Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Startpage-DU.dll [CLOSED]


  • This topic is locked This topic is locked

#1
Carerra

Carerra

    Member

  • Member
  • PipPip
  • 17 posts
Hi all,

I have this Startpage-DU infection that Macafee keeps telling me it has caught but it constantly keeps re-appearing, My startpage is also changed to about Blank, I have tried to search on the forums about the same problem as me and have tried installing a few packages, the problem is still here,

Pls pls help,

Here is my Log,

Logfile of HijackThis v1.99.1
Scan saved at 00:15:01, on 20/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\SecuritySuite.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\khhjq.dll/sp.html#55135
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\khhjq.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {03986A99-8487-BF06-A53A-7D6D4ED76483} - C:\WINDOWS\netdi32.dll
O2 - BHO: Class - {1DD3D11A-3109-1C20-8BD5-58F5241F1766} - C:\WINDOWS\atlaw32.dll (file missing)
O2 - BHO: Class - {427792FE-C50B-E431-ABCE-3735EA006792} - C:\WINDOWS\system32\apiaj32.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Class - {5A197AF4-5935-49F9-0E5B-5ABD9A8F62AD} - C:\WINDOWS\system32\atlde.dll
O2 - BHO: Class - {78EDB338-80F0-E154-CA26-10AA2CB7B816} - C:\WINDOWS\system32\apprs.dll
O2 - BHO: Class - {8A235E4F-CBA3-E0AF-678D-29D9ABA51389} - C:\WINDOWS\system32\appod.dll
O2 - BHO: Class - {D313C43F-6956-1BDC-13C5-B32E2A8D2325} - C:\WINDOWS\apide32.dll
O2 - BHO: Class - {D53BE37F-3A2E-270B-1A0A-66FD4B4BEE2F} - C:\WINDOWS\sysfm32.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [javasm32.exe] C:\WINDOWS\system32\javasm32.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe"
O4 - HKLM\..\RunOnce: [sdkfc.exe] C:\WINDOWS\sdkfc.exe
O4 - HKLM\..\RunOnce: [appju32.exe] C:\WINDOWS\system32\appju32.exe
O4 - HKLM\..\RunOnce: [netwh.exe] C:\WINDOWS\system32\netwh.exe
O4 - HKLM\..\RunOnce: [iebg.exe] C:\WINDOWS\iebg.exe
O4 - HKLM\..\RunOnce: [ieig.exe] C:\WINDOWS\ieig.exe
O4 - HKLM\..\RunOnce: [crag32.exe] C:\WINDOWS\crag32.exe
O4 - HKLM\..\RunOnce: [ntyj32.exe] C:\WINDOWS\system32\ntyj32.exe
O4 - HKLM\..\RunOnce: [mfcja.exe] C:\WINDOWS\system32\mfcja.exe
O4 - HKLM\..\RunOnce: [apirg32.exe] C:\WINDOWS\system32\apirg32.exe
O4 - HKLM\..\RunOnce: [ipwk.exe] C:\WINDOWS\system32\ipwk.exe
O4 - HKLM\..\RunOnce: [netft32.exe] C:\WINDOWS\system32\netft32.exe
O4 - HKLM\..\RunOnce: [d3xp.exe] C:\WINDOWS\system32\d3xp.exe
O4 - HKLM\..\RunOnce: [netli32.exe] C:\WINDOWS\netli32.exe
O4 - HKLM\..\RunOnce: [winqm32.exe] C:\WINDOWS\system32\winqm32.exe
O4 - HKLM\..\RunOnce: [netty32.exe] C:\WINDOWS\netty32.exe
O4 - HKLM\..\RunOnce: [netyy.exe] C:\WINDOWS\netyy.exe
O4 - HKLM\..\RunOnce: [addup.exe] C:\WINDOWS\system32\addup.exe
O4 - HKLM\..\RunOnce: [d3ar.exe] C:\WINDOWS\system32\d3ar.exe
O4 - HKLM\..\RunOnce: [netba.exe] C:\WINDOWS\netba.exe
O4 - HKLM\..\RunOnce: [ntzc32.exe] C:\WINDOWS\ntzc32.exe
O4 - HKLM\..\RunOnce: [iezz32.exe] C:\WINDOWS\iezz32.exe
O4 - HKLM\..\RunOnce: [atlpm.exe] C:\WINDOWS\atlpm.exe
O4 - HKLM\..\RunOnce: [addzc32.exe] C:\WINDOWS\addzc32.exe
O4 - HKLM\..\RunOnce: [mfcgy32.exe] C:\WINDOWS\system32\mfcgy32.exe
O4 - HKLM\..\RunOnce: [ntwf.exe] C:\WINDOWS\system32\ntwf.exe
O4 - HKLM\..\RunOnce: [d3sj32.exe] C:\WINDOWS\system32\d3sj32.exe
O4 - HKLM\..\RunOnce: [addft32.exe] C:\WINDOWS\system32\addft32.exe
O4 - HKLM\..\RunOnce: [ipid32.exe] C:\WINDOWS\system32\ipid32.exe
O4 - HKLM\..\RunOnce: [ntco.exe] C:\WINDOWS\ntco.exe
O4 - HKLM\..\RunOnce: [sysuo32.exe] C:\WINDOWS\system32\sysuo32.exe
O4 - HKLM\..\RunOnce: [nthz32.exe] C:\WINDOWS\system32\nthz32.exe
O4 - HKLM\..\RunOnce: [winhp.exe] C:\WINDOWS\system32\winhp.exe
O4 - HKLM\..\RunOnce: [ipnz32.exe] C:\WINDOWS\ipnz32.exe
O4 - HKLM\..\RunOnce: [javanf.exe] C:\WINDOWS\system32\javanf.exe
O4 - HKLM\..\RunOnce: [ipcu.exe] C:\WINDOWS\system32\ipcu.exe
O4 - HKLM\..\RunOnce: [javapw.exe] C:\WINDOWS\javapw.exe
O4 - HKLM\..\RunOnce: [mfcdg.exe] C:\WINDOWS\system32\mfcdg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4A8F223-6868-46CA-AFF9-3962450528F4}: NameServer = 194.72.0.114 194.74.65.69
O18 - Filter hijack: application/octet-stream - (no CLSID) - (no file)
O18 - Filter hijack: application/x-complus - (no CLSID) - (no file)
O18 - Filter hijack: application/x-msdownload - (no CLSID) - (no file)
O18 - Filter hijack: Class Install Handler - (no CLSID) - (no file)
O18 - Filter hijack: deflate - (no CLSID) - (no file)
O18 - Filter hijack: gzip - (no CLSID) - (no file)
O18 - Filter hijack: lzdhtml - (no CLSID) - (no file)
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O23 - Service: Workstation NetLogon Service ( 11F色#렉켯`I) - Unknown owner - C:\WINDOWS\sdkfc.exe" /s (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


thx in advance!!!! :tazz:
  • 0

Advertisements


#2
kool808

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts
Welcome to Geeks to Go!. Sorry about the delay in getting to your post, we have been very busy.

Do you still require help or are your problems resolved?

Please let me know and if you still require assistance, please post a fresh HJT log.

Regards,

kool808
  • 0

#3
Carerra

Carerra

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Hi Kool!!! thanks for getting back to me, The problems seemed to have stopped although explorer has a problem with pop up windows, in other words it wont open any, javascript problem maybe, im a noob and you maybe able to tell from my new log if i am Clean or not :tazz:

Thanks in advance

Logfile of HijackThis v1.99.1
Scan saved at 11:58:39, on 23/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
D:\Program Files\Winamp\winamp.exe
D:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {1DD3D11A-3109-1C20-8BD5-58F5241F1766} - blank (file missing)
O2 - BHO: Class - {427792FE-C50B-E431-ABCE-3735EA006792} - blank (file missing)
O2 - BHO: Class - {5A197AF4-5935-49F9-0E5B-5ABD9A8F62AD} - blank (file missing)
O2 - BHO: Class - {78EDB338-80F0-E154-CA26-10AA2CB7B816} - blank (file missing)
O2 - BHO: Class - {8A235E4F-CBA3-E0AF-678D-29D9ABA51389} - blank (file missing)
O2 - BHO: Class - {D313C43F-6956-1BDC-13C5-B32E2A8D2325} - blank (file missing)
O2 - BHO: Class - {D53BE37F-3A2E-270B-1A0A-66FD4B4BEE2F} - blank (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4A8F223-6868-46CA-AFF9-3962450528F4}: NameServer = 194.72.0.114 194.74.65.69
O18 - Filter hijack: application/octet-stream - (no CLSID) - (no file)
O18 - Filter hijack: application/x-complus - (no CLSID) - (no file)
O18 - Filter hijack: application/x-msdownload - (no CLSID) - (no file)
O18 - Filter hijack: Class Install Handler - (no CLSID) - (no file)
O18 - Filter hijack: deflate - (no CLSID) - (no file)
O18 - Filter hijack: gzip - (no CLSID) - (no file)
O18 - Filter hijack: lzdhtml - (no CLSID) - (no file)
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
  • 0

#4
kool808

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts
Please SAVE THIS PAGE or secure a PRINT COPY of the instructions for reference.
++++++++++++++++++++++++++++++++++++++++++++
Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

This will likely be a few step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

Please read the instructions for About:Buster then download it to a safe location where you can easily remember it.
Please Download the stand-alone version of CoolWebShredder
Download Cleanup.

Save all of these files somewhere you will remember like to the Desktop.

Run the CleanUp! installer. You dont need to do anything with it right now. Do NOT run it yet.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Reboot in SAFE MODE. (How to boot in Safe Mode...)
================================================
Please close all remaining windows, disconnect from the internet, open HijackThis then click SCAN. Please put a check on the following items listed below:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing

O2 - BHO: Class - {1DD3D11A-3109-1C20-8BD5-58F5241F1766} - blank (file missing)
O2 - BHO: Class - {427792FE-C50B-E431-ABCE-3735EA006792} - blank (file missing)
O2 - BHO: Class - {5A197AF4-5935-49F9-0E5B-5ABD9A8F62AD} - blank (file missing)
O2 - BHO: Class - {78EDB338-80F0-E154-CA26-10AA2CB7B816} - blank (file missing)
O2 - BHO: Class - {8A235E4F-CBA3-E0AF-678D-29D9ABA51389} - blank (file missing)
O2 - BHO: Class - {D313C43F-6956-1BDC-13C5-B32E2A8D2325} - blank (file missing)
O2 - BHO: Class - {D53BE37F-3A2E-270B-1A0A-66FD4B4BEE2F} - blank (file missing)

O18 - Filter hijack: application/octet-stream - (no CLSID) - (no file)
O18 - Filter hijack: application/x-complus - (no CLSID) - (no file)
O18 - Filter hijack: application/x-msdownload - (no CLSID) - (no file)
O18 - Filter hijack: Class Install Handler - (no CLSID) - (no file)
O18 - Filter hijack: deflate - (no CLSID) - (no file)
O18 - Filter hijack: gzip - (no CLSID) - (no file)
O18 - Filter hijack: lzdhtml - (no CLSID) - (no file)
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)

Make sure to double check the items you have selected, then click Fix Checked.
================================================

Please run about:buster by RubbeRDuckY:
  • Click Begin Removal.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files. Reboot your computer into normal windows.

Please run an on-line virus scan at Kaspersky Online Scan or if that doesnt work, you can have an On-line scan at this sites:
Trend Micro or Panda Scan or BitDefender.
(Please post the results of the scan(s) in your next reply)

After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.

Good Luck!
  • 0

#5
Carerra

Carerra

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Gez, Thanks kool, ok gimme a while to sort this out, :tazz:

Edited by Carerra, 23 July 2005 - 06:14 PM.

  • 0

#6
Carerra

Carerra

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Hiya again Kool, Ok here goes, did what you said and here are the new logs,


First i'll start with a Hijack this Log


Logfile of HijackThis v1.99.1
Scan saved at 01:11:08, on 24/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\ABC\abc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4A8F223-6868-46CA-AFF9-3962450528F4}: NameServer = 194.72.0.114 194.74.65.69
O18 - Filter hijack: application/octet-stream - (no CLSID) - (no file)
O18 - Filter hijack: application/x-complus - (no CLSID) - (no file)
O18 - Filter hijack: application/x-msdownload - (no CLSID) - (no file)
O18 - Filter hijack: Class Install Handler - (no CLSID) - (no file)
O18 - Filter hijack: deflate - (no CLSID) - (no file)
O18 - Filter hijack: gzip - (no CLSID) - (no file)
O18 - Filter hijack: lzdhtml - (no CLSID) - (no file)
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


and here is my Buster Log

AboutBuster 5.0 reference file 31
Scan started on [24/07/2005] at [00:10:07]
------------------------------------------------
Removed Stream! C:\WINDOWS\_ISNU.INI:hztter
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 00:11:46


AboutBuster 5.0 reference file 31
Scan started on [24/07/2005] at [00:15:47]
------------------------------------------------
Removed Stream! C:\WINDOWS\_ISNU.INI:iapemm
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 00:17:25



and here is what Bitdefender said after a scan of windows, I disnt do a whole scan as i didnt have the hours :tazz:

BitDefender Online Scanner



Scan report generated at: Sun, Jul 24, 2005 - 01:07:02





Scan path: C:\WINDOWS;







Statistics

Time
00:25:56

Files
62877

Folders
1047

Boot Sectors
4

Archives
574

Packed Files
4994




Results

Identified Viruses
1

Infected Files
1

Suspect Files
0

Warnings
0

Disinfected
0

Deleted Files
1




Engines Info

Virus Definitions
196476

Engine build
AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)

Scan plugins
13

Archive plugins
39

Unpack plugins
4

E-mail plugins
6

System plugins
1




Scan Settings

First Action
Disinfect

Second Action
Delete

Heuristics
Yes

Enable Warnings
Yes

Scanned Extensions
exe;com;dll;ocx;scr;bin;dat;386;vxd;sys;wdm;cla;class;ovl;ole;hlp;doc;dot;xls;ppt;wbk;wiz;pot;ppa;xla;xlt;vbs;vbe;mdb;rtf;htm;hta;html;xml;xtp;php;asp;js;shs;chm;lnk;pif;prc;url;smm;pfd;msi;ini;csc;cmd;bas;

Exclude Extensions


Scan Emails
Yes

Scan Archives
Yes

Scan Packed
Yes

Scan Files
Yes

Scan Boot
Yes




Scanned File
Status

C:\WINDOWS\$hf_mig$\KB896358\SP2QFE\itss.dll
Clean

C:\WINDOWS\$hf_mig$\KB896358\spmsg.dll
Clean

C:\WINDOWS\$hf_mig$\KB896358\update\update.exe
Clean

C:\WINDOWS\$hf_mig$\KB896358\update\updspapi.dll
Clean

C:\WINDOWS\$hf_mig$\KB896422\SP2QFE\srv.sys
Clean

C:\WINDOWS\$hf_mig$\KB896422\spmsg.dll
Clean

C:\WINDOWS\$hf_mig$\KB896422\spuninst.exe
Clean

C:\WINDOWS\$hf_mig$\KB896422\update\spcustom.dll
Clean

C:\WINDOWS\$hf_mig$\KB896422\update\update.exe
Clean

C:\WINDOWS\$hf_mig$\KB896422\update\updspapi.dll
Clean

C:\WINDOWS\$hf_mig$\KB896428\SP2QFE\telnet.exe
Clean

C:\WINDOWS\$hf_mig$\KB896428\spmsg.dll
Clean

C:\WINDOWS\$hf_mig$\KB896428\spuninst.exe
Clean

C:\WINDOWS\$hf_mig$\KB896428\update\spcustom.dll
Clean

C:\WINDOWS\$hf_mig$\KB896428\update\update.exe
Clean

C:\WINDOWS\$hf_mig$\KB896428\update\updspapi.dll
Clean

C:\WINDOWS\$hf_mig$\KB898461\spmsg.dll
Clean

C:\WINDOWS\$hf_mig$\KB898461\spuninst.exe
Clean

C:\WINDOWS\$hf_mig$\KB898461\spupdsvc.exe
Clean

C:\WINDOWS\$hf_mig$\KB898461\update\spcustom.dll
Clean

C:\WINDOWS\$hf_mig$\KB898461\update\update.exe
Clean

C:\WINDOWS\$hf_mig$\KB898461\update\updspapi.dll
Clean

C:\WINDOWS\$hf_mig$\KB901214\SP2QFE\icm32.dll
Clean

C:\WINDOWS\$hf_mig$\KB901214\SP2QFE\mscms.dll
Clean

C:\WINDOWS\$hf_mig$\KB901214\spmsg.dll
Clean

C:\WINDOWS\$hf_mig$\KB901214\spuninst.exe
Clean

C:\WINDOWS\$hf_mig$\KB901214\update\spcustom.dll
Clean

C:\WINDOWS\$hf_mig$\KB901214\update\update.exe
Clean

C:\WINDOWS\$hf_mig$\KB901214\update\updspapi.dll
Clean

C:\WINDOWS\$MSI31Uninstall_KB893803$\msi.dll
Clean

C:\WINDOWS\$MSI31Uninstall_KB893803$\msiexec.exe
Clean

C:\WINDOWS\$MSI31Uninstall_KB893803$\msihnd.dll
Clean

C:\WINDOWS\system32\ShellExt\CNTR.EXE
Infected with: Trojan.Redial.A

C:\WINDOWS\system32\ShellExt\CNTR.EXE
Disinfection failed

C:\WINDOWS\system32\ShellExt\CNTR.EXE
Deleted


Hope all of this helps buddy and im so gratful for the help!!!!

Edited by Carerra, 23 July 2005 - 06:14 PM.

  • 0

#7
kool808

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts

and here is what Bitdefender said after a scan of windows, I disnt do a whole scan as i didnt have the hours

.::::. Then you would have let the malwares have all the time to keep themselves then!

We will redo this with another strategy.


Please SAVE THIS PAGE or secure a PRINT COPY of the instructions for reference.
++++++++++++++++++++++++++++++++++++++++++++

1.) Download SpSeHjfix HERE
Unzip SpSeHjfix to its own folder (ie c:\SpSeHjfix)

2.) Please download the trial version of Ewido Security Suite 3.5 here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.


Reboot in SAFE MODE. (How to boot in Safe Mode...)

++++++++ STEP 1 ++++++++
Please run about:buster by RubbeRDuckY:
  • Click Begin Removal.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end

++++++++ STEP 2 ++++++++
Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

++++++++ STEP 3 ++++++++
Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

++++++++ STEP 4 ++++++++
Run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

++++++++ STEP 5 ++++++++
Please close all remaining windows, disconnect from the internet, open HijackThis then click SCAN. Please put a check on the following items listed below:

O18 - Filter hijack: application/octet-stream - (no CLSID) - (no file)
O18 - Filter hijack: application/x-complus - (no CLSID) - (no file)
O18 - Filter hijack: application/x-msdownload - (no CLSID) - (no file)
O18 - Filter hijack: Class Install Handler - (no CLSID) - (no file)
O18 - Filter hijack: deflate - (no CLSID) - (no file)
O18 - Filter hijack: gzip - (no CLSID) - (no file)
O18 - Filter hijack: lzdhtml - (no CLSID) - (no file)
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)


Make sure to double check the items you have selected, then click Fix Checked.

++++++++ STEP 6 ++++++++
Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files. Reboot your computer into normal windows.

++++++++++++++++++++++++++++++++++++++++++++
Reboot back in NORMAL MODE.

Have an online scan with Panda Scan this time. .:Panda Scan:.

Please separate each logs with a title above them.

  • Close all windows, open HijackThis then SCAN.
  • Post a NEW HijackThis Log.
  • Post the result from SpSeHjfix
  • Post the report from Ewido Security Suite.
  • Post the results from Panda Scan.
  • Please tell me how your system is working now.

  • 0

#8
Carerra

Carerra

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Hi Kool, Ok i have done everything you have said,

Heres the new hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 21:10:16, on 24/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4A8F223-6868-46CA-AFF9-3962450528F4}: NameServer = 194.72.0.114 194.74.65.69
O18 - Filter hijack: application/octet-stream - (no CLSID) - (no file)
O18 - Filter hijack: application/x-complus - (no CLSID) - (no file)
O18 - Filter hijack: application/x-msdownload - (no CLSID) - (no file)
O18 - Filter hijack: Class Install Handler - (no CLSID) - (no file)
O18 - Filter hijack: deflate - (no CLSID) - (no file)
O18 - Filter hijack: gzip - (no CLSID) - (no file)
O18 - Filter hijack: lzdhtml - (no CLSID) - (no file)
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe



Just so you know i fixed the 018 Values and it seems there back again?




***********SpSeHjfix LOG*************************************



(7/19/05 23:58:25) SPSeHjFix started v1.1.2
(7/19/05 23:58:25) OS: WinXP Service Pack 2 (5.1.2600)
(7/19/05 23:58:25) Language: english
(7/19/05 23:58:25) Win-Path: C:\WINDOWS
(7/19/05 23:58:25) System-Path: C:\WINDOWS\system32
(7/19/05 23:58:25) Temp-Path: C:\DOCUME~1\LOUISA~1\LOCALS~1\Temp\
(7/19/05 23:58:28) Disinfection started
(7/19/05 23:58:28) Bad-Dll(IEP): c:\windows\khhjq.dll
(7/19/05 23:58:28) UBF: 7 - UBB: 8 - UBR: 45
(7/19/05 23:58:28) UBF: 7 - UBB: 8 - UBR: 45
(7/19/05 23:58:28) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\windows\khhjq.dll/sp.html#55135
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: res://c:\windows\khhjq.dll/sp.html#55135
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: res://c:\windows\khhjq.dll/sp.html#55135
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\windows\khhjq.dll/sp.html#55135
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: res://c:\windows\khhjq.dll/sp.html#55135
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Page_URL: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Search_URL: res://c:\windows\khhjq.dll/sp.html#55135
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: res://c:\windows\khhjq.dll/sp.html#55135
(7/19/05 23:58:28) Stealth-String not found
(7/19/05 23:58:28) No locked Files to delete. End without Reboot
(7/19/05 23:58:40) Disinfection started
(7/19/05 23:58:40) Bad-Dll(IEP): c:\windows\khhjq.dll
(7/19/05 23:58:40) UBF: 7 - UBB: 8 - UBR: 45
(7/19/05 23:58:40) UBF: 7 - UBB: 8 - UBR: 45
(7/19/05 23:58:40) Bad IE-pages: (none)
(7/19/05 23:58:40) Stealth-String not found
(7/19/05 23:58:40) No locked Files to delete. End without Reboot
(7/19/05 23:59:20) Disinfection started
(7/19/05 23:59:20) Bad-Dll(IEP): c:\windows\khhjq.dll
(7/19/05 23:59:20) UBF: 7 - UBB: 8 - UBR: 45
(7/19/05 23:59:20) UBF: 7 - UBB: 8 - UBR: 45
(7/19/05 23:59:20) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\windows\khhjq.dll/sp.html#55135
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: res://c:\windows\khhjq.dll/sp.html#55135
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: res://c:\windows\khhjq.dll/sp.html#55135
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: res://c:\windows\khhjq.dll/sp.html#55135
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Page_URL: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Search_URL: res://c:\windows\khhjq.dll/sp.html#55135
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: res://c:\windows\khhjq.dll/sp.html#55135
(7/19/05 23:59:20) Stealth-String not found
(7/19/05 23:59:20) No locked Files to delete. End without Reboot


(7/19/05 23:59:48) SPSeHjFix started v1.1.2
(7/19/05 23:59:48) OS: WinXP Service Pack 2 (5.1.2600)
(7/19/05 23:59:48) Language: english
(7/19/05 23:59:48) Win-Path: C:\WINDOWS
(7/19/05 23:59:48) System-Path: C:\WINDOWS\system32
(7/19/05 23:59:48) Temp-Path: C:\DOCUME~1\LOUISA~1\LOCALS~1\Temp\
(7/19/05 23:59:49) Disinfection started
(7/19/05 23:59:49) Bad-Dll(IEP): c:\windows\khhjq.dll
(7/19/05 23:59:49) UBF: 7 - UBB: 8 - UBR: 45
(7/19/05 23:59:49) UBF: 7 - UBB: 8 - UBR: 45
(7/19/05 23:59:49) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: res://c:\windows\khhjq.dll/sp.html#55135
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: res://c:\windows\khhjq.dll/sp.html#55135
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: res://c:\windows\khhjq.dll/sp.html#55135
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Page_

(7/19/05 23:59:56) SPSeHjFix started v1.1.2
(7/19/05 23:59:56) OS: WinXP Service Pack 2 (5.1.2600)
(7/19/05 23:59:56) Language: english
(7/19/05 23:59:56) Win-Path: C:\WINDOWS
(7/19/05 23:59:56) System-Path: C:\WINDOWS\system32
(7/19/05 23:59:56) Temp-Path: C:\DOCUME~1\LOUISA~1\LOCALS~1\Temp\
(7/19/05 23:59:57) Disinfection started
(7/19/05 23:59:57) Bad-Dll(IEP): (not found)
(7/19/05 23:59:57) Bad-Dll(IEP) in BHO: (not found)
(7/19/05 23:59:57) UBF: 7 - UBB: 8 - UBR: 45
(7/19/05 23:59:57) UBF: 7 - UBB: 8 - UBR: 45
(7/19/05 23:59:57) Bad IE-pages: (none)
(7/19/05 23:59:57) Stealth-String not found
(7/19/05 23:59:57) Not infected->END




**********************EWIDO LOG ***************************

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 20:01:04, 24/07/2005
+ Report-Checksum: 725E112C

+ Scan result:

C:\Documents and Settings\Louis Amore\Cookies\louis amore@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Louis Amore\Cookies\louis amore@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Louis Amore\Cookies\louis amore@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\WINDOWS\_ISNU.INI:inwnc -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:iodnz -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:iseiw -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:iseky -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:itzma -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:iugzs -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:iwekg -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:iyfph -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:iyzlg -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:izdbn -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:jayyc -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:jchrc -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:jcpwr -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:jhdim -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:jhmri -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:jhrba -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:jixhq -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:jiyig -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:jlpol -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:jmduo -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:jmkdf -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:jqgul -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:jqgulm -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:jqtgs -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:jrjsf -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:jufwm -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:jvrldn -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_ISNU.INI:jwiuq -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:jwncr -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:jwugp -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:jzjci -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:kazge -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:kdykv -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:kfmoz -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:kgqmg -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:kguxw -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:khewo -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:klfzk -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:koqyo -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:kphyx -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:kqvwu -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:kqxju -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:krfhd -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:krzfha -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:kuatr -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:kvdxt -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:kvgzw -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:kwffh -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:kwwct -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:kxfxk -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:kzlkn -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:kzxkb -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:laake -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:lbhbue -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:ldmun -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:ldzcm -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:lejtg -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:lewaf -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:lhzok -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:ligrn -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:ljcce -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:lmxin -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:lmypq -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:lnbfi -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:lnuoow -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_ISNU.INI:lpxlx -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:lqieg -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:ltedz -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:luhxf -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:lvdut -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:lvgkn -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:lvrja -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:lwkas -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:lygiy -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:lzvrr -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:mbiqa -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:mbisd -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:mepjx -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:mhdke -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:mhsti -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:mhvod -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:mkxml -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:mlqagc -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_ISNU.INI:moxkc -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:mqaao -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:mqifm -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:mrhdt -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:msrrxg -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:mswhw -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:murlw -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:mvllge -> TrojanDownloader.Agent.bq : Cleaned with backup


::Report End



I could not run Panda Scan as Explorer wont open the pop up window for the scan my explorer only works on the Bitdefender website so i Ran it on a FULL SCAN, 4HRS, i CLEANED 1 VIRUS NO LOG PRINT OUT OF IT.


As soon Bitdefender finished the scan Mcafee said C:/System Volume information\_restore {EB5COCA7-E162-4B3E-... was infected by the Genetic Downloader.ab trojan and has been deleted to complete the clean process.


I have started running Ewido again, Macfee is finding new files bieng infected everysecond now,,, /CRY!

[bleep] this is a tough cookie!!!!!!!


I have done everything u said very carefully, :

Edited by Carerra, 24 July 2005 - 02:24 PM.

  • 0

#9
Carerra

Carerra

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
1 more thing Kool, Do you think my explorer is broken is there a way to re-install it? just a thought incase i was missing some values???? Im not sure what to do
  • 0

#10
kool808

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts
  • Please download FixO.exe, then save it to a safe location where you can easily remember (eg.: C:\FixO)
  • Double-click FixO.exe, extract all files it contains in the same folder as with FixO.exe
  • Double-click FixO.bat, it will then generate a Log list
  • Please post in your next reply the log list it generated.

  • 0

Advertisements


#11
Carerra

Carerra

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Hi Kool this is what it wrote when i hit the .dat file

The system cannot find the file specified.
The system cannot find the file specified.
Could Not Find C:\Documents and Settings\Louis Amore\Desktop\New Folder (2)\FixO
\peek1.txt
Could Not Find C:\Documents and Settings\Louis Amore\Desktop\New Folder (2)\FixO
\peek2.txt

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of SMSSU.EXE

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of Tmntsrv32.EXE

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of MSIMN32.EXE

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of TASKMGRU.EXE

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 2252 'iexplore.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of SPOOLSV32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of ALGU.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of SPOOLSVU.EXE

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of ALG32.EXE
Merging registry....
File not found - SMSSU.EXE
File not found - Tmntsrv32.EXE
File not found - MSIMN32.EXE
File not found - TASKMGRU.EXE
File not found - ALG32.EXE
File not found - SPOOLSVU.EXE
File not found - ALGU.EXE
File not found - SPOOLSV32.EXE
File not found - explorer32dbg.exe
File not found - iexplore_dbg.exe
File not found - bhoass.dll
File not found - BHOASSUI.exe
File not found - xmllib.dll
File not found - XMLLIBUI.exe
File not found - winadvt.dll
File not found - stlbd.dll
File not found - hosts
File not found - xmllibw.dll
File not found - atlass.dll
File not found - vv.dat
File not found - vv.exe
The system cannot find the file specified.
The system cannot find the file specified.
Could Not Find C:\Documents and Settings\Louis Amore\Desktop\peek1.txt
Could Not Find C:\Documents and Settings\Louis Amore\Desktop\peek2.txt


Ignore above messages and errors.


If you lost your taskbar and icons on your desktop after reboot,
doubleclick on restore.reg which must be in the same folder as this tool is.


Copy and paste the contents of check.txt that will open in your next reply.


Press any key to continue . . .


and after i hit a Key it genertated this,


running from ---
C:\Documents and Settings\Louis Amore\Desktop\New Folder (2)\FixO

StartPAge.O Removal batch 1.00

by miekiemoes

같같같같같같같같같같같같같같같같같같같같같같같같같같
existing bad files:
-----------------------------------------------------


existing important bad keys:
-----------------------------------------------------


Merging Registry----------


Deleting Files-------------


Searching for files not deleted:
-----------------------------------------------------


Searching for keys not deleted:
-----------------------------------------------------
  • 0

#12
kool808

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts
Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop.
Do NOT run it yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Do NOT run the scan yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
(How to boot in Safe Mode...)
===================================================

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!

Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist.
  • 0

#13
Carerra

Carerra

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Hi Kool,


heres the new Hijack log

Logfile of HijackThis v1.99.1
Scan saved at 20:00:32, on 25/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ntvdm.exe
D:\HJT\HijackThis.exe

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4A8F223-6868-46CA-AFF9-3962450528F4}: NameServer = 194.72.0.114 194.74.65.69
O18 - Filter hijack: application/octet-stream - (no CLSID) - (no file)
O18 - Filter hijack: application/x-complus - (no CLSID) - (no file)
O18 - Filter hijack: application/x-msdownload - (no CLSID) - (no file)
O18 - Filter hijack: Class Install Handler - (no CLSID) - (no file)
O18 - Filter hijack: deflate - (no CLSID) - (no file)
O18 - Filter hijack: gzip - (no CLSID) - (no file)
O18 - Filter hijack: lzdhtml - (no CLSID) - (no file)
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe



+++++++++++SMITFILES LOG+++++++++++++++=


smitRem log file
version 2.2

by noahdfear

The current date is: 25/07/2005
The current time is: 18:30:41.76

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN!
---------------------------------------------------------------------------------------




++++++++++++++EWIDO LOG++++++++++++

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 19:40:05, 25/07/2005
+ Report-Checksum: DA4419CF

+ Scan result:

:mozilla.7:C:\Documents and Settings\Louis Amore\Application Data\Mozilla\Firefox\Profiles\q8vifjt5.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Louis Amore\Application Data\Mozilla\Firefox\Profiles\q8vifjt5.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Louis Amore\Application Data\Mozilla\Firefox\Profiles\q8vifjt5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Louis Amore\Application Data\Mozilla\Firefox\Profiles\q8vifjt5.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Louis Amore\Application Data\Mozilla\Firefox\Profiles\q8vifjt5.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\WINDOWS\_ISNU.INI:rjilm -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:rkafs -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:rkygm -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:rlris -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:rolzn -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:ropeo -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:roquu -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:rqieg -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:rrwbo -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:rsmtj -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:ruylf -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:rwsgg -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:rxxfc -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:rylbv -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:rzqqq -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:sanve -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:sbtro -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:schar -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:sdcol -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:sdhzb -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:sdilv -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:sdsre -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:sfoxa -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:slgfz -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:smehj -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:snjya -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:snpyy -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:spdzf -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:sppnl -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:sqhznp -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_ISNU.INI:ssjgn -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:ssvtx -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:supze -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:svomn -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:svssi -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:syint -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:syqih -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:tajga -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:tbplj -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:tcjwn -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:tdicqn -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:tdkbs -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:tdtnn -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:teqhr -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:tgtrb -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:thfmog -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:tinpo -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:tjpbn -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:tljav -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:tnqyq -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:tnrdb -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:tnupx -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:toesq -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:tozyy -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:tsflc -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:tthcv -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:tulwx -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:tupal -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:twjro -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:tysnr -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:tzgcv -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:uactx -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:ubmnx -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:ucaem -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_ISNU.INI:ucbal -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:ucdsgf -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:ucmdi -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:udsgo -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_ISNU.INI:ufgvr -> TrojanDownloader.Agent.bq : Cleaned with backup


::Report End


++++++++++++++++++++++++++++++

I have tried to get a scan via Panda but the scan now button doesnt lauch the pop up box, I can use Firefox to get the scan box up but Panda doesnt support Firefox,

Im thinking i may have a activex problem in explorer ? or a Java problem im not sure,

Very sorry for how long this is taking and im very very gratefull for your Help Kool,

Edited by Carerra, 25 July 2005 - 01:07 PM.

  • 0

#14
Carerra

Carerra

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Hi again Kool, So you know, when i place my mouse over the "Scan your PC" Button on the Panda website, i get "java script:pp 1,2,63;" in the bottom left hand corner of explorer, does this tell you anything?
  • 0

#15
kool808

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts
Follow these steps to download and run the tool:

1. Download the FxAgentB.exe file from: HERE
2. Save the file to a convenient location, such as your Windows desktop.
3. Close all the running programs.
4. If you are on a network or if you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.
5. Locate the file that you just downloaded.
6. Double-click the FxAgentB.exe file to start the removal tool.
7. When the following message appears, click OK:

Please DO NOT start any other applications until the removal tool exits and the computer is restarted. Doing so may cause reinfection.

8. Click Start to begin the process, and then allow the tool to run.
9. Restart the computer.
10. Run the removal tool again to ensure that the system is clean.
  • Close all windows, open HijackThis then SCAN.
  • Post a NEW HijackThis Log.
  • Please tell me how your system is working now.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP