E9BF56AE44} (ClientX Control) - http://www.thaigo.in...tProj1_thai.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredim...er/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C105CFA5-50A3-4012-81B1-C0AEB2235947}: NameServer = 69.50.176.196,195.225.176.110
O21 - SSODL: CANONBJ_Deinstall_CNMCP58.DLL - {CDBFA441-0DAB-CEB4-6A49-C02F949A729D} - c:\bjprinter\cnmwindows\canon i560 installer\inst2\winlkebu32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

The second one:

123di Version 3.0 Demo
Adobe Acrobat 7.0 Professional
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Download Manager 2.0 (ลบออกได้เท่านั้น)
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Photoshop Elements 3.0
AdWare SpyWare SE
Ahead InCD EasyWrite Reader
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Bangkok Bus Routes (Beta)
BitComet 0.56
BitDefender 8 Professional Plus
Canon i560
ewido security suite
FileMaker Pro 7
FlashCapture v1.5
HijackThis 1.99.1
HLIS - 32 for HVM Family
IncrediMail Xe
IsoBuster 1.8
ISOpen V4.0
Kaspersky Anti-Virus Web Scanner
Magic ASCII Studio Version 2.2 Demo
Microsoft Office Professional Edition 2003
My Ad Blocker
Nero 6 Enterprise Edition
NOD32 antivirus system
OIN
Photodex Presenter
ProShow Gold
Realtek RTL8139/810x Fast Ethernet NIC Driver Setup
Right Click Image Converter
SoundMAX
Spyware Doctor 3.2
Teleport Pro
WebCopier Pro
XPSecurity 2005c Build 1219
โปรแกรมจัดทำเอกสาร WinRAR

Thanks a million!
Takki

[TomNJ]

OK lets try this

[*]Press Control-Alt-Del to enter the Task Manager.

Click on the Processes tab and end the following processes:

C:\Program Files\Windows Media Player\Skins\WindowsMediaSkin\Data\Level4\smss.exe
Exit the Task Manager when finished.

[*]Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O2 - BHO: (no name) - {C4ACBCED-237F-07F8-5EB4-72C27EED7E93} - C:\WINDOWS\System32\smkjovgd.dll (file missing)
O2 - BHO: (no name) - {F5818CEA-0E4E-41CA-73F6-47EF4EDF53A4} - C:\WINDOWS\System32\smkjovgd.dll (file missing)
O4 - HKLM\..\Run: [smssLevel4] C:\Program Files\Windows Media Player\Skins\WindowsMediaSkin\Data\Level4\smss.exe
O4 - HKLM\..\Run: [EXE32EXE] ActionScr.exe
O4 - HKLM\..\Run: [borlandg] NsCplTray.exe
O4 - HKCU\..\Run: [WinInitDll] msag.exe
O4 - HKCU\..\Run: [MONITER] prcmon.exe

Click on Fix Checked when finished and exit HijackThis.

[*]Reboot into Safe Mode: please see here if you are not sure how to do this.


Using Windows Explorer, locate the following files/folders, and delete them:

C:\Program Files\Windows Media Player\Skins\WindowsMediaSkin\Data\Level4\smss.exe
C:\WINDOWS\System32\kernels32.exe
ActionScr.exe
NsCplTray.exe
msag.exe
prcmon.exe

Exit Explorer, and reboot as normal afterwards.

Post back a fresh HijackThis log and we will take another look.

[Petterflet]

First of all, I have to say that my Task Manager isn't working as I said so in my first post therefore I couldn't end the process. However, I did the rest as you told me to:

In safe mode, the kernels32.exe, ActionScr.exe, NsCplTray.exe, msag.exe and prcmon.exe aren't exist.

Here is the log file after rebooting:

Logfile of HijackThis v1.99.1
Scan saved at 8:15:06, on 26/7/2548
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Windows\System\Level4\csrss.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Windows Media Player\Skins\WindowsMediaSkin\Data\Level4\smss.exe
C:\PROGRA~1\SPYWAR~1\swdoctor.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Philipus\My Documents\My Received Files\Takki Security\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://allstarsearch.net
R3 - URLSearchHook: (no name) - _{2451A86F-EF0E-F6E4-31BD-DCA460AB7322} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: IEGuarder PopupKiller - {D2A944E9-1043-44AA-8682-82BBA7DD4300} - C:\Program Files\My Ad Blocker\ADBlocker.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [csrssLevel4] C:\Windows\System\Level4\csrss.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] C:\Program Files\Softwin\BitDefender8\\bdswitch.exe
O4 - HKLM\..\Run: [BDOESRV] C:\Program Files\Softwin\BitDefender8\\bdoesrv.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\Program Files\Softwin\BitDefender8\bdnagent.exe
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [smssLevel4] C:\Program Files\Windows Media Player\Skins\WindowsMediaSkin\Data\Level4\smss.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Vdwbsei] C:\WINDOWS\System32\l?[bleep].exe
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q
O4 - HKCU\..\Run: [Itca] C:\Program Files\trhe\bsec.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: ดาวน์โหลดทั้งหมดโดยใช้ FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: ดาวน์โหลดโดยใช้ FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O13 - Home Prefix: http://allstarsearch.net/gall.php?url=
O13 - Mosaic Prefix: http://allstarsearch.net/gall.php?url=
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by23fd.bay23....es/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {C3531026-459D-48A9-A8C0-37E9BF56AE44} (ClientX Control) - http://www.thaigo.in...tProj1_thai.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredim...er/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C105CFA5-50A3-4012-81B1-C0AEB2235947}: NameServer = 69.50.176.196,195.225.176.110
O21 - SSODL: CANONBJ_Deinstall_CNMCP58.DLL - {CDBFA441-0DAB-CEB4-6A49-C02F949A729D} - c:\bjprinter\cnmwindows\canon i560 installer\inst2\winlkebu32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

It seems to me that O4 - HKLM\..\Run: [smssLevel4] C:\Program Files\Windows Media Player\Skins\WindowsMediaSkin\Data\Level4\smss.exe still there.

[Petterflet]

Regardting the smss.exe, I tried disable it in msconfig>Startup. Then I deleted the file again in safe mode. After rebooting please see my log file below:

Logfile of HijackThis v1.99.1
Scan saved at 8:36:42, on 26/7/2548
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\SPYWAR~1\swdoctor.exe
C:\Documents and Settings\Philipus\My Documents\My Received Files\Takki Security\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://allstarsearch.net
R3 - URLSearchHook: (no name) - _{2451A86F-EF0E-F6E4-31BD-DCA460AB7322} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: IEGuarder PopupKiller - {D2A944E9-1043-44AA-8682-82BBA7DD4300} - C:\Program Files\My Ad Blocker\ADBlocker.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [csrssLevel4] C:\Windows\System\Level4\csrss.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] C:\Program Files\Softwin\BitDefender8\\bdswitch.exe
O4 - HKLM\..\Run: [BDOESRV] C:\Program Files\Softwin\BitDefender8\\bdoesrv.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\Program Files\Softwin\BitDefender8\bdnagent.exe
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Vdwbsei] C:\WINDOWS\System32\l?[bleep].exe
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q
O4 - HKCU\..\Run: [Itca] C:\Program Files\trhe\bsec.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: ดาวน์โหลดทั้งหมดโดยใช้ FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: ดาวน์โหลดโดยใช้ FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O13 - Home Prefix: http://allstarsearch.net/gall.php?url=
O13 - Mosaic Prefix: http://allstarsearch.net/gall.php?url=
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by23fd.bay23....es/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {C3531026-459D-48A9-A8C0-37E9BF56AE44} (ClientX Control) - http://www.thaigo.in...tProj1_thai.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredim...er/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C105CFA5-50A3-4012-81B1-C0AEB2235947}: NameServer = 69.50.176.196,195.225.176.110
O21 - SSODL: CANONBJ_Deinstall_CNMCP58.DLL - {CDBFA441-0DAB-CEB4-6A49-C02F949A729D} - c:\bjprinter\cnmwindows\canon i560 installer\inst2\winlkebu32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

[Excal]

Hi Petterflet,

TomNJ had to leave town unexpectedly and asked me to take over your log. I aplogize for the wait you had. Can you please let me know what type of problems you are having and post a fresh HiJackthis log.


Thanks,



Excal

[Petterflet]

Thanks Excal, I first of all had a problem with stubborn SpySheriff and my desktop background was constantly hijacked. Then my Task Manager wasn't working, it said that my "Task Manager has been disable by administrator" and I also had a problem with "Quick Launch" that wasn't working as well. I do not know why.

Here is my fresh HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:01:20 PM, on 8/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\SPYWAR~1\swdoctor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Philipus\My Documents\My Received Files\Takki Security\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://allstarsearch.net
R3 - URLSearchHook: (no name) - _{2451A86F-EF0E-F6E4-31BD-DCA460AB7322} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: IEGuarder PopupKiller - {D2A944E9-1043-44AA-8682-82BBA7DD4300} - C:\Program Files\My Ad Blocker\ADBlocker.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [csrssLevel4] C:\Windows\System\Level4\csrss.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] C:\Program Files\Softwin\BitDefender8\\bdswitch.exe
O4 - HKLM\..\Run: [BDOESRV] C:\Program Files\Softwin\BitDefender8\\bdoesrv.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\Program Files\Softwin\BitDefender8\bdnagent.exe
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Vdwbsei] C:\WINDOWS\System32\l?[bleep].exe
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q
O4 - HKCU\..\Run: [Itca] C:\Program Files\trhe\bsec.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: ดาวน์โหลดทั้งหมดโดยใช้ FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: ดาวน์โหลดโดยใช้ FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O13 - Home Prefix: http://allstarsearch.net/gall.php?url=
O13 - Mosaic Prefix: http://allstarsearch.net/gall.php?url=
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by23fd.bay23....es/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {C3531026-459D-48A9-A8C0-37E9BF56AE44} (ClientX Control) - http://www.thaigo.in...tProj1_thai.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredim...er/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C105CFA5-50A3-4012-81B1-C0AEB2235947}: NameServer = 69.50.176.196,195.225.176.110
O21 - SSODL: CANONBJ_Deinstall_CNMCP58.DLL - {CDBFA441-0DAB-CEB4-6A49-C02F949A729D} - c:\bjprinter\cnmwindows\canon i560 installer\inst2\winlkebu32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Thanks in advance!
Takki Petterflet

[Excal]

Hi Petterflet,


DOWNLOAD PROGRAMS

Download CWShredder here to its own folder.

Update CWShredder

• Open CWShredder and click I AGREE
• Click Check For Update
• Close CWShredder

We will be using this program later.

Download and install CleanUp! Here*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.
We will use this program later.

Please download ewido security suite it is a trial version of the program.

• Install ewido security suite
• When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
• Launch ewido, there should be an icon on your desktop double-click it.
• The program will now go to the main screen

You will need to update ewido to the latest definition files.

• On the left hand side of the main screen click update
• Then click on Start Update

The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates


THE FIX

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Open up and run Ewido:

• Click on scanner
• Click Complete System Scan and the scan will begin.
• During the scan when it ask if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK
• When the scan is finished, look at the bottom of the screen and click the Save report button.
• Save the report to your desktop

Close Ewido

5. Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

6. Close all browsers, windows and unneeded programs.

7. Open HiJack and do a scan.

8. Put a Check next to the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://allstarsearch.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allstarsearch.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://allstarsearch.net
R3 - URLSearchHook: (no name) - _{2451A86F-EF0E-F6E4-31BD-DCA460AB7322} - (no file)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll (file missing)
O2 - BHO: IEGuarder PopupKiller - {D2A944E9-1043-44AA-8682-82BBA7DD4300} - C:\Program Files\My Ad Blocker\ADBlocker.dll
O4 - HKLM\..\Run: [csrssLevel4] C:\Windows\System\Level4\csrss.exe
O4 - HKCU\..\Run: [Vdwbsei] C:\WINDOWS\System32\l?[bleep].exe
O4 - HKCU\..\Run: [Itca] C:\Program Files\trhe\bsec.exe
O13 - Home Prefix: http://allstarsearch.net/gall.php?url=
O13 - Mosaic Prefix: http://allstarsearch.net/gall.php?url=
O17 - HKLM\System\CCS\Services\Tcpip\..\{C105CFA5-50A3-4012-81B1-C0AEB2235947}: NameServer = 69.50.176.196,195.225.176.110
O21 - SSODL: CANONBJ_Deinstall_CNMCP58.DLL - {CDBFA441-0DAB-CEB4-6A49-C02F949A729D} - c:\bjprinter\cnmwindows\canon i560 installer\inst2\winlkebu32.dll (file missing)

If you did not put these two sites into trusted zone, please check them off also:
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)

9. click the Fix Checked box

10. Please remove the following folders using Windows Explorer (if present):

C:\Program Files\trhe
C:\Windows\System\Level4

11. Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\System32\l?[bleep].exe <====I am not sure what this file it, becasue the profanity blocker has Bleeped it out. You are going to have to look on your HiJackthis log to identify this file.

12. Run the program CleanUp!

13. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

14. Please post the Active scan log and a fresh HiJackThis log. Let me know how your computer is running.

[Petterflet]

Below is the report from Ewido:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:27:03 AM, 8/2/2005
+ Report-Checksum: D7030CCE

+ Scan result:

C:\Documents and Settings\Philipus\Local Settings\Temporary Internet Files\Content.IE5\W56Z85M7\stat[2].htm -> TrojanDownloader.Agent.e : Cleaned with backup


::Report End

The C:\WINDOWS\System32\l?[bleep].exe is actually "lsa-ss.exe" without "-" which I can locate it by using Windows Explorer but failed to delete.

CleanUp! freed about 252 MB of Temporary files.

Here is the scan report from ActiveScan:


Incident Status Location

Adware:adware/azesearch No disinfected C:\WINDOWS\SYSTEM32\ztoolbar.xml
Adware:adware/admess No disinfected C:\WINDOWS\SYSTEM32\tmp3.txt
Adware:adware/adsmart No disinfected C:\WINDOWS\SYSTEM32\vx.tll
Adware:adware/nowfind No disinfected C:\WINDOWS\SYSTEM32\wcnl32.dll
Adware:adware/craft No disinfected C:\WINDOWS\SYSTEM32\mscnf.dll
Spyware:spyware/betterinet No disinfected C:\WINDOWS\SYSTEM32\msexnpfi.exe
Spyware:spyware/wareout No disinfected C:\WINDOWS\SYSTEM32\loadctr32.exe
Adware:adware/cws No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\FAVORITES\AdultGambling.url
Adware:adware/cws.searchmeup No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\Spyware Remover.url
Spyware:spyware/bargainbuddy No disinfected C:\WINDOWS\msxct1.ini
Adware:adware/ilookup No disinfected C:\DOCUMENTS AND SETTINGS\PHILIPUS\FAVORITES\Gambling
Adware:adware/topconvert No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TPUSN
Spyware:spyware/surfsidekick No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\SURFSIDEKICK3
Adware:adware/g-search No disinfected HKEY_CLASSES_ROOT\CLSID\{03B1C4D9-BC71-8916-38AD-9DEA5D213614}
Adware:adware/novo No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\CDM
Adware:adware/mediatickets No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING\TRUST DATABASE\0\PPCIMDNNNJBEAHEPFABJIPFGINLOEDKG EGCKAK
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\Shex.exe

Last but not least, the HijackThis report:

Logfile of HijackThis v1.99.1
Scan saved at 11:18:38 AM, on 8/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\SPYWAR~1\swdoctor.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
C:\DOCUME~1\Philipus\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\Philipus\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Documents and Settings\Philipus\My Documents\My Received Files\Takki Security\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] C:\Program Files\Softwin\BitDefender8\\bdswitch.exe
O4 - HKLM\..\Run: [BDOESRV] C:\Program Files\Softwin\BitDefender8\\bdoesrv.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\Program Files\Softwin\BitDefender8\bdnagent.exe
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: ดาวน์โหลดทั้งหมดโดยใช้ FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: ดาวน์โหลดโดยใช้ FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by23fd.bay23....es/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {C3531026-459D-48A9-A8C0-37E9BF56AE44} (ClientX Control) - http://www.thaigo.in...tProj1_thai.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredim...er/imloader.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

By the way, the SpySheriff seemed to be gone. Still, I have problems with Task Manager and Quick Launch.

Thanks,
Takki P.

Edited by Petterflet, 01 August 2005 - 10:45 PM.

[Excal]

Takki,

You DO NOT want to delete C:\WINDOWS\System32"lsa-ss.exe" without "-". Thats a valid windows file.

Copy everything inside the quote box below (starting with dir) and paste it into notepad. Go up to "File > Save As" and click the drop-down box to change the "Save As Type" to "All Files". Save it as findfile.bat on your Desktop.

(replace the $$ with ss please )

dir C:\WINDOWS\system32\l?a$$.exe /a h > files.txt
notepad files.txt

Locate findfile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the contents of that Notepad here along with a new HiJackThis log.

Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg (make sure that Save as Type is set at "All Files") on your Desktop. Ensure there is no space at above REGEDIT 4.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TPUSN]

[-HKEY_LOCAL_MACHINE\SOFTWARE\SURFSIDEKICK3]

[-HKEY_CLASSES_ROOT\CLSID\{03B1C4D9-BC71-8916-38AD-9DEA5D213614}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\CDM]

[-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING\TRUST DATABASE\0\PPCIMDNNNJBEAHEPFABJIPFGINLOEDKG EGCKAK]

Locate fixme.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer "Yes" and wait for a message to appear similar to "Merged Successfully".


Please remove the following folders using Windows Explorer (if present):

C:\DOCUMENTS AND SETTINGS\ALL USERS\FAVORITES\AdultGambling.url
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\Spyware Remover.url
C:\DOCUMENTS AND SETTINGS\PHILIPUS\FAVORITES\Gambling

• Open HiJackThis
  
• Click on the configure button on the bottom right
  
• Click on the tab "Misc Tools"
  
• Click on "Delete File on Reboot"
  
• Navigate to this file - C:\WINDOWS\msxct1.ini
  
• Double click on that file.
  
• HJT asks you if you want to reboot, now. Click "no".
  
  Do that for the following files also, until you get to the last one, then click "yes" when HJT asks you to reboot.

C:\WINDOWS\SYSTEM32\ztoolbar.xml
C:\WINDOWS\SYSTEM32\tmp3.txt
C:\WINDOWS\system32\Shex.exe
C:\WINDOWS\SYSTEM32\vx.tll
C:\WINDOWS\SYSTEM32\wcnl32.dll
C:\WINDOWS\SYSTEM32\mscnf.dll
C:\WINDOWS\SYSTEM32\msexnpfi.exe
C:\WINDOWS\SYSTEM32\loadctr32.exe

Still, I have problems with Task Manager and Quick Launch.

Can you tell me exactly what your problems with these are?


Thanks,



Excal

[Petterflet]

Here is the contents in the Notepad:

Volume in drive C is SYSTEM
Volume Serial Number is E864-7923

Directory of C:\WINDOWS\system32

08/28/2002 08:41 PM 11,776 lsass.exe
1 File(s) 11,776 bytes

Directory of C:\Documents and Settings\Philipus\Desktop

And the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:43:40 AM, on 8/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\SPYWAR~1\swdoctor.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Windows\System\Level4\csrss.exe
C:\Program Files\Windows Media Player\Skins\WindowsMediaSkin\Data\Level4\smss.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Philipus\My Documents\My Received Files\Takki Security\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] C:\Program Files\Softwin\BitDefender8\\bdswitch.exe
O4 - HKLM\..\Run: [BDOESRV] C:\Program Files\Softwin\BitDefender8\\bdoesrv.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\Program Files\Softwin\BitDefender8\bdnagent.exe
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [smssLevel4] C:\Program Files\Windows Media Player\Skins\WindowsMediaSkin\Data\Level4\smss.exe
O4 - HKLM\..\Run: [csrssLevel4] C:\Windows\System\Level4\csrss.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: ดาวน์โหลดทั้งหมดโดยใช้ FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: ดาวน์โหลดโดยใช้ FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by23fd.bay23....es/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {C3531026-459D-48A9-A8C0-37E9BF56AE44} (ClientX Control) - http://www.thaigo.in...tProj1_thai.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredim...er/imloader.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


The problem with Task Manager and Quick Launch is that when I press Ctrl+Alt+Del there will be a popped up window saying that "Task manager has been disable by your admisistration", when I right click on the Windows Taskbar I see the Task Manager in gray (unclickable). The same goes with Quick Launch, it just disappeared from the Taskbar and in the Taskbar properties is also unclickable.

Should I try typing "scf /scannow" in Start>Run? I tried it once then it asked me to put Windows XP SP1 in, I did so and it said it's not the CD it wanted to.

Thanks in advance for your help!

Cheers!
Takki

[Excal]

That might be a non malware realted issue, and lets address that as soon as we clean u up

• Please go to Jotti's malware scan
  
• Copy and paste the following file path into the "File to upload & scan"box on the top of the page:
  • C:\WINDOWS\SYSTEM\lsass.exe
• Click on the submit button
  
• Please post the results in your next reply.

[Petterflet]

Excal,

It said "The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file"

I tried upload C:\WINDOWS\system32\lsass.exe instead, Jotti found nothing in it.

Thanks
Takki

Edited by Petterflet, 07 August 2005 - 06:49 PM.