Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

psguard problem (I think) [RESOLVED]

Started by eagle99 , Jul 22 2005 09:25 AM

  • This topic is locked This topic is locked

#1
eagle99
Posted 22 July 2005 - 09:25 AM

eagle99

    Member

  • Member
  • PipPip
  • 58 posts
Hello and thanks for helping.
Despite having Norton Internet Security, I believe my computer has become infected with the psguard thing. I have downloaded and run ewido which helped but it seems that the computer still has some problems. For example:
every time I run ewido it seems to find another infected file.
My wallpaper has some warning message that was never there before and I have no way to change it.
The system seems to get slugish (faster than it used to)

Like I said I have run ewido, in addition I have run ad-aware, cleanUp40, CWShredder and the hijackthis utility.

I am posting the hijackthis results below.
Thanks for taking a look, you guys are great!


Logfile of HijackThis v1.99.1
Scan saved at 6:02:55 PM, on 7/22/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\util\Norton Internet Security 2003\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
F:\util\Norton Internet Security 2003\ccPxySvc.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
g:\ewido\security suite\ewidoctrl.exe
F:\mysql\bin\mysqld-nt.exe
F:\util\Norton AntiVirus 2003\navapsvc.exe
F:\util\Norton AntiVirus 2003\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
F:\util\Norton AntiVirus 2003\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\sys_progs\ATI Multimedia\RemCtrl\ATIX10.exe
C:\sys_prog\HP CD-DVD\Umbrella\hpcdtray.exe
C:\sys_prog\hewlett-packard\hp precisionscan\PrecisionScan\HPLamp.exe
F:\miss\Say the Time\SayTime.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\rundll32.exe
F:\sound\Winamp5\winampa.exe
F:\sound\TotalRecorder42\TotRecSched.exe
C:\WINNT\System32\atiptaxx.exe
F:\util\SUPERN~1\SUPERNOTES.EXE
F:\video\QuickTime\qttask.exe
C:\WINNT\System32\wuamwin.exe
C:\WINNT\System32\internat.exe
C:\winnt\bjxaxiv.exe
F:\util\TaskZip\TaskZip.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\3Com\3Com OfficeConnect Wireless 11g USB Adapter Utility\drivers\WIN2K\3COMU11GMonitor.exe
F:\miss\ATnotes\ATnotes.exe
F:\Palm\HOTSYNC.EXE
F:\mysql\bin\winmysqladmin.exe
F:\Corel\wp11\Programs\wpwin11.exe
F:\util\Total Commander XP\TOTALCMD.EXE
G:\aa_stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://abcsearch4u.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://abcsearch4u.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://abcsearch4u.com/
R3 - URLSearchHook: LookSmart Toolbar - {CC8C8F4F-F2E8-404B-A43D-5CC57876A008} - F:\modem\eXeem\LookSmart Toolbar\toolbar.dll (file missing)
F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: DgnWebIE - {2843DAC1-05EF-11D2-95BA-0060083493D6} - C:\WINNT\Speech\Dragon\web_ie.dll
O2 - BHO: XBTB01232 Class - {BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408} - F:\modem\eXeem\LOOKSM~1\toolbar.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\util\Norton AntiVirus 2003\NavShExt.dll
O2 - BHO: Bridge Class - {E479EDE1-923E-11D3-B82B-00E09871521B} - F:\modem\Compass\CompassIE.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\util\Norton AntiVirus 2003\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Zend Studio - {95188727-288F-4581-A48D-EAB3BD027314} - G:\zend_Studio\bin\ZendIEToolbar.dll
O3 - Toolbar: Torrent Search IE Toolbar - {C9D0879E-F33F-4CA8-9137-6F2A0AEDCFB9} - C:\Program Files\Torrent Search IE Toolbar\torrent_search.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: LookSmart Toolbar - {CC8C8F4F-F2E8-404B-A43D-5CC57876A008} - F:\modem\eXeem\LookSmart Toolbar\toolbar.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\RunServices: [microsoft server base] lass.exe
O4 - HKLM\..\RunServices: [Microsoft Hosting Service] winhosting.exe
O4 - HKLM\..\RunServices: [RSPC Driver] utne.exe
O4 - HKLM\..\RunServices: [ioroxxo microsoft sux] system32,1.exe
O4 - HKLM\..\RunServices: [Mircosoft Update] wuampkd.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update2] wuamwin.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [ioroxxo microsoft sux] system32,1.exe
O4 - HKCU\..\Run: [RSPC Driver] utne.exe
O4 - HKCU\..\Run: [Microsoft Hosting Service] winhosting.exe
O4 - HKCU\..\Run: [microsoft server base] lass.exe
O4 - HKCU\..\Run: [gcttaij] c:\winnt\bjxaxiv.exe
O4 - HKCU\..\Run: [yvrfuie] c:\winnt\yiivbei.exe
O4 - HKCU\..\Run: [hedscgm] c:\winnt\yiivbei.exe
O4 - HKCU\..\Run: [ahvdrbo] c:\winnt\yiivbei.exe
O4 - HKCU\..\Run: [ixdxdbi] c:\winnt\bhyasff.exe
O4 - HKCU\..\Run: [clvkrps] c:\winnt\bhyasff.exe
O4 - HKCU\..\Run: [nvxbjcm] c:\winnt\bhyasff.exe
O4 - HKCU\..\Run: [mhncfts] c:\winnt\bhyasff.exe
O4 - HKCU\..\Run: [epvghse] c:\winnt\bhyasff.exe
O4 - HKCU\..\Run: [yrilawi] c:\winnt\xdvvutv.exe
O4 - Startup: ATnotes.lnk = F:\miss\ATnotes\ATnotes.exe
O4 - Startup: HotSync Manager.lnk = F:\Palm\HOTSYNC.EXE
O4 - Startup: WinMySQLadmin.lnk = F:\mysql\bin\winmysqladmin.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = F:\Office2k\Office10\OSA.EXE
O4 - Global Startup: TaskZip.lnk = F:\util\TaskZip\TaskZip.exe
O4 - Global Startup: 3Com OfficeConnect Wireless 11g USB Adapter Utility.lnk = C:\Program Files\3Com\3Com OfficeConnect Wireless 11g USB Adapter Utility\drivers\WIN2K\3COMU11GMonitor.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\Office2k\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: Zend Studio - Debug current page - res://G:\zend_Studio\bin\ZendIEToolbar.dll/DebugCurrent.html
O8 - Extra context menu item: Zend Studio - Debug next page - res://G:\zend_Studio\bin\ZendIEToolbar.dll/DebugNext.html
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\sys_progs\ati multimedia\TV\EXPLBAR.DLL
O9 - Extra button: CUseeMe Conferencing Companion - {44EFB53C-C965-43CF-9F45-52242D134187} - f:\modem\cuseeme\Amigo.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\modem\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\modem\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - F:\modem\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - F:\modem\ICQ\ICQ.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Torrent Search IE Toolbar - {C9D0879E-F33F-4CA8-9137-6F2A0AEDCFB9} - C:\Program Files\Torrent Search IE Toolbar\torrent_search.dll
O9 - Extra 'Tools' menuitem: Torrent Search IE Toolbar - {C9D0879E-F33F-4CA8-9137-6F2A0AEDCFB9} - C:\Program Files\Torrent Search IE Toolbar\torrent_search.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: SmartWhois - {FD9DE2B4-C926-4460-81C4-FC58C6F1062E} - F:\modem\SMARTW~1\SWMSIE~1.EXE
O9 - Extra button: (no name) - {FF983118-58C7-4AD4-B5A7-691C39CB7B42} - F:\modem\SMARTW~1\SWMSIE~1.EXE
O9 - Extra 'Tools' menuitem: SmartWhois - {FF983118-58C7-4AD4-B5A7-691C39CB7B42} - F:\modem\SMARTW~1\SWMSIE~1.EXE
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - F:\miss\FLASHD~2\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - F:\miss\FLASHD~2\iebt.dll (HKCU)
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c283.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/c...cult3d/cult.cab
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akam...loadManager.ocx
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (WebEyeControl) - http://kotelcam.virt...m/wg_webeye.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.nor...c/bin/cabsa.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://toolbar.azese...l/azesearch.cab
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - F:\util\Norton Internet Security 2003\ccPxySvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - g:\ewido\security suite\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown owner - F:/mysql/bin/mysqld-nt.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\util\Norton AntiVirus 2003\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - F:\util\Norton Internet Security 2003\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - F:\util\Norton AntiVirus 2003\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - F:\util\Norton AntiVirus 2003\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

Advertisements

#2
tampabelle
Posted 22 July 2005 - 10:27 AM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP, or Service Pack 4 if you are running Win2k. Without this update, you're wide open to re-infection, and we're both just wasting our time.

Click here

Apply the update, reboot, and post a fresh Hijack This log.
  • 0

#3
eagle99
Posted 23 July 2005 - 12:03 PM

eagle99

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts
Thanks for the reply. When I try to install the update I get the setup Error:
the file c:\winnt\system32\drivers\atapi.sys is open or in use by another application.

The only program that I am running is IE.

How can I find the program that is open and disable it?

Thanks.
  • 0

#4
tampabelle
Posted 23 July 2005 - 12:23 PM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi eagle99,


Lets leave that for now then.


Place a shortcut to Panda ActiveScan on your desktop.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Open Ad-aware and do a full scan. Remove all it finds.


Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!

Save the scan log and post it along with a new HijackThis Log by using Add Reply.

Edited by tampabelle, 23 July 2005 - 12:24 PM.

  • 0

#5
eagle99
Posted 23 July 2005 - 08:09 PM

eagle99

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts
I followed your steps and have posted the logs below.



Incident Status Location

Adware:Adware/Startpage.WH No disinfected C:\WINNT\LJAXMGR.EXE
Adware:Adware/Startpage.WH No disinfected C:\WINNT\LFKTGSI.EXE
Adware:Adware/Startpage.WH No disinfected C:\WINNT\XDVVUTV.EXE
Adware:Adware/Startpage.WH No disinfected C:\WINNT\BHYASFF.EXE
Adware:Adware/Startpage.WH No disinfected C:\WINNT\YIIVBEI.EXE
Spyware:Spyware/IESearchToolbarNo disinfected C:\Program Files\Torrent Search IE Toolbar\torrent_search.dll
Adware:Adware/Startpage.WH No disinfected C:\winnt\bjxaxiv.exe
Virus:W32/Gaobot.gen.worm Disinfected Operating system
Adware:adware/findspy No disinfected C:\DOCUMENTS AND SETTINGS\MDR\FAVORITES\ Free Spy Cam - Realtime.url
Adware:adware/perfect-search No disinfected C:\DOCUMENTS AND SETTINGS\MDR\FAVORITES\ADULT\Escorts.url
Adware:adware/startpage.lh No disinfected C:\DOCUMENTS AND SETTINGS\MDR\FAVORITES\ADULT\Single Girls.url
Adware:adware/psguard No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\DESKTOP\PSGuard spyware remover.lnk
Adware:adware/sahagent No disinfected C:\WINNT\unstall.exe
Spyware:spyware/new.net No disinfected C:\PROGRAM FILES\NewDotNet
Adware:adware/navhelper No disinfected C:\PROGRAM FILES\NavExcel
Adware:adware/wupd No disinfected C:\PROGRAM FILES\Admilli Service
Adware:adware/searchrelevancy No disinfected C:\PROGRAM FILES\SearchRelevant
Adware:adware/whenusearch No disinfected C:\PROGRAM FILES\COMMON FILES\WhenU
Adware:adware/ucontrol No disinfected C:\PROGRAM FILES\COMMON FILES\UControl
Adware:adware/cws No disinfected C:\DOCUMENTS AND SETTINGS\MDR\FAVORITES\Adult
Adware:adware/ilookup No disinfected C:\DOCUMENTS AND SETTINGS\MDR\FAVORITES\Gambling
Spyware:spyware/cydoor No disinfected C:\WINNT\SYSTEM32\AdCache
Adware:adware/brilliantdigitalNo disinfected C:\WINNT\BDE
Adware:adware/looksmart No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\XBTB01232.XBTB01232TOOLBAR
Adware:adware/netpals No disinfected HKEY_CURRENT_USER\SOFTWARE\DESTINY
Adware:adware/sidestep No disinfected HKEY_CURRENT_USER\SOFTWARE\SIDESTEP
Spyware:spyware/dyfuca No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\INTERNET OPTIMIZER
Adware:adware/powerscan No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\BANDREST
Adware:adware/topsearch4u No disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
Adware:adware/toolbarsimbar No disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{a26abcf0-1c8f-46e7-a67c-0489dc21b9cc}
Adware:Adware/nCase No disinfected C:\WINNT\system32\ncase2.dll
Adware:Adware/Specofer No disinfected C:\WINNT\system32\httppost.exe
Virus:Trj/Zapchast.D Disinfected C:\WINNT\system32\c.bat
Virus:W32/Gaobot.AQN.worm Disinfected C:\WINNT\system32\winupdate.exe
Virus:W32/Sdbot.DWJ.worm Disinfected C:\WINNT\system32\TFTP1508
Adware:Adware/Startpage.WH No disinfected C:\WINNT\system32\ucistntd.exe
Adware:Adware/Startpage.WH No disinfected C:\WINNT\xdvvutv.exe
Adware:Adware/Startpage.WH No disinfected C:\WINNT\lfktgsi.exe
Adware:Adware/Startpage.WH No disinfected C:\WINNT\yiivbei.exe
Adware:Adware/Startpage.WH No disinfected C:\WINNT\bhyasff.exe
Adware:Adware/Startpage.WH No disinfected C:\WINNT\ljaxmgr.exe
Adware:Adware/Startpage.WH No disinfected C:\WINNT\fbpoxfh.exe
Adware:Adware/Startpage.WH No disinfected C:\WINNT\bjxaxiv.exe
Virus:W32/Gaobot.gen.worm Disinfected C:\Documents and Settings\MDR\Local Settings\Temp\F7.tmp
Virus:W32/Sdbot.DWJ.worm Disinfected C:\Documents and Settings\MDR\Local Settings\Temp\327.tmp
Spyware:Spyware/New.net No disinfected C:\Program Files\FirstLook\FirstLook.exe
Spyware:Spyware/IESearchToolbarNo disinfected C:\Program Files\Torrent Search IE Toolbar\torrent_search.dll
Adware:Adware/SearchRelevancy No disinfected C:\Program Files\SearchRelevant\uninstall.exe
Adware:Adware/MediaTickets No disinfected C:\eied_s7.cab[eied_s7_c_190.exe]
Virus:Natas.4788 Disinfected D:\aa_cd\five inch disks\games\QTEXT.ZIP[HEB_EGA.COM]
Adware:Adware/Aureate-Radiate No disinfected D:\dwnload\search_for_crack\WebCopier version 2.2\webcopyr.zip[data1.cab][ADIMAGE.DLL]
Adware:Adware/Aureate-Radiate No disinfected D:\dwnload\search_for_crack\WebCopier version 2.2\webcopyr.zip[data1.cab][MSIPCSV.EXE]
Adware:Adware/Aureate-Radiate No disinfected D:\dwnload\search_for_crack\WebCopier version 2.2\webcopyr.zip[data1.cab][HTMDENG.EXE]
Adware:Adware/Aureate-Radiate No disinfected D:\dwnload\search_for_crack\WebCopier version 2.2\webcopyr.zip[data1.cab][IPCClient.dll]
Adware:Adware/Aureate-Radiate No disinfected D:\dwnload\search_for_crack\WebCopier version 2.2\webcopyr.zip[data1.cab][TFDE.DLL]
Adware:Adware/eZula No disinfected D:\dwnload\dwn_sav\aaa_needtosort\iMeshV3.exe
Virus:W32/Bagle.AW.worm Disinfected Personal Folders\Deleted Items\foto\foto.zip[foto.htm]
Virus:W32/Eyeveg.D.worm Disinfected Personal Folders\Deleted Items\image\image.zip[image.jpg .scr]
Virus:JS/Illwill.A Disinfected Personal Folders\Inbox\new_price.zip[price.html]
Virus:W32/Bagle.AM.worm Disinfected Personal Folders\Inbox\new_price.zip[price.exe]
Virus:Trj/Mitglieder.DQ Disinfected Personal Folders\Inbox\The picture is sent on SMS\Legs.zip[f22-013.exe]
Adware:Adware/SideStep No disinfected F:\modem\iMesh\Client\SbCIe025.dll
Adware:Adware/FavoriteMan No disinfected F:\modem\iMesh\Client\Favapp.dll
Adware:Adware/eZula No disinfected F:\modem\iMesh\Client\TTIL_imesh.exe
Spyware:Spyware/New.net No disinfected F:\modem\iMesh\Client\imesh_336.exe
Adware:Adware/SideStep No disinfected F:\modem\iMesh\Client\SbCIe026.dll






Logfile of HijackThis v1.99.1
Scan saved at 5:14:37 AM, on 7/24/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\util\Norton Internet Security 2003\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
F:\util\Norton Internet Security 2003\ccPxySvc.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
g:\ewido\security suite\ewidoctrl.exe
F:\mysql\bin\mysqld-nt.exe
F:\util\Norton AntiVirus 2003\navapsvc.exe
F:\util\Norton AntiVirus 2003\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
F:\util\Norton AntiVirus 2003\SAVScan.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\sys_progs\ATI Multimedia\RemCtrl\ATIX10.exe
C:\sys_prog\HP CD-DVD\Umbrella\hpcdtray.exe
C:\sys_prog\hewlett-packard\hp precisionscan\PrecisionScan\HPLamp.exe
F:\miss\Say the Time\SayTime.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\rundll32.exe
F:\sound\Winamp5\winampa.exe
F:\sound\TotalRecorder42\TotRecSched.exe
C:\WINNT\System32\atiptaxx.exe
F:\util\SUPERN~1\SUPERNOTES.EXE
F:\video\QuickTime\qttask.exe
C:\WINNT\System32\internat.exe
C:\winnt\bjxaxiv.exe
F:\util\TaskZip\TaskZip.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\3Com\3Com OfficeConnect Wireless 11g USB Adapter Utility\drivers\WIN2K\3COMU11GMonitor.exe
F:\miss\ATnotes\ATnotes.exe
F:\Palm\HOTSYNC.EXE
F:\mysql\bin\winmysqladmin.exe
F:\miss\kluach\kaluach.exe
F:\modem\mozilla\firefox.exe
C:\WINNT\system32\cmd.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
F:\util\Total Commander XP\TOTALCMD.EXE
F:\modem\Compass\Compass.exe
F:\util\TEXTPA~1\TextPad.exe
F:\Corel\wp11\Programs\wpwin11.exe
G:\aa_stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://abcsearch4u.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://abcsearch4u.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://abcsearch4u.com/
R3 - URLSearchHook: LookSmart Toolbar - {CC8C8F4F-F2E8-404B-A43D-5CC57876A008} - F:\modem\eXeem\LookSmart Toolbar\toolbar.dll (file missing)
F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: DgnWebIE - {2843DAC1-05EF-11D2-95BA-0060083493D6} - C:\WINNT\Speech\Dragon\web_ie.dll
O2 - BHO: XBTB01232 Class - {BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408} - F:\modem\eXeem\LOOKSM~1\toolbar.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\util\Norton AntiVirus 2003\NavShExt.dll
O2 - BHO: Bridge Class - {E479EDE1-923E-11D3-B82B-00E09871521B} - F:\modem\Compass\CompassIE.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\util\Norton AntiVirus 2003\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Zend Studio - {95188727-288F-4581-A48D-EAB3BD027314} - G:\zend_Studio\bin\ZendIEToolbar.dll
O3 - Toolbar: Torrent Search IE Toolbar - {C9D0879E-F33F-4CA8-9137-6F2A0AEDCFB9} - C:\Program Files\Torrent Search IE Toolbar\torrent_search.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: LookSmart Toolbar - {CC8C8F4F-F2E8-404B-A43D-5CC57876A008} - F:\modem\eXeem\LookSmart Toolbar\toolbar.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\RunServices: [microsoft server base] lass.exe
O4 - HKLM\..\RunServices: [Microsoft Hosting Service] winhosting.exe
O4 - HKLM\..\RunServices: [RSPC Driver] utne.exe
O4 - HKLM\..\RunServices: [ioroxxo microsoft sux] system32,1.exe
O4 - HKLM\..\RunServices: [Mircosoft Update] wuampkd.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update2] wuamwin.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [ioroxxo microsoft sux] system32,1.exe
O4 - HKCU\..\Run: [RSPC Driver] utne.exe
O4 - HKCU\..\Run: [Microsoft Hosting Service] winhosting.exe
O4 - HKCU\..\Run: [microsoft server base] lass.exe
O4 - HKCU\..\Run: [gcttaij] c:\winnt\bjxaxiv.exe
O4 - HKCU\..\Run: [yvrfuie] c:\winnt\yiivbei.exe
O4 - HKCU\..\Run: [hedscgm] c:\winnt\yiivbei.exe
O4 - HKCU\..\Run: [ahvdrbo] c:\winnt\yiivbei.exe
O4 - HKCU\..\Run: [ixdxdbi] c:\winnt\bhyasff.exe
O4 - HKCU\..\Run: [clvkrps] c:\winnt\bhyasff.exe
O4 - HKCU\..\Run: [nvxbjcm] c:\winnt\bhyasff.exe
O4 - HKCU\..\Run: [mhncfts] c:\winnt\bhyasff.exe
O4 - HKCU\..\Run: [epvghse] c:\winnt\bhyasff.exe
O4 - HKCU\..\Run: [yrilawi] c:\winnt\xdvvutv.exe
O4 - HKCU\..\Run: [vacbatr] c:\winnt\xdvvutv.exe
O4 - HKCU\..\Run: [mikotcv] c:\winnt\xdvvutv.exe
O4 - HKCU\..\Run: [xjqlfsu] c:\winnt\xdvvutv.exe
O4 - HKCU\..\Run: [etytvkh] c:\winnt\xdvvutv.exe
O4 - HKCU\..\Run: [nwawgjr] c:\winnt\xdvvutv.exe
O4 - HKCU\..\Run: [qiekfyc] c:\winnt\lfktgsi.exe
O4 - HKCU\..\Run: [kelpsnk] c:\winnt\lfktgsi.exe
O4 - HKCU\..\Run: [gelchbr] c:\winnt\lfktgsi.exe
O4 - HKCU\..\Run: [wbthlpj] c:\winnt\lfktgsi.exe
O4 - HKCU\..\Run: [jljtxmv] c:\winnt\lfktgsi.exe
O4 - HKCU\..\Run: [klbbhon] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [aupwitd] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [derkjma] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [owmbxtd] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [wegrqrj] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [nfmedwp] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [qsterck] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [yksaqgd] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [vpknjwt] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [gfoaxkf] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [cbbfmsb] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [wuabuku] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [bhtiavi] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [tcxgatm] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [tcfrxem] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [jdhttfb] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [ieufngy] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [gtghnjw] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [qxtgwck] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [xjxskho] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [oyaqfcu] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [wkyxbra] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [viijlau] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [djngmfp] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [boeajki] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [audjmeu] c:\winnt\ljaxmgr.exe
O4 - Startup: ATnotes.lnk = F:\miss\ATnotes\ATnotes.exe
O4 - Startup: HotSync Manager.lnk = F:\Palm\HOTSYNC.EXE
O4 - Startup: WinMySQLadmin.lnk = F:\mysql\bin\winmysqladmin.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = F:\Office2k\Office10\OSA.EXE
O4 - Global Startup: TaskZip.lnk = F:\util\TaskZip\TaskZip.exe
O4 - Global Startup: 3Com OfficeConnect Wireless 11g USB Adapter Utility.lnk = C:\Program Files\3Com\3Com OfficeConnect Wireless 11g USB Adapter Utility\drivers\WIN2K\3COMU11GMonitor.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\Office2k\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: Zend Studio - Debug current page - res://G:\zend_Studio\bin\ZendIEToolbar.dll/DebugCurrent.html
O8 - Extra context menu item: Zend Studio - Debug next page - res://G:\zend_Studio\bin\ZendIEToolbar.dll/DebugNext.html
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\sys_progs\ati multimedia\TV\EXPLBAR.DLL
O9 - Extra button: CUseeMe Conferencing Companion - {44EFB53C-C965-43CF-9F45-52242D134187} - f:\modem\cuseeme\Amigo.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\modem\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\modem\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - F:\modem\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - F:\modem\ICQ\ICQ.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Torrent Search IE Toolbar - {C9D0879E-F33F-4CA8-9137-6F2A0AEDCFB9} - C:\Program Files\Torrent Search IE Toolbar\torrent_search.dll
O9 - Extra 'Tools' menuitem: Torrent Search IE Toolbar - {C9D0879E-F33F-4CA8-9137-6F2A0AEDCFB9} - C:\Program Files\Torrent Search IE Toolbar\torrent_search.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: SmartWhois - {FD9DE2B4-C926-4460-81C4-FC58C6F1062E} - F:\modem\SMARTW~1\SWMSIE~1.EXE
O9 - Extra button: (no name) - {FF983118-58C7-4AD4-B5A7-691C39CB7B42} - F:\modem\SMARTW~1\SWMSIE~1.EXE
O9 - Extra 'Tools' menuitem: SmartWhois - {FF983118-58C7-4AD4-B5A7-691C39CB7B42} - F:\modem\SMARTW~1\SWMSIE~1.EXE
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - F:\miss\FLASHD~2\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - F:\miss\FLASHD~2\iebt.dll (HKCU)
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c283.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/c...cult3d/cult.cab
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akam...loadManager.ocx
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (WebEyeControl) - http://kotelcam.virt...m/wg_webeye.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.nor...c/bin/cabsa.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://toolbar.azese...l/azesearch.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{89B631F8-CB67-4ADF-9A06-A2965B178264}: NameServer = 192.115.106.35 62.219.186.7
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - F:\util\Norton Internet Security 2003\ccPxySvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - g:\ewido\security suite\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown owner - F:/mysql/bin/mysqld-nt.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\util\Norton AntiVirus 2003\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - F:\util\Norton Internet Security 2003\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - F:\util\Norton AntiVirus 2003\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - F:\util\Norton AntiVirus 2003\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#6
tampabelle
Posted 24 July 2005 - 06:58 AM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi eagle99,


Please print out these instructions or copy them into a text file on your Desktop for easy access.

During the fix, u will be asked to fix some entries, delete some files or uninstall some programs. If in case, you do not see those entries / files / programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.

1. Download Programs

Please download these programs and save them in a new folder on your desktop -

DelDomains.inf
about:buster by RubbeRDuckY.
CWShredder.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
2. Run Hijack This

Run Hijack This and click on scan. The following items need to be fixed -

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://abcsearch4u.com/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://abcsearch4u.com/sp.htm
R3 - URLSearchHook: LookSmart Toolbar - {CC8C8F4F-F2E8-404B-A43D-5CC57876A008} - F:\modem\eXeem\LookSmart Toolbar\toolbar.dll (file missing)
O2 - BHO: XBTB01232 Class - {BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408} - F:\modem\eXeem\LOOKSM~1\toolbar.dll (file missing)
O3 - Toolbar: LookSmart Toolbar - {CC8C8F4F-F2E8-404B-A43D-5CC57876A008} - F:\modem\eXeem\LookSmart Toolbar\toolbar.dll (file missing)
O4 - HKLM\..\RunServices: [microsoft server base] lass.exe
O4 - HKLM\..\RunServices: [Microsoft Hosting Service] winhosting.exe
O4 - HKLM\..\RunServices: [RSPC Driver] utne.exe
O4 - HKLM\..\RunServices: [ioroxxo microsoft sux] system32,1.exe
O4 - HKLM\..\RunServices: [Mircosoft Update] wuampkd.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update2] wuamwin.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [ioroxxo microsoft sux] system32,1.exe
O4 - HKCU\..\Run: [RSPC Driver] utne.exe
O4 - HKCU\..\Run: [Microsoft Hosting Service] winhosting.exe
O4 - HKCU\..\Run: [microsoft server base] lass.exe
O4 - HKCU\..\Run: [gcttaij] c:\winnt\bjxaxiv.exe
O4 - HKCU\..\Run: [yvrfuie] c:\winnt\yiivbei.exe
O4 - HKCU\..\Run: [hedscgm] c:\winnt\yiivbei.exe
O4 - HKCU\..\Run: [ahvdrbo] c:\winnt\yiivbei.exe
O4 - HKCU\..\Run: [ixdxdbi] c:\winnt\bhyasff.exe
O4 - HKCU\..\Run: [clvkrps] c:\winnt\bhyasff.exe
O4 - HKCU\..\Run: [nvxbjcm] c:\winnt\bhyasff.exe
O4 - HKCU\..\Run: [mhncfts] c:\winnt\bhyasff.exe
O4 - HKCU\..\Run: [epvghse] c:\winnt\bhyasff.exe
O4 - HKCU\..\Run: [yrilawi] c:\winnt\xdvvutv.exe
O4 - HKCU\..\Run: [vacbatr] c:\winnt\xdvvutv.exe
O4 - HKCU\..\Run: [mikotcv] c:\winnt\xdvvutv.exe
O4 - HKCU\..\Run: [xjqlfsu] c:\winnt\xdvvutv.exe
O4 - HKCU\..\Run: [etytvkh] c:\winnt\xdvvutv.exe
O4 - HKCU\..\Run: [nwawgjr] c:\winnt\xdvvutv.exe
O4 - HKCU\..\Run: [qiekfyc] c:\winnt\lfktgsi.exe
O4 - HKCU\..\Run: [kelpsnk] c:\winnt\lfktgsi.exe
O4 - HKCU\..\Run: [gelchbr] c:\winnt\lfktgsi.exe
O4 - HKCU\..\Run: [wbthlpj] c:\winnt\lfktgsi.exe
O4 - HKCU\..\Run: [jljtxmv] c:\winnt\lfktgsi.exe
O4 - HKCU\..\Run: [klbbhon] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [aupwitd] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [derkjma] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [owmbxtd] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [wegrqrj] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [nfmedwp] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [qsterck] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [yksaqgd] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [vpknjwt] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [gfoaxkf] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [cbbfmsb] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [wuabuku] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [bhtiavi] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [tcxgatm] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [tcfrxem] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [jdhttfb] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [ieufngy] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [gtghnjw] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [qxtgwck] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [xjxskho] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [oyaqfcu] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [wkyxbra] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [viijlau] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [djngmfp] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [boeajki] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [audjmeu] c:\winnt\ljaxmgr.exe
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c283.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://toolbar.azese...l/azesearch.cab

Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

Restart the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up).

3. Remove Infections

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run CleanUp!Reboot your computer into normal windows.


4. Delete Rogue files

Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following folders and files -

lass.exe
winhosting.exe
utne.exe
1.exe
wuampkd.exe
wuamwin.exe

Locate the above files using Windows Search function

c:\winnt\bjxaxiv.exe
c:\winnt\yiivbei.exe
c:\winnt\bhyasff.exe
c:\winnt\xdvvutv.exe
c:\winnt\lfktgsi.exe
c:\winnt\ljaxmgr.exe

Reboot the PC in Normal Mode.

Post a fresh HJT log along with the About Buster Log.
  • 0

#7
eagle99
Posted 24 July 2005 - 08:51 AM

eagle99

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts
O.K. I have done all the steps. Please note that on step 4 I could not locate the following files on any of the drives:

lass.exe
winhosting.exe
utne.exe
1.exe
wuampkd.exe
wuamwin.exe

also I got a message that I could not delte file:

c:\winnt\ljaxmgr.exe

here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 5:56:10 PM, on 7/24/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\util\Norton Internet Security 2003\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
F:\util\Norton Internet Security 2003\ccPxySvc.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
g:\ewido\security suite\ewidoctrl.exe
F:\mysql\bin\mysqld-nt.exe
F:\util\Norton AntiVirus 2003\navapsvc.exe
F:\util\Norton AntiVirus 2003\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
F:\util\Norton AntiVirus 2003\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\sys_progs\ATI Multimedia\RemCtrl\ATIX10.exe
C:\sys_prog\HP CD-DVD\Umbrella\hpcdtray.exe
C:\sys_prog\hewlett-packard\hp precisionscan\PrecisionScan\HPLamp.exe
F:\miss\Say the Time\SayTime.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\sound\Winamp5\winampa.exe
F:\sound\TotalRecorder42\TotRecSched.exe
C:\WINNT\System32\atiptaxx.exe
F:\util\SUPERN~1\SUPERNOTES.EXE
F:\video\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
F:\util\TaskZip\TaskZip.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\3Com\3Com OfficeConnect Wireless 11g USB Adapter Utility\drivers\WIN2K\3COMU11GMonitor.exe
F:\miss\ATnotes\ATnotes.exe
F:\Palm\HOTSYNC.EXE
F:\mysql\bin\winmysqladmin.exe
F:\util\TEXTPA~1\TextPad.exe
F:\util\Total Commander XP\TOTALCMD.EXE
G:\aa_stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://abcsearch4u.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://abcsearch4u.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://abcsearch4u.com/
F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: DgnWebIE - {2843DAC1-05EF-11D2-95BA-0060083493D6} - C:\WINNT\Speech\Dragon\web_ie.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\util\Norton AntiVirus 2003\NavShExt.dll
O2 - BHO: Bridge Class - {E479EDE1-923E-11D3-B82B-00E09871521B} - F:\modem\Compass\CompassIE.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\util\Norton AntiVirus 2003\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Zend Studio - {95188727-288F-4581-A48D-EAB3BD027314} - G:\zend_Studio\bin\ZendIEToolbar.dll
O3 - Toolbar: Torrent Search IE Toolbar - {C9D0879E-F33F-4CA8-9137-6F2A0AEDCFB9} - C:\Program Files\Torrent Search IE Toolbar\torrent_search.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [wvxbvih] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [gpqfuky] c:\winnt\ekkfanj.exe
O4 - Startup: ATnotes.lnk = F:\miss\ATnotes\ATnotes.exe
O4 - Startup: HotSync Manager.lnk = F:\Palm\HOTSYNC.EXE
O4 - Startup: WinMySQLadmin.lnk = F:\mysql\bin\winmysqladmin.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = F:\Office2k\Office10\OSA.EXE
O4 - Global Startup: TaskZip.lnk = F:\util\TaskZip\TaskZip.exe
O4 - Global Startup: 3Com OfficeConnect Wireless 11g USB Adapter Utility.lnk = C:\Program Files\3Com\3Com OfficeConnect Wireless 11g USB Adapter Utility\drivers\WIN2K\3COMU11GMonitor.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\Office2k\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: Zend Studio - Debug current page - res://G:\zend_Studio\bin\ZendIEToolbar.dll/DebugCurrent.html
O8 - Extra context menu item: Zend Studio - Debug next page - res://G:\zend_Studio\bin\ZendIEToolbar.dll/DebugNext.html
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\sys_progs\ati multimedia\TV\EXPLBAR.DLL
O9 - Extra button: CUseeMe Conferencing Companion - {44EFB53C-C965-43CF-9F45-52242D134187} - f:\modem\cuseeme\Amigo.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\modem\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\modem\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - F:\modem\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - F:\modem\ICQ\ICQ.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Torrent Search IE Toolbar - {C9D0879E-F33F-4CA8-9137-6F2A0AEDCFB9} - C:\Program Files\Torrent Search IE Toolbar\torrent_search.dll
O9 - Extra 'Tools' menuitem: Torrent Search IE Toolbar - {C9D0879E-F33F-4CA8-9137-6F2A0AEDCFB9} - C:\Program Files\Torrent Search IE Toolbar\torrent_search.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: SmartWhois - {FD9DE2B4-C926-4460-81C4-FC58C6F1062E} - F:\modem\SMARTW~1\SWMSIE~1.EXE
O9 - Extra button: (no name) - {FF983118-58C7-4AD4-B5A7-691C39CB7B42} - F:\modem\SMARTW~1\SWMSIE~1.EXE
O9 - Extra 'Tools' menuitem: SmartWhois - {FF983118-58C7-4AD4-B5A7-691C39CB7B42} - F:\modem\SMARTW~1\SWMSIE~1.EXE
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - F:\miss\FLASHD~2\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - F:\miss\FLASHD~2\iebt.dll (HKCU)
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/c...cult3d/cult.cab
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akam...loadManager.ocx
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (WebEyeControl) - http://kotelcam.virt...m/wg_webeye.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.nor...c/bin/cabsa.cab
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - F:\util\Norton Internet Security 2003\ccPxySvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - g:\ewido\security suite\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown owner - F:/mysql/bin/mysqld-nt.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\util\Norton AntiVirus 2003\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - F:\util\Norton Internet Security 2003\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - F:\util\Norton AntiVirus 2003\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - F:\util\Norton AntiVirus 2003\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#8
tampabelle
Posted 24 July 2005 - 10:04 AM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi eagle99,

Step 1
Right click on the file DelDomains.inf, which you downloaded earlier and then click on Install.

Step 2
Run Hijack This and click on scan. The following items need to be fixed -

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://abcsearch4u.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://abcsearch4u.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://abcsearch4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://abcsearch4u.com/
O4 - HKCU\..\Run: [wvxbvih] c:\winnt\ljaxmgr.exe
O4 - HKCU\..\Run: [gpqfuky] c:\winnt\ekkfanj.exe

Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

Step 3

1) Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

2) please run Killbox.

3) Select "Delete on Reboot".

4) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

c:\winnt\ljaxmgr.exe
c:\winnt\ekkfanj.exe

5) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

6) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again..

Let the system reboot.

Post a fresh HJT log here

Edited by tampabelle, 24 July 2005 - 10:05 AM.

  • 0

#9
eagle99
Posted 24 July 2005 - 10:38 AM

eagle99

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts
done. here is the HJT log file

Logfile of HijackThis v1.99.1
Scan saved at 7:45:10 PM, on 7/24/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\util\Norton Internet Security 2003\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
F:\util\Norton Internet Security 2003\ccPxySvc.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
g:\ewido\security suite\ewidoctrl.exe
F:\mysql\bin\mysqld-nt.exe
F:\util\Norton AntiVirus 2003\navapsvc.exe
F:\util\Norton AntiVirus 2003\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
F:\util\Norton AntiVirus 2003\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\sys_progs\ATI Multimedia\RemCtrl\ATIX10.exe
C:\sys_prog\HP CD-DVD\Umbrella\hpcdtray.exe
C:\sys_prog\hewlett-packard\hp precisionscan\PrecisionScan\HPLamp.exe
F:\miss\Say the Time\SayTime.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\sound\Winamp5\winampa.exe
C:\WINNT\System32\rundll32.exe
F:\sound\TotalRecorder42\TotRecSched.exe
C:\WINNT\System32\atiptaxx.exe
F:\util\SUPERN~1\SUPERNOTES.EXE
F:\video\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
F:\util\TaskZip\TaskZip.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\3Com\3Com OfficeConnect Wireless 11g USB Adapter Utility\drivers\WIN2K\3COMU11GMonitor.exe
F:\miss\ATnotes\ATnotes.exe
F:\Palm\HOTSYNC.EXE
F:\mysql\bin\winmysqladmin.exe
F:\util\TEXTPA~1\TextPad.exe
F:\util\Total Commander XP\TOTALCMD.EXE
G:\aa_stuff\virus free\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: DgnWebIE - {2843DAC1-05EF-11D2-95BA-0060083493D6} - C:\WINNT\Speech\Dragon\web_ie.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\util\Norton AntiVirus 2003\NavShExt.dll
O2 - BHO: Bridge Class - {E479EDE1-923E-11D3-B82B-00E09871521B} - F:\modem\Compass\CompassIE.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\util\Norton AntiVirus 2003\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Zend Studio - {95188727-288F-4581-A48D-EAB3BD027314} - G:\zend_Studio\bin\ZendIEToolbar.dll
O3 - Toolbar: Torrent Search IE Toolbar - {C9D0879E-F33F-4CA8-9137-6F2A0AEDCFB9} - C:\Program Files\Torrent Search IE Toolbar\torrent_search.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Startup: ATnotes.lnk = F:\miss\ATnotes\ATnotes.exe
O4 - Startup: HotSync Manager.lnk = F:\Palm\HOTSYNC.EXE
O4 - Startup: WinMySQLadmin.lnk = F:\mysql\bin\winmysqladmin.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = F:\Office2k\Office10\OSA.EXE
O4 - Global Startup: TaskZip.lnk = F:\util\TaskZip\TaskZip.exe
O4 - Global Startup: 3Com OfficeConnect Wireless 11g USB Adapter Utility.lnk = C:\Program Files\3Com\3Com OfficeConnect Wireless 11g USB Adapter Utility\drivers\WIN2K\3COMU11GMonitor.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\Office2k\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: Zend Studio - Debug current page - res://G:\zend_Studio\bin\ZendIEToolbar.dll/DebugCurrent.html
O8 - Extra context menu item: Zend Studio - Debug next page - res://G:\zend_Studio\bin\ZendIEToolbar.dll/DebugNext.html
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\sys_progs\ati multimedia\TV\EXPLBAR.DLL
O9 - Extra button: CUseeMe Conferencing Companion - {44EFB53C-C965-43CF-9F45-52242D134187} - f:\modem\cuseeme\Amigo.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\modem\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\modem\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - F:\modem\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - F:\modem\ICQ\ICQ.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Torrent Search IE Toolbar - {C9D0879E-F33F-4CA8-9137-6F2A0AEDCFB9} - C:\Program Files\Torrent Search IE Toolbar\torrent_search.dll
O9 - Extra 'Tools' menuitem: Torrent Search IE Toolbar - {C9D0879E-F33F-4CA8-9137-6F2A0AEDCFB9} - C:\Program Files\Torrent Search IE Toolbar\torrent_search.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: SmartWhois - {FD9DE2B4-C926-4460-81C4-FC58C6F1062E} - F:\modem\SMARTW~1\SWMSIE~1.EXE
O9 - Extra button: (no name) - {FF983118-58C7-4AD4-B5A7-691C39CB7B42} - F:\modem\SMARTW~1\SWMSIE~1.EXE
O9 - Extra 'Tools' menuitem: SmartWhois - {FF983118-58C7-4AD4-B5A7-691C39CB7B42} - F:\modem\SMARTW~1\SWMSIE~1.EXE
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - F:\miss\FLASHD~2\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - F:\miss\FLASHD~2\iebt.dll (HKCU)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/c...cult3d/cult.cab
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akam...loadManager.ocx
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (WebEyeControl) - http://kotelcam.virt...m/wg_webeye.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.nor...c/bin/cabsa.cab
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - F:\util\Norton Internet Security 2003\ccPxySvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - g:\ewido\security suite\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown owner - F:/mysql/bin/mysqld-nt.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\util\Norton AntiVirus 2003\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - F:\util\Norton Internet Security 2003\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - F:\util\Norton AntiVirus 2003\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - F:\util\Norton AntiVirus 2003\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#10
tampabelle
Posted 24 July 2005 - 11:02 AM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi eagle99,


Run Hijack This and click on scan. The following items need to be fixed -

O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)

Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.


How is your PC behaving now ????
  • 0

Advertisements

#11
eagle99
Posted 24 July 2005 - 11:48 AM

eagle99

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts
The system seems to be running much better. I guess I had a few problems that you miraculously figured out. I seem to still have a corrupted desktop wallpaper (that says “Warning your computer might be infected.....) that I can’t seem to change. Any ideas on how to fix that?
Thanks.

I am also sending the log file.


Logfile of HijackThis v1.99.1
Scan saved at 8:56:58 PM, on 7/24/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\util\Norton Internet Security 2003\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
F:\util\Norton Internet Security 2003\ccPxySvc.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
g:\ewido\security suite\ewidoctrl.exe
F:\mysql\bin\mysqld-nt.exe
F:\util\Norton AntiVirus 2003\navapsvc.exe
F:\util\Norton AntiVirus 2003\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
F:\util\Norton AntiVirus 2003\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\sys_progs\ATI Multimedia\RemCtrl\ATIX10.exe
C:\sys_prog\HP CD-DVD\Umbrella\hpcdtray.exe
C:\sys_prog\hewlett-packard\hp precisionscan\PrecisionScan\HPLamp.exe
F:\miss\Say the Time\SayTime.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\sound\Winamp5\winampa.exe
C:\WINNT\System32\rundll32.exe
F:\sound\TotalRecorder42\TotRecSched.exe
C:\WINNT\System32\atiptaxx.exe
F:\util\SUPERN~1\SUPERNOTES.EXE
F:\video\QuickTime\qttask.exe
F:\util\TaskZip\TaskZip.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\3Com\3Com OfficeConnect Wireless 11g USB Adapter Utility\drivers\WIN2K\3COMU11GMonitor.exe
F:\miss\ATnotes\ATnotes.exe
F:\Palm\HOTSYNC.EXE
F:\mysql\bin\winmysqladmin.exe
F:\util\TEXTPA~1\TextPad.exe
F:\util\Total Commander XP\TOTALCMD.EXE
F:\modem\mozilla\firefox.exe
C:\WINNT\System32\wuamwin.exe
F:\Corel\wp11\Programs\wpwin11.exe
G:\aa_stuff\virus free\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: DgnWebIE - {2843DAC1-05EF-11D2-95BA-0060083493D6} - C:\WINNT\Speech\Dragon\web_ie.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\util\Norton AntiVirus 2003\NavShExt.dll
O2 - BHO: Bridge Class - {E479EDE1-923E-11D3-B82B-00E09871521B} - F:\modem\Compass\CompassIE.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\util\Norton AntiVirus 2003\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Zend Studio - {95188727-288F-4581-A48D-EAB3BD027314} - G:\zend_Studio\bin\ZendIEToolbar.dll
O3 - Toolbar: Torrent Search IE Toolbar - {C9D0879E-F33F-4CA8-9137-6F2A0AEDCFB9} - C:\Program Files\Torrent Search IE Toolbar\torrent_search.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\RunServices: [Microsoft Windows Update2] wuamwin.exe
O4 - Startup: ATnotes.lnk = F:\miss\ATnotes\ATnotes.exe
O4 - Startup: HotSync Manager.lnk = F:\Palm\HOTSYNC.EXE
O4 - Startup: WinMySQLadmin.lnk = F:\mysql\bin\winmysqladmin.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = F:\Office2k\Office10\OSA.EXE
O4 - Global Startup: TaskZip.lnk = F:\util\TaskZip\TaskZip.exe
O4 - Global Startup: 3Com OfficeConnect Wireless 11g USB Adapter Utility.lnk = C:\Program Files\3Com\3Com OfficeConnect Wireless 11g USB Adapter Utility\drivers\WIN2K\3COMU11GMonitor.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\Office2k\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: Zend Studio - Debug current page - res://G:\zend_Studio\bin\ZendIEToolbar.dll/DebugCurrent.html
O8 - Extra context menu item: Zend Studio - Debug next page - res://G:\zend_Studio\bin\ZendIEToolbar.dll/DebugNext.html
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\sys_progs\ati multimedia\TV\EXPLBAR.DLL
O9 - Extra button: CUseeMe Conferencing Companion - {44EFB53C-C965-43CF-9F45-52242D134187} - f:\modem\cuseeme\Amigo.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\modem\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\modem\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - F:\modem\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - F:\modem\ICQ\ICQ.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Torrent Search IE Toolbar - {C9D0879E-F33F-4CA8-9137-6F2A0AEDCFB9} - C:\Program Files\Torrent Search IE Toolbar\torrent_search.dll
O9 - Extra 'Tools' menuitem: Torrent Search IE Toolbar - {C9D0879E-F33F-4CA8-9137-6F2A0AEDCFB9} - C:\Program Files\Torrent Search IE Toolbar\torrent_search.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: SmartWhois - {FD9DE2B4-C926-4460-81C4-FC58C6F1062E} - F:\modem\SMARTW~1\SWMSIE~1.EXE
O9 - Extra button: (no name) - {FF983118-58C7-4AD4-B5A7-691C39CB7B42} - F:\modem\SMARTW~1\SWMSIE~1.EXE
O9 - Extra 'Tools' menuitem: SmartWhois - {FF983118-58C7-4AD4-B5A7-691C39CB7B42} - F:\modem\SMARTW~1\SWMSIE~1.EXE
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - F:\miss\FLASHD~2\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - F:\miss\FLASHD~2\iebt.dll (HKCU)
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/c...cult3d/cult.cab
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akam...loadManager.ocx
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (WebEyeControl) - http://kotelcam.virt...m/wg_webeye.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.nor...c/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{89B631F8-CB67-4ADF-9A06-A2965B178264}: NameServer = 62.219.186.7 192.115.106.35
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - F:\util\Norton Internet Security 2003\ccPxySvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - g:\ewido\security suite\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown owner - F:/mysql/bin/mysqld-nt.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\util\Norton AntiVirus 2003\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - F:\util\Norton Internet Security 2003\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - F:\util\Norton AntiVirus 2003\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - F:\util\Norton AntiVirus 2003\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#12
tampabelle
Posted 24 July 2005 - 11:59 AM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi eagle99,


Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop.

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows.

Let me know how it goes !!!!!!!
  • 0

#13
eagle99
Posted 24 July 2005 - 12:42 PM

eagle99

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts
My boring but beautiful blue background is back. Awesome! I even rebooted the computer to make sure it would stay, and it did.
Thank you for your time and patience.
How can I avoid an attach like this in the future? I have Norton with a firewall and antivirous? Do you recommend anything?



smitRem log file
version 2.2

by noahdfear

The current date is: Sun 07/24/2005
The current time is: 21:27:17.79

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~

PSGuard spyware remover
PSGuard spyware remover.lnk
quick launch PSGuard spyware remover.lnk


~~~ Favorites ~~~

adult
shopping


~~~ system32 folder ~~~

oleext.dll
wppp.html
logfiles


~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~

adult
shopping


~~~ system32 folder ~~~

oleext.dll
wppp.html
logfiles


~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN!
  • 0

#14
tampabelle
Posted 24 July 2005 - 02:32 PM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi eagle99,

Reboot the PC in Safe Mode.

Locate and delete the files -

C:\WinNT\system32\oleext.dll
C:\WinNT\system32\wppp.html

Let me know how it goes
  • 0

#15
eagle99
Posted 24 July 2005 - 03:21 PM

eagle99

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts
Everything seems to be working. I guess I should use a different firewall so this does not happen again.
This site is a great resource!
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP