REMOVING WINSTAT [CLOSED]

#1 GlitcherX (New Member, 7 posts)
What's up guys? This all started when I realized I had winstat. I went looking for a resolution and found HijackThis. I was hoping somebody would be nice enough to take a look at my HijackThis log for me and tell me what to delete to optimize my system. Don't wanna get rid of anything important. Thanks, I really appreciate it.


Logfile of HijackThis v1.99.1
Scan saved at 9:00:11 PM, on 7/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\PhatNoise Media Manager\PNAgent.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\system32\MSDatsvr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Adam\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O1 - Hosts: 127.0.0.0 localhost
O1 - Hosts: 127.0.0.2 auditmypc.com
O1 - Hosts: 127.0.0.4 bulletproofsoft.net
O1 - Hosts: 127.0.0.5 camtech2000.net
O1 - Hosts: 127.0.0.6 cexx.org
O1 - Hosts: 127.0.0.7 computercops.us
O1 - Hosts: 127.0.0.8 ct7support.com
O1 - Hosts: 127.0.0.9 doxdesk.com
O1 - Hosts: 127.0.0.20 kellys-korner-xp.com
O1 - Hosts: 127.0.0.21 kephyr.com
O1 - Hosts: 127.0.0.24 lurkhere.com
O1 - Hosts: 127.0.0.25 majorgeeks.com
O1 - Hosts: 127.0.0.26 merijn.org
O1 - Hosts: 127.0.0.27 mjc1.com
O1 - Hosts: 127.0.0.28 moosoft.com
O1 - Hosts: 127.0.0.29 mvps.org
O1 - Hosts: 127.0.0.30 net-integration.net
O1 - Hosts: 127.0.0.31 noadware.net
O1 - Hosts: 127.0.0.32 no-spybot.com
O1 - Hosts: 127.0.0.33 onlinepcfix.com
O1 - Hosts: 127.0.0.34 pchell.com
O1 - Hosts: 127.0.0.35 pestpatrol.com
O1 - Hosts: 127.0.0.36 safer-networking.org
O1 - Hosts: 127.0.0.37 secure.spykiller.com
O1 - Hosts: 127.0.0.38 secureie.com
O1 - Hosts: 127.0.0.39 security.kolla.de
O1 - Hosts: 127.0.0.40 spybot.info
O1 - Hosts: 127.0.0.41 spychecker.com
O1 - Hosts: 127.0.0.42 spychecker.com
O1 - Hosts: 127.0.0.43 spycop.com
O1 - Hosts: 127.0.0.44 spyguard.com
O1 - Hosts: 127.0.0.45 spykiller.com
O1 - Hosts: 127.0.0.46 spyware.co.uk
O1 - Hosts: 127.0.0.47 spyware-cop.com
O1 - Hosts: 127.0.0.48 spywareinfo.com
O1 - Hosts: 127.0.0.50 spywareremove.com
O1 - Hosts: 127.0.0.51 spywareremove.com
O1 - Hosts: 127.0.0.52 stopzillapro.com
O1 - Hosts: 127.0.0.53 sunbelt-software.com
O1 - Hosts: 127.0.0.54 thiefware.com
O1 - Hosts: 127.0.0.55 tomcoyote.org
O1 - Hosts: 127.0.0.56 unwantedlinks.com
O1 - Hosts: 127.0.0.57 webattack.com
O1 - Hosts: 127.0.0.58 wilders.org
O1 - Hosts: 127.0.0.59 www.auditmypc.com
O1 - Hosts: 127.0.0.60 www.bulletproofsoft.net
O1 - Hosts: 127.0.0.61 www.cexx.org
O1 - Hosts: 127.0.0.62 www.computercops.us
O1 - Hosts: 127.0.0.63 www.ct7support.com
O1 - Hosts: 127.0.0.64 www.doxdesk.com
O1 - Hosts: 127.0.0.65 www.eblocs.com
O1 - Hosts: 127.0.0.66 www.enigmasoftwaregroup.com
O1 - Hosts: 127.0.0.67 www.free-spyware-scan.com
O1 - Hosts: 127.0.0.68 www.free-web-browsers.com
O1 - Hosts: 127.0.0.69 www.grc.com
O1 - Hosts: 127.0.0.70 www.grisoft.com
O1 - Hosts: 127.0.0.71 www.hackfaq.org
O1 - Hosts: 127.0.0.72 www.hazeleger.net
O1 - Hosts: 127.0.0.73 www.javacoolsoftware.com
O1 - Hosts: 127.0.0.74 www.kellys-korner-xp.com
O1 - Hosts: 127.0.0.75 www.kephyr.com
O1 - Hosts: 127.0.0.78 www.lurkhere.com
O1 - Hosts: 127.0.0.79 www.majorgeeks.com
O1 - Hosts: 127.0.0.80 www.merijn.org
O1 - Hosts: 127.0.0.81 www.mjc1.com
O1 - Hosts: 127.0.0.82 www.moosoft.com
O1 - Hosts: 127.0.0.83 www.mvps.org
O1 - Hosts: 127.0.0.84 www.net-integration.net
O1 - Hosts: 127.0.0.85 www.noadware.net
O1 - Hosts: 127.0.0.86 www.no-spybot.com
O1 - Hosts: 127.0.0.87 www.onlinepcfix.com
O1 - Hosts: 127.0.0.88 www.pchell.com
O1 - Hosts: 127.0.0.89 www.pestpatrol.com
O1 - Hosts: 127.0.0.90 www.safer-networking.org
O1 - Hosts: 127.0.0.91 www.secureie.com
O1 - Hosts: 127.0.0.92 www.security.kolla.de
O1 - Hosts: 127.0.0.93 www.spybot.info
O1 - Hosts: 127.0.0.94 www.spychecker.com
O1 - Hosts: 127.0.0.95 www.spychecker.com
O1 - Hosts: 127.0.0.96 www.spycop.com
O1 - Hosts: 127.0.0.97 www.spyguard.com
O1 - Hosts: 127.0.0.98 www.spykiller.com
O1 - Hosts: 127.0.0.99 www.spyware.co.uk
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O1 - Hosts: 1 www.www2.browser
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CATLEvents Object - {13589181-4F0D-4553-B9F8-B4B72172C139} - C:\DOCUME~1\Leonard\LOCALS~1\Temp\src.dat (file missing)
O2 - BHO: Game Bar - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D} - C:\WINDOWS\DOWNLO~1\gamebar.dll
O3 - Toolbar: Game Bar - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D} - C:\WINDOWS\DOWNLO~1\gamebar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [libole] C:\WINDOWS\system\libole.exe
O4 - HKLM\..\Run: [*libole] C:\WINDOWS\system\libole.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [*utilsvc] C:\WINDOWS\system32\URTTemp\utilsvc.exe
O4 - HKLM\..\Run: [*faxhard] C:\WINDOWS\system\faxhard.exe
O4 - HKLM\..\Run: [*expweb] C:\WINDOWS\Driver Cache\expweb.exe
O4 - HKLM\..\Run: [*vbtcp] C:\WINDOWS\repair\vbtcp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PNAgent] "C:\Program Files\PhatNoise Media Manager\PNAgent.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LimeShop] wjview /cp:p "C:\Program Files\LimeShop\System\Code" Main lp: "C:\Program Files\LimeShop"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [xssg3pi] iomrsrc.exe
O4 - HKLM\..\Run: [AutoLoaderxF3G1dXeWRad] "C:\WINDOWS\system32\iomrsrc.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [gB3mRfGsh] sel_hp.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Image Transfer.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony...ct/VaioInfo.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by10fd.bay10....es/MsnPUpld.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one...ransferCtrl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{49CCE9D0-6F79-47AC-B978-2BE74DADD552}: NameServer = 192.168.0.1
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: cbas - C:\DOCUME~1\Leonard\LOCALS~1\Temp\sabc.dat (file missing)
O20 - Winlogon Notify: cdns - C:\DOCUME~1\Leonard\LOCALS~1\Temp\sndc.dat (file missing)
O20 - Winlogon Notify: crs - C:\DOCUME~1\Leonard\LOCALS~1\Temp\src.dat (file missing)
O20 - Winlogon Notify: ipdisk - C:\DOCUME~1\Leonard\LOCALS~1\Temp\ksidpi.dat (file missing)
O20 - Winlogon Notify: kbtcp - C:\DOCUME~1\Leonard\LOCALS~1\Temp\pctbk.dat (file missing)
O20 - Winlogon Notify: webutil - C:\DOCUME~1\Leonard\LOCALS~1\Temp\litubew.dat (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe



Thanks again.

#2 kool808 (Visiting Staff, 1,690 posts)
Hello and welcome to Geeks to Go! I'm kool808 and I will be helping you today.

I am working on your log. As soon as I have made a good fix for this, I will post a reply. Thank you for your patience.

#3 kool808 (Visiting Staff, 1,690 posts)
Download the Hoster: http://www.funkytoad.com/download/hoster.zip
DO NOT run the program yet.

Unzip Hoster to your desktop.

Open up the Hoster program folder, then double-click Hoster.exe.
  • Make sure that the instruction found in the upper-right corner is labeled as the one shown below. Otherwise, if the label is RED, click the button just to the right of it to change the label and color back.

    "Your Host file is editable. Click button to right to make your Hosts file Read-only"

  • Click Back-up Host files
  • Then click Restore original host files
  • Close the program.
  • Close all windows, open HijackThis then SCAN.
  • Post a NEW HijackThis Log.
  • Please tell me how your system is working now.


#4 GlitcherX (Topic Starter, New Member, 7 posts)
Thanks man, I really appreciate your help. Let me know if there's anything else I should do. Thanks again.

Logfile of HijackThis v1.99.1
Scan saved at 10:57:06 AM, on 7/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\PhatNoise Media Manager\PNAgent.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\system32\MSDatsvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\winlogon.exe
C:\Documents and Settings\Adam\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CATLEvents Object - {13589181-4F0D-4553-B9F8-B4B72172C139} - C:\DOCUME~1\Leonard\LOCALS~1\Temp\src.dat (file missing)
O2 - BHO: Game Bar - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D} - C:\WINDOWS\DOWNLO~1\gamebar.dll
O3 - Toolbar: Game Bar - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D} - C:\WINDOWS\DOWNLO~1\gamebar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [libole] C:\WINDOWS\system\libole.exe
O4 - HKLM\..\Run: [*libole] C:\WINDOWS\system\libole.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [*utilsvc] C:\WINDOWS\system32\URTTemp\utilsvc.exe
O4 - HKLM\..\Run: [*faxhard] C:\WINDOWS\system\faxhard.exe
O4 - HKLM\..\Run: [*expweb] C:\WINDOWS\Driver Cache\expweb.exe
O4 - HKLM\..\Run: [*vbtcp] C:\WINDOWS\repair\vbtcp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PNAgent] "C:\Program Files\PhatNoise Media Manager\PNAgent.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LimeShop] wjview /cp:p "C:\Program Files\LimeShop\System\Code" Main lp: "C:\Program Files\LimeShop"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [xssg3pi] iomrsrc.exe
O4 - HKLM\..\Run: [AutoLoaderxF3G1dXeWRad] "C:\WINDOWS\system32\iomrsrc.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [gB3mRfGsh] sel_hp.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Image Transfer.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony...ct/VaioInfo.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by10fd.bay10....es/MsnPUpld.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one...ransferCtrl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{49CCE9D0-6F79-47AC-B978-2BE74DADD552}: NameServer = 192.168.0.1
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: cbas - C:\DOCUME~1\Leonard\LOCALS~1\Temp\sabc.dat (file missing)
O20 - Winlogon Notify: cdns - C:\DOCUME~1\Leonard\LOCALS~1\Temp\sndc.dat (file missing)
O20 - Winlogon Notify: crs - C:\DOCUME~1\Leonard\LOCALS~1\Temp\src.dat (file missing)
O20 - Winlogon Notify: ipdisk - C:\DOCUME~1\Leonard\LOCALS~1\Temp\ksidpi.dat (file missing)
O20 - Winlogon Notify: kbtcp - C:\DOCUME~1\Leonard\LOCALS~1\Temp\pctbk.dat (file missing)
O20 - Winlogon Notify: webutil - C:\DOCUME~1\Leonard\LOCALS~1\Temp\litubew.dat (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

#5 GlitcherX (Topic Starter, New Member, 7 posts)
Thanks man, I really appreciate your help. Let me know if there's anything else I should do. Thanks again.

Logfile of HijackThis v1.99.1
Scan saved at 10:57:06 AM, on 7/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\PhatNoise Media Manager\PNAgent.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\system32\MSDatsvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\winlogon.exe
C:\Documents and Settings\Adam\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CATLEvents Object - {13589181-4F0D-4553-B9F8-B4B72172C139} - C:\DOCUME~1\Leonard\LOCALS~1\Temp\src.dat (file missing)
O2 - BHO: Game Bar - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D} - C:\WINDOWS\DOWNLO~1\gamebar.dll
O3 - Toolbar: Game Bar - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D} - C:\WINDOWS\DOWNLO~1\gamebar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [libole] C:\WINDOWS\system\libole.exe
O4 - HKLM\..\Run: [*libole] C:\WINDOWS\system\libole.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [*utilsvc] C:\WINDOWS\system32\URTTemp\utilsvc.exe
O4 - HKLM\..\Run: [*faxhard] C:\WINDOWS\system\faxhard.exe
O4 - HKLM\..\Run: [*expweb] C:\WINDOWS\Driver Cache\expweb.exe
O4 - HKLM\..\Run: [*vbtcp] C:\WINDOWS\repair\vbtcp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PNAgent] "C:\Program Files\PhatNoise Media Manager\PNAgent.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LimeShop] wjview /cp:p "C:\Program Files\LimeShop\System\Code" Main lp: "C:\Program Files\LimeShop"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [xssg3pi] iomrsrc.exe
O4 - HKLM\..\Run: [AutoLoaderxF3G1dXeWRad] "C:\WINDOWS\system32\iomrsrc.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [gB3mRfGsh] sel_hp.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Image Transfer.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony...ct/VaioInfo.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by10fd.bay10....es/MsnPUpld.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one...ransferCtrl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{49CCE9D0-6F79-47AC-B978-2BE74DADD552}: NameServer = 192.168.0.1
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: cbas - C:\DOCUME~1\Leonard\LOCALS~1\Temp\sabc.dat (file missing)
O20 - Winlogon Notify: cdns - C:\DOCUME~1\Leonard\LOCALS~1\Temp\sndc.dat (file missing)
O20 - Winlogon Notify: crs - C:\DOCUME~1\Leonard\LOCALS~1\Temp\src.dat (file missing)
O20 - Winlogon Notify: ipdisk - C:\DOCUME~1\Leonard\LOCALS~1\Temp\ksidpi.dat (file missing)
O20 - Winlogon Notify: kbtcp - C:\DOCUME~1\Leonard\LOCALS~1\Temp\pctbk.dat (file missing)
O20 - Winlogon Notify: webutil - C:\DOCUME~1\Leonard\LOCALS~1\Temp\litubew.dat (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


[Sorry to barge in Kool, keep on with this topic.]
[GlitcherX, please keep all the posts in the thread in which you are being helped. Use the Add Reply function!]

Edited by Rawe, 23 July 2005 - 11:28 AM.


#6 kool808 (Visiting Staff, 1,690 posts)
Please SAVE THIS PAGE or secure a PRINT COPY of the instructions for reference.
++++++++++++++++++++++++++++++++++++++++++++

Please download the trial version of Ewido Security Suite 3.5 here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Download and install Cleanup. Do NOT run it yet.

Reboot in SAFE MODE. (How to boot in Safe Mode...)
++++++++++++++++++++++++++++++++++++++++++++
  • Uninstallation
    We need to uninstall the following programs:
  • Go to Control Panel > Add/Remove Programs
  • Please locate, if they exist:
    • Lime Shop
  • Click Uninstall
  • Confirm with OK
++++++++++++++++++++++++++++++++++++++++++++
Please close all remaining windows, disconnect from the internet, open HijackThis then click SCAN. Please put a check on the following items listed below:

O2 - BHO: CATLEvents Object - {13589181-4F0D-4553-B9F8-B4B72172C139} - C:\DOCUME~1\Leonard\LOCALS~1\Temp\src.dat (file missing)
O2 - BHO: Game Bar - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D} - C:\WINDOWS\DOWNLO~1\gamebar.dll
O3 - Toolbar: Game Bar - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D} - C:\WINDOWS\DOWNLO~1\gamebar.dll

O4 - HKLM\..\Run: [LimeShop] wjview /cp:p "C:\Program Files\LimeShop\System\Code" Main lp: "C:\Program Files\LimeShop"
O4 - Global Startup: Image Transfer.lnk = ?

O20 - Winlogon Notify: cbas - C:\DOCUME~1\Leonard\LOCALS~1\Temp\sabc.dat (file missing)
O20 - Winlogon Notify: cdns - C:\DOCUME~1\Leonard\LOCALS~1\Temp\sndc.dat (file missing)
O20 - Winlogon Notify: crs - C:\DOCUME~1\Leonard\LOCALS~1\Temp\src.dat (file missing)
O20 - Winlogon Notify: ipdisk - C:\DOCUME~1\Leonard\LOCALS~1\Temp\ksidpi.dat (file missing)
O20 - Winlogon Notify: kbtcp - C:\DOCUME~1\Leonard\LOCALS~1\Temp\pctbk.dat (file missing)
O20 - Winlogon Notify: webutil - C:\DOCUME~1\Leonard\LOCALS~1\Temp\litubew.dat (file missing)


Make sure to double check the items you have selected, then click Fix Checked.

++++++++++++++++++++++++++++++++++++++++++++
Run Ewido:
  • Click on Scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
  • Close Ewido

++++++++++++++++++++++++++++++++++++++++++++
Be sure to View Hidden and System Files.

Through Windows Explorer, delete the following folder(s) or file(s) if they exist:
  • C:\WINDOWS\DOWNLO~1\gamebar.dll
  • C:\Program Files\LimeShop <-- whole folder
Finally, Empty Recycle Bin

++++++++++++++++++++++++++++++++++++++++++++
Now run CleanUp. When you click the Close button you will be prompted to reboot, agree to it.

Once in NORMAL MODE, have an on-line scan at these sites: Trend Micro or Panda Scan or BitDefender.
  • Close all windows, open HijackThis then SCAN.
  • Post a NEW HijackThis Log.
  • Post the report from Ewido.
  • Post the results from Panda Scan and Trend Micro.
  • Please tell me how your system is working now.

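The hosts-file restore in post #3 and the fix list above both act on three kinds of HijackThis line: O1 hosts overrides, O4 Run values and O20 Winlogon Notify packages. As an added example (not part of the thread, and not HijackThis's own code), this Python script parses a constructed subset of the posted log and flags the patterns the helper acted on: non-localhost names redirected to loopback, asterisk-prefixed or pathless Run values and Run values launched from rarely used directories, and Winlogon Notify entries that point into Temp or whose file is already missing.

```python
"""Triage helpers for HijackThis v1.99 log lines (added example, not from the thread)."""
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the lines posted above, in the same format.
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.0 localhost
O1 - Hosts: 127.0.0.2 auditmypc.com
O1 - Hosts: 127.0.0.36 safer-networking.org
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O1 - Hosts: 1 www.www2.browser
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [*vbtcp] C:\WINDOWS\repair\vbtcp.exe
O4 - HKLM\..\Run: [xssg3pi] iomrsrc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: crs - C:\DOCUME~1\Leonard\LOCALS~1\Temp\src.dat (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]+)\] (.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")

# Directories that legitimate autostarts almost never launch from (all seen in the log above).
UNUSUAL_DIRS = ("\\windows\\system\\", "\\repair\\", "\\driver cache\\", "\\urttemp\\", "\\temp\\")


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code: O1, O4 or O20
    subject: str   # host name, Run value name or Notify package name
    reason: str    # why a human should review this line
    line: str      # the original log line


def check_hosts(addr: str, host: str, line: str) -> list[Finding]:
    """A hosts entry is a local DNS override; loopback targets silently block the name."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return [Finding("O1", host, "malformed hosts entry (address is not an IP)", line)]
    if host.lower() == "localhost":
        return []  # the one entry every hosts file is expected to carry
    if ip.is_loopback:
        return [Finding("O1", host, "redirected to loopback: the site is silently blocked", line)]
    return [Finding("O1", host, f"pinned to {addr}: bypasses DNS for this name", line)]


def command_image(command: str) -> str:
    """Extract the executable from a Run value: the quoted path, or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def check_run(name: str, command: str, line: str) -> list[Finding]:
    out: list[Finding] = []
    if name.startswith("*"):
        # The asterisk prefix tells Windows to run the value in Safe Mode as well.
        out.append(Finding("O4", name, "asterisk prefix: also runs in Safe Mode", line))
    image = command_image(command)
    if "\\" not in image:
        out.append(Finding("O4", name, f"bare file name {image!r}: no path, resolved via search order", line))
    elif any(d in image.lower() for d in UNUSUAL_DIRS):
        out.append(Finding("O4", name, f"autostart from unusual directory: {image}", line))
    return out


def check_notify(name: str, target: str, line: str) -> list[Finding]:
    out: list[Finding] = []
    low = target.lower()
    if "\\temp\\" in low:
        out.append(Finding("O20", name, "Winlogon Notify package loaded from a Temp directory", line))
    if "(file missing)" in low:
        out.append(Finding("O20", name, "referenced file is missing: stale entry left behind", line))
    return out


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := HOSTS_RE.match(line):
            findings.extend(check_hosts(m.group(1), m.group(2), line))
        elif m := RUN_RE.match(line):
            findings.extend(check_run(m.group(3), m.group(4), line))
        elif m := NOTIFY_RE.match(line):
            findings.extend(check_notify(m.group(1), m.group(2), line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per HijackThis section."""
    return dict(Counter(f.section for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.subject:<20}{f.reason}")
    print(summarize(triage(SAMPLE_LOG)))
```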

#7 GlitcherX (Topic Starter, New Member, 7 posts)
Most recent HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:44:05 PM, on 7/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Adam\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [libole] C:\WINDOWS\system\libole.exe
O4 - HKLM\..\Run: [*libole] C:\WINDOWS\system\libole.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [*utilsvc] C:\WINDOWS\system32\URTTemp\utilsvc.exe
O4 - HKLM\..\Run: [*faxhard] C:\WINDOWS\system\faxhard.exe
O4 - HKLM\..\Run: [*expweb] C:\WINDOWS\Driver Cache\expweb.exe
O4 - HKLM\..\Run: [*vbtcp] C:\WINDOWS\repair\vbtcp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PNAgent] "C:\Program Files\PhatNoise Media Manager\PNAgent.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [xssg3pi] iomrsrc.exe
O4 - HKLM\..\Run: [AutoLoaderxF3G1dXeWRad] "C:\WINDOWS\system32\iomrsrc.exe"
O4 - HKLM\..\Run: [LimeShop] wjview /cp:p "C:\Program Files\LimeShop\System\Code" Main lp: "C:\Program Files\LimeShop"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [gB3mRfGsh] sel_hp.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [BMUpdate] C:\WINDOWS\system32\BMUpdate.exe
O4 - HKCU\..\RunOnce: [MSDATSVR] C:\WINDOWS\system32\MSDatsvr.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony...ct/VaioInfo.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by10fd.bay10....es/MsnPUpld.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one...ransferCtrl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{49CCE9D0-6F79-47AC-B978-2BE74DADD552}: NameServer = 192.168.0.1
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: cbas - C:\DOCUME~1\Leonard\LOCALS~1\Temp\sabc.dat (file missing)
O20 - Winlogon Notify: cdns - C:\DOCUME~1\Leonard\LOCALS~1\Temp\sndc.dat (file missing)
O20 - Winlogon Notify: crs - C:\DOCUME~1\Leonard\LOCALS~1\Temp\src.dat (file missing)
O20 - Winlogon Notify: ipdisk - C:\DOCUME~1\Leonard\LOCALS~1\Temp\ksidpi.dat (file missing)
O20 - Winlogon Notify: kbtcp - C:\DOCUME~1\Leonard\LOCALS~1\Temp\pctbk.dat (file missing)
O20 - Winlogon Notify: webutil - C:\DOCUME~1\Leonard\LOCALS~1\Temp\litubew.dat (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Most Recent Ewido log -

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:09:24 PM, 7/23/2005
+ Report-Checksum: CFB66DEF

+ Scan result:

C:\Program Files\NavExcel\NavHelper\v2.0.4c\v2.0.4c.cab/NHelper.dll -> Spyware.NavExcel : Error during cleaning
C:\Program Files\NavExcel\NavHelper\v2.0.4c\v2.0.4c.cab/NHUpdater.exe -> Spyware.NavExcel : Error during cleaning


::Report End

Trend Micro Scan results -

Results:
We have detected 3 infected file(s) with 4 virus(es) on your computer. Only 0 out of 0 infected files are displayed.
Detected File Associated Virus Name
C:\Documents and Settings\Adam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-7e0ba18d-6d47012e.zip
- VB.class JAVA_BYTEVER.B
- Dummy.class JAVA_BYTEVER.B
C:\WINDOWS\system32\dllcache\harddb.exe TROJ_VUNDO.A
C:\WINDOWS\Tasks\vbplay.exe TROJ_VUNDO.A

What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your computer. Only 0 out of 0 Trojan horse programs and worms are displayed.

What we checked:
Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.
Results:
We have detected 12 spyware(s) on your computer. Only 0 out of 0 spywares are displayed.
Spyware Name Spyware Type
COOKIE_442 Cookie
ADW_SHOPNAV.D Adware
ADW_BADBITOR.A Adware
ADW_GAMESPY.A Adware
SPYW_GAMEBAR.302 Spyware
SPYW_SOFTOMATE.A Spyware
ADW_WINCOMM.A Adware
ADW_SIDESEARCH.A Adware
ADW_SEARCHREL.E Adware
ADW_BLAZE.B Adware
ADW_WINAD.Q Adware
ADW_APROPOS.O Adware


What we checked:
Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix.
Results:
We have detected 4 vulnerability/vulnerabilities on your computer. Only 0 out of 0 vulnerabilities are displayed.
Risk Level Issue How to Fix
Important This remote code execution vulnerability could allow a malicious user or a malware to take complete control of the affected system if the affected user is currently logged on with administrative privileges. The malicious user or malware can execute code on the system giving them the ability to install or run programs and view or edit data with full privileges. Thus, this vulnerability can conceivably be used by a malware for replication purposes.;The vulnerability is caused by an unchecked buffer in the Microsoft Office WordPerfect Converter. MS04-027
Critical This vulnerability lies in the way the affected components process JPEG image files. An unchecked buffer within this process is the cause of the vulnerability.;This remote code execution vulnerability could allow a malicious user or a malware to take complete control of the affected system if the affected user is currently logged on with administrative privileges. The malicious user or malware can execute arbitrary code on the system giving them the ability to install or run programs and view or edit data with full privileges. Thus, this vulnerability can conceivably be used by a malware for replication purposes. MS04-028
Important This security advisory explains the two discovered vulnerabilities in Microsoft Word for Windows 6.0 Converter, which is used by WordPad in converting Word 6.0 to WordPad file format. Once exploited, this remote code execution vulnerability could allow a malicious user or a malware to take complete control of the affected system if the affected user is currently logged on with administrative privileges. MS04-041
Critical A remote code execution vulnerability exists in MSN Messenger that could allow an attacker who successfully exploited this vulnerable to take complete control of the affected system. MS05-022


I have Trend Micro open at step 4 (recover); please advise. The computer seems to be working a lot better, but I still have one problem. Certain websites, especially financial ones like www.chase.com or www.ingdirect.com, do not open; I just get the "server not found" message. I'm pretty sure it's spyware/virus related, but then again I'm not an expert, and I can see that my computer is still not close to being 100% clean. If you could keep helping me out, that would be great. I really appreciate all your help; this is a great website. Hope to hear from you soon.
I've enclosed an attachment of the warning window I get from my Ad-Aware Pro when Windows starts. LimeShop related. Thanks again.

Attached thumbnail: limeshop.JPG

#8 kool808 (Visiting Staff, 1,690 posts)
Please SAVE THIS PAGE or secure a PRINT COPY of the instructions for reference.
++++++++++++++++++++++++++++++++++++++++++++
Follow these steps to download and run the tool:

1. Download the FixVundo.exe
2. Save the file to a convenient location, such as your Windows desktop.
3. Close all the running programs.
4. If you are on a network or if you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.
5. Locate the file that you just downloaded.
6. Double-click the FixVundo.exe file to start the removal tool.
7. Click Start to begin the process, and then allow the tool to run.

Important: Do not launch any new applications while the tool is running.

8. Restart the computer.
9. Run the removal tool again to ensure that the system is clean.

Please download [ Spybot Search & Destroy 1.4 ].

1. Install Spybot S&D, accepting the Default Settings
2. In the Menu Bar at the top of the Spybot window you will see 'Mode'. Make certain that 'default mode' has a check mark beside it.
3. Close ALL windows except Spybot S&D
4. Click the button to ‘Search for Updates’ then download and install the Updates.
5. Once the update is complete, do NOT run the scans yet.
6. Close Spybot S&D

Reboot in SAFE MODE. (How to boot in Safe Mode...)
++++++++++++++++++++++++++++++++++++++++++++
  • Uninstallation: we need to uninstall the following programs.
  • Go to Control Panel > Add/Remove Programs
  • Please locate the following, if they exist:
    • NavExcel
    • LimeShop
    • LimeWire
  • Click Uninstall
  • Confirm with OK
++++++++++++++++++++++++++++++++++++++++++++
1. Open Spybot, next click the button ‘Check for Problems'
2. When Spybot is complete, it will be showing 'RED' entries, bold 'Black' entries and 'GREEN' entries in the window.
3. Make certain there is a check mark beside all of the RED entries ONLY.
4. Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED entries.

++++++++++++++++++++++++++++++++++++++++++++
Please close all remaining windows, disconnect from the internet, open HijackThis then click SCAN. Please put a check on the following items listed below:

O4 - HKLM\..\Run: [libole] C:\WINDOWS\system\libole.exe
O4 - HKLM\..\Run: [*libole] C:\WINDOWS\system\libole.exe
O4 - HKLM\..\Run: [*utilsvc] C:\WINDOWS\system32\URTTemp\utilsvc.exe
O4 - HKLM\..\Run: [*faxhard] C:\WINDOWS\system\faxhard.exe
O4 - HKLM\..\Run: [*expweb] C:\WINDOWS\Driver Cache\expweb.exe
O4 - HKLM\..\Run: [*vbtcp] C:\WINDOWS\repair\vbtcp.exe
O4 - HKLM\..\Run: [xssg3pi] iomrsrc.exe
O4 - HKLM\..\Run: [LimeShop] wjview /cp:p "C:\Program Files\LimeShop\System\Code" Main lp: "C:\Program Files\LimeShop"
O4 - HKCU\..\Run: [gB3mRfGsh] sel_hp.exe

O20 - Winlogon Notify: cbas - C:\DOCUME~1\Leonard\LOCALS~1\Temp\sabc.dat (file missing)
O20 - Winlogon Notify: cdns - C:\DOCUME~1\Leonard\LOCALS~1\Temp\sndc.dat (file missing)
O20 - Winlogon Notify: crs - C:\DOCUME~1\Leonard\LOCALS~1\Temp\src.dat (file missing)
O20 - Winlogon Notify: ipdisk - C:\DOCUME~1\Leonard\LOCALS~1\Temp\ksidpi.dat (file missing)
O20 - Winlogon Notify: kbtcp - C:\DOCUME~1\Leonard\LOCALS~1\Temp\pctbk.dat (file missing)
O20 - Winlogon Notify: webutil - C:\DOCUME~1\Leonard\LOCALS~1\Temp\litubew.dat (file missing)


Make sure to double check the items you have selected, then click Fix Checked.

++++++++++++++++++++++++++++++++++++++++++++
Be sure to View Hidden and System Files.

Through Windows Explorer, delete the following folder(s) or file(s) if they exist (in bold):
  • C:\Program Files\NavExcel <-- whole folder
  • C:\Program Files\LimeShop <-- whole folder
  • C:\DOCUME~1\Leonard\LOCALS~1\Temp\sabc.dat
  • C:\WINDOWS\system\libole.exe
  • C:\WINDOWS\system32\URTTemp\utilsvc.exe
  • C:\WINDOWS\system\faxhard.exe
  • C:\WINDOWS\Driver Cache\expweb.exe
  • C:\WINDOWS\repair\vbtcp.exe
  • C:\WINDOWS\system32\iomrsrc.exe
  • C:\WINDOWS\system32\sel_hp.exe
Finally, Empty Recycle Bin

++++++++++++++++++++++++++++++++++++++++++++
Reboot back in NORMAL MODE.

Run FixVundo.exe removal tool again.

Have an On-line scan again: Trend Micro

To make sure it is perfectly clean let us have the final check.
  • Close all windows, open HijackThis then SCAN.
  • Post a NEW HijackThis Log.
  • Please tell me how your system is working now.


#9 GlitcherX (Topic Starter, New Member, 7 posts)
OK, so after doing my best to follow your instructions step by step, here's what I got for you. Ad-Aware detects nothing on a full system scan; Ewido detected 75 last time I ran it, but they were all fixed (log included); FixVundo found and destroyed the virus, and since then it hasn't found it again. Spybot Search & Destroy finds nothing. I'm including my most recent HijackThis log, Ewido log and Trend Micro log, all most recent. For some reason, though, I still can't go to www.chase.com. Thanks for the help; I hope you're not sick of me yet, lol.

Hijackthis log -

Logfile of HijackThis v1.99.1
Scan saved at 9:58:47 PM, on 7/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\PhatNoise Media Manager\PNAgent.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Adam\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PNAgent] "C:\Program Files\PhatNoise Media Manager\PNAgent.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony...ct/VaioInfo.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by10fd.bay10....es/MsnPUpld.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one...ransferCtrl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{49CCE9D0-6F79-47AC-B978-2BE74DADD552}: NameServer = 192.168.0.1
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: cbas - C:\DOCUME~1\Leonard\LOCALS~1\Temp\sabc.dat (file missing)
O20 - Winlogon Notify: cdns - C:\DOCUME~1\Leonard\LOCALS~1\Temp\sndc.dat (file missing)
O20 - Winlogon Notify: crs - C:\DOCUME~1\Leonard\LOCALS~1\Temp\src.dat (file missing)
O20 - Winlogon Notify: ipdisk - C:\DOCUME~1\Leonard\LOCALS~1\Temp\ksidpi.dat (file missing)
O20 - Winlogon Notify: kbtcp - C:\DOCUME~1\Leonard\LOCALS~1\Temp\pctbk.dat (file missing)
O20 - Winlogon Notify: webutil - C:\DOCUME~1\Leonard\LOCALS~1\Temp\litubew.dat (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Ewido Log -

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:34:40 PM, 7/25/2005
+ Report-Checksum: 3218A013

+ Scan result:



::Report End

Trend Micro -


Virus Scan 0 virus cleaned, 3 viruses deleted


Results:
We have detected 2 infected file(s) with 3 virus(es) on your computer. Only 0 out of 0 infected files are displayed: - 0 virus(es) passed, 0 virus(es) no action available
- 0 virus(es) cleaned, 0 virus(es) uncleanable
- 3 virus(es) deleted, 0 virus(es) undeletable
- 0 virus(es) not found, 0 virus(es) unaccessible
Detected File Associated Virus Name Action Taken
C:\Documents and Settings\Adam\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-7e0ba18d-6d47012e.zip
- VB.class JAVA_BYTEVER.B Deletion successful
- Dummy.class JAVA_BYTEVER.B Deletion successful
C:\WINDOWS\Tasks\vbplay.exe TROJ_VUNDO.A Deletion successful




Trojan/Worm Check 0 worm/Trojan horse deleted

What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your computer. Only 0 out of 0 Trojan horse programs and worms are displayed: - 0 worm(s)/Trojan(s) passed, 0 worm(s)/Trojan(s) no action available
- 0 Worm(s)/Trojan(s) deleted, 0 worm(s)/Trojan(s) undeletable
Trojan/Worm Name Trojan/Worm Type Action Taken




Spyware Check 0 spyware program removed

What we checked:
Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.
Results:
We have detected 0 spyware(s) on your computer. Only 0 out of 0 spywares are displayed: - 0 spyware(s) passed, 0 spyware(s) no action available
- 0 spyware(s) removed, 0 spyware(s) unremovable
Spyware Name Spyware Type Action Taken




Microsoft Vulnerability Check No vulnerability detected

What we checked:
Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix.
Results:
We have detected 0 vulnerability/vulnerabilities on your computer. Only 0 out of 0 vulnerabilities are displayed.
Risk Level Issue How to Fix
#10
kool808 (Visiting Staff, Member, 1,690 posts)

Don't worry my friend, I am happy to help you. We love the jobs you hate! :tazz:

Please read this post completely; it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

This will likely be a few step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

First we will need to download a few tools that will help us in the removal of your problem.

Please read the instructions for About:Buster, then download it to a safe location where you can easily remember it.
Please download the stand-alone version of CoolWebShredder.
Download CleanUp!.

Save all of these files somewhere you will remember like to the Desktop.

Run the CleanUp! installer. You don't need to do anything with it right now. Do NOT run it yet.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Reboot in SAFE MODE. (How to boot in Safe Mode...)
================================================
Please close all remaining windows, disconnect from the internet, open HijackThis then click SCAN. Please put a check on the following items listed below:

O20 - Winlogon Notify: cbas - C:\DOCUME~1\Leonard\LOCALS~1\Temp\sabc.dat (file missing)
O20 - Winlogon Notify: cdns - C:\DOCUME~1\Leonard\LOCALS~1\Temp\sndc.dat (file missing)
O20 - Winlogon Notify: crs - C:\DOCUME~1\Leonard\LOCALS~1\Temp\src.dat (file missing)
O20 - Winlogon Notify: ipdisk - C:\DOCUME~1\Leonard\LOCALS~1\Temp\ksidpi.dat (file missing)
O20 - Winlogon Notify: kbtcp - C:\DOCUME~1\Leonard\LOCALS~1\Temp\pctbk.dat (file missing)
O20 - Winlogon Notify: webutil - C:\DOCUME~1\Leonard\LOCALS~1\Temp\litubew.dat (file missing)

Make sure to double check the items you have selected, then click Fix Checked.
================================================

Please run about:buster by RubbeRDuckY:
  • Click Begin Removal.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again

In the event you got an error message on about:buster, then do this:

Start > Run, then paste this in the dialog box:

regsvr32 C:\Windows\System32\COMCTL32.OCX

Run about:buster again following the same instructions as above, this time without the restart at the end.

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files. Reboot your computer into normal Windows.

Please run an on-line virus scan at Kaspersky Online Scan or, if that doesn't work, you can have an on-line scan at these sites:
Trend Micro or Panda Scan or BitDefender.
(Please post the results of the scan(s) in your next reply.)

After all that, please post back with how things went, as well as the logs requested and a new HijackThis log.

Good Luck!
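As an added triage example (not part of the thread and not HijackThis code), a small Python parser for O20 Winlogon Notify lines like the six kool808 asked to be fixed: it flags an entry whose target is reported missing, lives in a Temp directory, or is not a DLL, and also the pattern visible in those six lines where the subkey name is the file stem spelled backwards. The sample log is constructed from two of the thread's lines plus a hypothetical benign sclgntfy entry and one unrelated O4 line.

```python
# Added example (not from the thread): triage HijackThis O20 lines. Winlogon
# Notify packages live under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
# \Winlogon\Notify and are normally DLLs in system32, not .dat files in Temp.
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?\s*$"
)

@dataclass
class NotifyEntry:
    name: str
    path: str
    reasons: list = field(default_factory=list)  # empty means nothing odd

def triage_line(line: str):
    """Parse one HJT line; return a NotifyEntry for O20 lines, else None."""
    m = O20_RE.match(line.strip())
    if not m:
        return None
    e = NotifyEntry(m["name"], m["path"])
    p = PureWindowsPath(e.path)
    if m["missing"]:
        e.reasons.append("target file missing")
    if "temp" in (part.lower() for part in p.parts):
        e.reasons.append("loaded from a Temp directory")
    if p.suffix.lower() != ".dll":
        e.reasons.append(f"not a DLL ({p.suffix or 'no extension'})")
    # Pattern visible in the thread's own lines: the subkey name is the file
    # stem spelled backwards (cbas <-> sabc.dat, crs <-> src.dat).
    if p.stem.lower() == e.name.lower()[::-1]:
        e.reasons.append("subkey name is the reversed file stem")
    return e

def triage_log(text: str):
    """Return only the O20 entries that collected at least one reason."""
    parsed = (triage_line(line) for line in text.splitlines())
    return [e for e in parsed if e is not None and e.reasons]

# Constructed sample: two lines quoted in the thread, a hypothetical benign
# entry (sclgntfy is a stock XP notify package) and an unrelated O4 line.
SAMPLE_LOG = r"""
O20 - Winlogon Notify: cbas - C:\DOCUME~1\Leonard\LOCALS~1\Temp\sabc.dat (file missing)
O20 - Winlogon Notify: crs - C:\DOCUME~1\Leonard\LOCALS~1\Temp\src.dat (file missing)
O20 - Winlogon Notify: sclgntfy - C:\WINDOWS\system32\sclgntfy.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""
```

Calling `triage_log(SAMPLE_LOG)` returns only the cbas and crs entries, each with the reasons that made it stand out; the stock DLL entry collects none.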
#11
kool808 (Visiting Staff, Member, 1,690 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.