Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Trojan Removal

Started by Redlazer , Jul 19 2005 11:52 AM

  • Please log in to reply

#1
Redlazer
Posted 19 July 2005 - 11:52 AM

Redlazer

    Member

  • Member
  • PipPip
  • 82 posts
I was checking a file for a friend if it was a virus - and it was. Stupid me. Serves me right for being curious, but hey.

Ok Heres my log:

Logfile of HijackThis v1.99.1
Scan saved at 1:47:52 PM, on 7/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Stardock\Object Desktop\ThemeManager\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Media Gateway\MediaGateway.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Fred\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamespy.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [stratas] ggfig.exe
O4 - HKLM\..\RunServices: [stratas] ggfig.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [stratas] ggfig.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Office\Office10\OSA.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.worldofwarcraft.com
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....009/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c420.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109341778421
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15010/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F8B2F78-E754-42C9-AA76-1C5E3AB70A93}: NameServer = 192.168.2.1
O20 - Winlogon Notify: WB - C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Thanks again.

-Red
  • 0

Advertisements

#2
Wizard
Posted 20 July 2005 - 10:13 AM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Hi Redlazer and Welcome to GeekstoGo!

Lets see if we can sniff this bug out!

Go to Add\Remove Programs and Remove Media Gateway

Download WinPFind:
http://www.bleepingc...es/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet!


Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

After restarting in Safe Mode,Configure Windows to Show All Hidden Files and Folders Here is a link to help with that:
http://www.bleepingc...showtutorial=62


Open the Search Assistant(Click Start>>Click Search)
Select All Files and Folders,
Select Advanced Options,
Make sure there is a check by every box under Advanced Options

Now under All Files and Folders,enter this into the text box:

ggfig.exe<< Delete any exact matches!

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe

O4 - HKLM\..\Run: [stratas] ggfig.exe

O4 - HKLM\..\RunServices: [stratas] ggfig.exe

O4 - HKCU\..\Run: [stratas] ggfig.exe

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c420.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

From the WinPFind folder->Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient!

Once the Scan is Complete->Locate the WinPFind.txt in the WinPFind folder!

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>Close>>Follow the Prompts to Restart!!

Restart Normal and have the PC Scanned here:
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates


Post back with a fresh HijackThis log and the reports from WinPFind and Panda!
  • 0

#3
Redlazer
Posted 20 July 2005 - 03:05 PM

Redlazer

    Member

  • Topic Starter
  • Member
  • PipPip
  • 82 posts
I didnt find any Stratas links in my logs.

However, i did the rest of my job : )

Logfile of HijackThis v1.99.1
Scan saved at 1:47:52 PM, on 7/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Stardock\Object Desktop\ThemeManager\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Media Gateway\MediaGateway.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Fred\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamespy.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [stratas] ggfig.exe
O4 - HKLM\..\RunServices: [stratas] ggfig.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [stratas] ggfig.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Office\Office10\OSA.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.worldofwarcraft.com
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....009/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c420.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109341778421
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15010/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F8B2F78-E754-42C9-AA76-1C5E3AB70A93}: NameServer = 192.168.2.1
O20 - Winlogon Notify: WB - C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

WPFind
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "not responding" you can ignore it. Windows is throwing this message up even though the program is still running. As long as the hard disk is working then the program is running.

»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
UPX! 5/8/2005 10:54:10 AM 61440 C:\WINDOWS\system32\a_i_037.dll
PEC2 8/23/2001 8:00:00 AM 41397 C:\WINDOWS\system32\dfrg.msc
PEC2 10/26/2004 6:38:24 PM 716800 C:\WINDOWS\system32\DivX.dll
PECompact2 10/26/2004 6:38:24 PM 716800 C:\WINDOWS\system32\DivX.dll
PECompact2 7/6/2005 10:21:30 PM 1366872 C:\WINDOWS\system32\MRT.exe
aspack 7/6/2005 10:21:30 PM 1366872 C:\WINDOWS\system32\MRT.exe
aspack 8/4/2004 3:56:36 AM 708096 C:\WINDOWS\system32\ntdll.dll
Umonitor 8/4/2004 3:56:44 AM 657920 C:\WINDOWS\system32\rasdlg.dll
UPX! 5/8/2005 10:54:18 AM 155136 C:\WINDOWS\system32\shawn_1.dll
winsync 8/23/2001 8:00:00 AM 1309184 C:\WINDOWS\system32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 1:41:38 AM 1309184 C:\WINDOWS\system32\drivers\mtlstrm.sys
UPX! 2/18/2005 7:43:18 PM 962672 C:\WINDOWS\system32\drivers\VsapiNT.sys
aspack 2/18/2005 7:43:18 PM 962672 C:\WINDOWS\system32\drivers\VsapiNT.sys

Checking the Windows folder for system and hidden files within the last 60 days...
6/25/2005 12:50:32 AM 0 oem14.inf
7/20/2005 2:53:08 PM 8192 default.LOG
7/20/2005 2:53:22 PM 1024 SAM.LOG
7/20/2005 2:53:14 PM 12288 SECURITY.LOG
7/20/2005 3:15:44 PM 262144 software.LOG
7/20/2005 2:53:16 PM 1040384 system.LOG
7/13/2005 3:00:44 AM 1024 ntuser.dat.LOG
6/1/2005 11:44:20 PM 388 f20c6383-90b0-42e3-8b20-af2b2eb73696
6/1/2005 11:44:20 PM 24 Preferred
7/20/2005 2:52:36 PM 6 SA.DAT

»»»»»»»»»»»»»»»»»»»»»»»» Checking Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
7/5/2005 6:12:46 PM 1553 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
2/25/2005 11:15:30 AM 1851 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ATI CATALYST System Tray.lnk
4/23/2005 2:41:56 PM 1478 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
7/5/2005 6:11:16 PM 1554 C:\Documents and Settings\Fred\Application Data\AdobeDLM.log
7/5/2005 6:11:16 PM 0 C:\Documents and Settings\Fred\Application Data\dm.ini

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\SV1
SV1 =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\Maxthon
Maxthon =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\iebar
iebar =

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ZFAdd
{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = C:\Program Files\WinAce\arcext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{48F45200-91E6-11CE-8A4F-0080C81A28D4}
= C:\Program Files\Trend Micro\Internet Security 2005\Tmdshell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{48F45200-91E6-11CE-8A4F-0080C81A28D4}
= C:\Program Files\Trend Micro\Internet Security 2005\Tmdshell.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Acrobat 7.0\ActiveX\PDFShell.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

ATICCC "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
pccguide.exe "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
POINTER point32.exe
nForce Tray Options sstray.exe /r
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
SoundMan SOUNDMAN.EXE
VirtualCloneDrive "C:\VirtualCloneDrive\VCDDaemon.exe" /s

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
IMAIL
MAPI
MSFS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AIM C:\Program Files\AIM\aim.exe -cnetwait.odl
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{BDEADF00-C265-11D0-BCED-00A0C90AB50F}
= C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{0DF44EAA-FF21-4412-828E-260A8728E7F1}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit C:\WINDOWS\system32\userinit.exe,
Shell Explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
= Ati2evxx.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WB
= C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder
{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn
{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck
{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray
{35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apitrap.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cleanup.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divx.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divxdec.ax
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DJSMAR00.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRMINST.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncodeDivXExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncryptPatchVer.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fullsoft.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GBROWSER.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmarq.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmm.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ishscan.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ISSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\javai.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm_g.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\main123w.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msci_uno.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscoree.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvr.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorwks.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mso.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVOPTRF.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NeVideoFX.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPMLIC.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NSWSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PMSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ppw32hlp.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Salwrap.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcore_ebook.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFDTCTT8.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\udtapi.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ums.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vb40032.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbe6.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xlmlEN.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs wbsys.dll

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.0.0.15 - Log file written to "WinPFind.Txt" in the WinPFind folder.

Virus/Spyware Scan


Incident Status Location

Spyware:Spyware/ISTbar No disinfected C:\RECYCLER\S-1-5-21-839522115-651377827-725345543-1003\Dc129.exe
Adware:Adware/nCase No disinfected C:\RECYCLER\S-1-5-21-839522115-651377827-725345543-1003\Dc160.tmp
Adware:Adware/nCase No disinfected C:\RECYCLER\S-1-5-21-839522115-651377827-725345543-1003\Dc161.tmp
Adware:Adware/EliteBar No disinfected C:\RECYCLER\S-1-5-21-839522115-651377827-725345543-1003\Dc165.exe
Spyware:Spyware/ISTbar No disinfected C:\RECYCLER\S-1-5-21-839522115-651377827-725345543-1003\Dc178.html
Spyware:Spyware/YourSiteBar No disinfected C:\RECYCLER\S-1-5-21-839522115-651377827-725345543-1003\Dc179.html
Adware:Adware/NetPals No disinfected C:\RECYCLER\S-1-5-21-839522115-651377827-725345543-1003\Dc80.tmp
Adware:Adware/NetPals No disinfected C:\RECYCLER\S-1-5-21-839522115-651377827-725345543-1003\Dc81.tmp
Adware:Adware/NetPals No disinfected C:\RECYCLER\S-1-5-21-839522115-651377827-725345543-1003\Dc82.tmp
Spyware:Spyware/ISTbar No disinfected C:\RECYCLER\S-1-5-21-839522115-651377827-725345543-1003\Dc83.exe
Adware:Adware/WUpd No disinfected C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll
Virus:Trj/Downloader.CJX Disinfected C:\WINDOWS\system32\a_i_037.dll
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\shawn_1.dll
Adware:Adware/SaveNow No disinfected D:\BearShare\Installer\saveinstwm.exe
Ok.. lead and i shall follow : )

-Red
  • 0

#4
Wizard
Posted 20 July 2005 - 03:42 PM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Please Uninstall BearShare from Add\remove Programs!

Lets play it Safe since Elitebar files are showing up!

Download LQfix
Unzip it and save it to your desktop, don't use it yet!

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Go to a Command Prompt:
Start | Run, and type Cmd and hit OK
At the prompt, type the following bold commands:
(note the spaces!!)

cd\ [hit enter]

attrib -h -s c:\recycler [Enter]

del c:\recycler [enter]


Stay in Command Prompt,type in these additional Commands


del C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll [enter]


del C:\WINDOWS\system32\shawn_1.dll

Exit Command Prompt!


Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe

O4 - HKLM\..\Run: [stratas] ggfig.exe

O4 - HKLM\..\RunServices: [stratas] ggfig.exe

O4 - HKCU\..\Run: [stratas] ggfig.exe

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c420.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!


Reboot into SAFE MODE(Tap F8 when restarting)

Doubleclick LQfix.bat that you saved on your desktop before.
A doswindow will open and close again, this is normal.


Open Ewido and Scan the entire System-> Clean All it finds and Click the button to Save a report!


Restart Normal and Post a Fresh HijackThis log and the Report from Ewido
  • 0

#5
Redlazer
Posted 20 July 2005 - 06:04 PM

Redlazer

    Member

  • Topic Starter
  • Member
  • PipPip
  • 82 posts
Ok, ill do that tonight, thanks again. But im a computer guy and am very familiar with them, so the idiot proof explanations arent necessary : )

And, im really curious, so if you explain exactly whats going on, like what Hijack This does, whats going on with the recycler, and a couple other things. So yeah, just cause im curious : )

Thanks again.

Ill post my results when i have them.

-Red
  • 0

#6
Wizard
Posted 21 July 2005 - 06:16 AM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
LMAO!!!

OK,so you are 1 in a million of the folks I reply to!

Most have no conception of what we are saying!

So the more 1 syllable it is,the less chance of a fubar!
  • 0

#7
Redlazer
Posted 21 July 2005 - 12:37 PM

Redlazer

    Member

  • Topic Starter
  • Member
  • PipPip
  • 82 posts
Here we go:

Ewido:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:32:14 PM, 7/21/2005
+ Report-Checksum: 473F0B5F

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
C:\Documents and Settings\Fred\Cookies\fred@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Fred\Cookies\[email protected][2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Fred\Cookies\fred@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Fred\Cookies\fred@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Fred\Cookies\fred@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Fred\Cookies\[email protected][1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Fred\Cookies\[email protected][1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Fred\Cookies\[email protected][1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Fred\Cookies\[email protected][1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Fred\Cookies\[email protected][1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Fred\Cookies\fred@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Fred\Cookies\[email protected][1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Fred\Cookies\[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Fred\Cookies\fred@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Fred\Cookies\fred@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Fred\Cookies\fred@paycounter[2].txt -> Spyware.Cookie.Paycounter : Cleaned with backup
C:\Documents and Settings\Fred\Cookies\fred@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Fred\Cookies\fred@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Fred\Cookies\[email protected][2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Fred\Cookies\fred@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Fred\Cookies\fred@sexlist[1].txt -> Spyware.Cookie.Sexlist : Cleaned with backup
C:\Documents and Settings\Fred\Cookies\fred@sextracker[2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Fred\Cookies\fred@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Fred\Cookies\[email protected][1].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\Fred\Cookies\fred@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup


::Report End


Hijack This

Logfile of HijackThis v1.99.1
Scan saved at 2:35:03 PM, on 7/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Stardock\Object Desktop\ThemeManager\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Fred\Desktop\Shared\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamespy.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Office\Office10\OSA.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.worldofwarcraft.com
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....009/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109341778421
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15010/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F8B2F78-E754-42C9-AA76-1C5E3AB70A93}: NameServer = 192.168.2.1
O20 - Winlogon Notify: WB - C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

There we go!

-Red
  • 0

#8
Wizard
Posted 22 July 2005 - 02:27 AM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Looks Good!

Hows it running?
  • 0

#9
Redlazer
Posted 22 July 2005 - 10:19 AM

Redlazer

    Member

  • Topic Starter
  • Member
  • PipPip
  • 82 posts
Was running very well before, I just dont like having spyware on my computer : )

Might have another machine up on here in the near future.

Thanks again!

-Red
  • 0

#10
Wizard
Posted 22 July 2005 - 11:07 AM

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Good Deal....Go ahead and flush out the old Restore Points and Create new one!

Disable System Restore
http://service1.syma...src=sec_doc_nam

Restart the PC

Renable System Restore

Restart the PC

Have a look at this little program

SpywareBlaster:
http://www.javacools...areblaster.html
Update Immediatly!

Let me know if there is anything else I can do to help!
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP