Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Not sure how to proceed [resolved] [RESOLVED]

Started by chessman , Aug 01 2005 08:08 AM

  • This topic is locked This topic is locked

#1
chessman
Posted 01 August 2005 - 08:08 AM

chessman

    New Member

  • Member
  • Pip
  • 7 posts
I have run the programs recommended on the You Must Read This Before Posting a Hijack Log. Browsers and other programs still periodically lose focus as instances of Internet Explorer launch themselves in the background and either produce an ad or an error message.

Logfile of HijackThis v1.99.1
Scan saved at 9:54:33 AM, on 8/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\sdiosvc.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\CePMTray.exe
C:\Program Files\TOSHIBA\TouchPadNF\TPTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Video Enhanced\MSNVE.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Gearbox Connection Kit\bin\gbConMon.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\Program Files\Gearbox Connection Kit\bin\gbTask.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\CMAPP\Client\cmappclient.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\AOL 8.0\aoltray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://127.0.0.1:8080
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcpack.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - C:\WINDOWS\System32\rxyrsbjh.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\WINDOWS\System32\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPadNF\TPTray.exe
O4 - HKLM\..\Run: [CeEKey.exe] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [_Cat4] C:\WINDOWS\msmsgr2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\BONESJ~1\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [vnktdll] C:\WINDOWS\vnktdll.EXE
O4 - HKLM\..\Run: [yqehenc] C:\WINDOWS\yqehenc.EXE
O4 - HKLM\..\Run: [MSN Video Enhanced] "C:\Program Files\MSN Video Enhanced\MSNVE.exe"
O4 - HKLM\..\Run: [lanbrup] C:\WINDOWS\System32\lanbrup.exe
O4 - HKLM\..\Run: [386nk04c] C:\WINDOWS\System32\386nk04c.exe
O4 - HKLM\..\Run: [qdtfbjy] c:\windows\system32\zkeapkh.exe r
O4 - HKLM\..\Run: [venbdll] C:\WINDOWS\venbdll.exe
O4 - HKLM\..\Run: [venbenc] C:\WINDOWS\venbenc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [dayndll] C:\WINDOWS\dayndll.exe
O4 - HKLM\..\Run: [daynenc] C:\WINDOWS\daynenc.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [uscadll] C:\WINDOWS\uscadll.exe
O4 - HKLM\..\Run: [uscaenc] C:\WINDOWS\uscaenc.exe
O4 - HKLM\..\Run: [skxedll] C:\WINDOWS\skxedll.exe
O4 - HKLM\..\Run: [skxeenc] C:\WINDOWS\skxeenc.exe
O4 - HKLM\..\RunServices: [Gearbox Deferal Check] C:\Program Files\Gearbox Connection Kit\bin\gbdefer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [System] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: AOL Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117038304808
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O20 - Winlogon Notify: drct16 - drct16.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\sdiosvc.exe

Edited by coachwife6, 18 August 2005 - 05:02 AM.

  • 0

Advertisements

#2
Rawe
Posted 01 August 2005 - 08:15 AM

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Hello and welcome. You have some really impressive collection there, so this will definately be few stepped process - don't expect to get your log clean in a second.

Let's get to your Coolwebsearch infection first;

Please print these instructions out, or write them down, as you can't read them during the fix.

You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download SpSeHjfix Here.
Download and install CleanUp! Here

Save all of these files somewhere you will remember like to the Desktop.

Unzip SpSeHjfix to its own folder (ie c:\SpSeHjfix)

Run the CleanUp! installer. You dont need to do anything with it right now.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Now run CleanUp! Click CleanUp and allow it to delete all the temporary files. REBOOT!!

Please run an free online anti-virus scan; Kaspersky or if that doesnt work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.

- Rawe :tazz:
  • 0

#3
chessman
Posted 01 August 2005 - 10:54 AM

chessman

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
A few surprises cropped up when I went through the procedure outlined above. To begine with, when I tried to open the summary reports, the operating system informed me that notepad.exe was missing from the root of C:\ which isn't where it was in the first place so I redirected the shortcut to C:\WINDOWS\ . As well, I need to boot up Internet Explorer in order to do an on-line scan from Trend Micro but Internet Explorer refused to initiate, at least until I exited all instances of Mozilla Firefox.

Log files:
About:Buster

AboutBuster 5.0 reference file 31
Scan started on [8/1/2005] at [10:36:27 AM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 10:37:00 AM


AboutBuster 5.0 reference file 31
Scan started on [8/1/2005] at [10:53:12 AM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 10:53:45 AM


AboutBuster 5.0 reference file 31
Scan started on [8/1/2005] at [10:57:08 AM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 10:57:44 AM

TREND MICRO - Antispyware

--------------------------------- Anti-Spyware session started ---------------------------------
Machine=BONES
Time=Mon Aug 01 09:11:14 2005
Product Version=3, 0, 1, 22
OS Version=Microsoft Windows XP Home Edition Service Pack 1 (Build 2600)

Started Scanning
Programs in Memory
Finished Scanning
IE Plugins: Found '{619D4638-8445-4420-AA07-C0B2C7DA6E3B}' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
Program Startup Areas: Found 'skxedll' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Found 'skxeenc' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Found 'sp' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Started Scanning
Internet Cookies
CoolWebSearch Variants (CWShredder)
CoolWebSearch Variants (CWShredder): Found 'CWS.HiddenDll' in ''
Programs in Memory
Windows Registry
Windows Registry: Found 'Search Bar' in 'SOFTWARE\Microsoft\Internet Explorer\Main'
Windows Registry: Found 'Search Bar' in 'S-1-5-21-1292428093-1580436667-854245398-1004\Software\Microsoft\Internet Explorer\Main'
Windows Registry: Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchAssistant Uninstall'
Windows Registry: Found '' in 'SOFTWARE\Classes\PROTOCOLS\Filter\text/html'
Windows Registry: Found '' in 'SOFTWARE\Classes\PROTOCOLS\Filter\text/plain'
Windows Registry: Found 'HOMEOldSP' in 'SOFTWARE\Microsoft\Internet Explorer\Main'
Windows Registry: Found 'sp' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Windows Registry: Found 'HOMEOldSP' in 'S-1-5-21-1292428093-1580436667-854245398-1004\Software\Microsoft\Internet Explorer\Main'
Windows Registry: Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT'
Windows Registry: Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000'
Windows Registry: Found 'CLSID' in 'SOFTWARE\Classes\PROTOCOLS\Filter\text/html'
Windows Registry: Found 'Class' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000'
Windows Registry: Found 'ClassGUID' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000'
Windows Registry: Found 'ConfigFlags' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000'
Windows Registry: Found 'DeviceDesc' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000'
Windows Registry: Found 'Legacy' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000'
Windows Registry: Found 'NextInstance' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT'
Windows Registry: Found 'Service' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000'
Windows Registry: Found 'CLSID' in 'SOFTWARE\Classes\PROTOCOLS\Filter\text/plain'
Windows Registry: Found 'Search Bar' in 'SOFTWARE\Microsoft\Internet Explorer\Main'
Windows Registry: Found 'Search Bar' in 'S-1-5-21-1292428093-1580436667-854245398-1004\Software\Microsoft\Internet Explorer\Main'
Windows Registry: Found 'Search Bar' in 'SOFTWARE\Microsoft\Internet Explorer\Main'
Windows Registry: Found 'Search Bar' in 'S-1-5-21-1292428093-1580436667-854245398-1004\Software\Microsoft\Internet Explorer\Main'
Windows Registry: Found '' in 'PROTOCOLS\Filter\text/html'
Windows Registry: Found '' in 'PROTOCOLS\Filter\text/plain'
Windows Registry: Found 'sp' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Internet URL Shortcuts
Files and Directories
Finished Scanning
Started Backup
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT for export/import. Error=5.
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000 for export/import. Error=5.
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000 for export/import. Error=5.
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000 for export/import. Error=5.
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000 for export/import. Error=5.
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000 for export/import. Error=5.
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000 for export/import. Error=5.
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT for export/import. Error=5.
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000 for export/import. Error=5.
Finished Backup
Started Cleaning
CoolWebSearch Variants (CWShredder): Cleaned 'CWS.HiddenDll' in ''
Windows Registry: Cleaned 'Search Bar' in 'SOFTWARE\Microsoft\Internet Explorer\Main'
Windows Registry: Cleaned 'Search Bar' in 'S-1-5-21-1292428093-1580436667-854245398-1004\Software\Microsoft\Internet Explorer\Main'
Windows Registry: Cleaned '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchAssistant Uninstall'
Windows Registry: Cleaned '' in 'SOFTWARE\Classes\PROTOCOLS\Filter\text/html'
Windows Registry: Cleaned '' in 'SOFTWARE\Classes\PROTOCOLS\Filter\text/plain'
Windows Registry: Cleaned 'HOMEOldSP' in 'SOFTWARE\Microsoft\Internet Explorer\Main'
Windows Registry: Cleaned 'sp' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Windows Registry: Cleaned 'HOMEOldSP' in 'S-1-5-21-1292428093-1580436667-854245398-1004\Software\Microsoft\Internet Explorer\Main'
WARNING: Unable to remove registry keys under 'HKLM\'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT'. Error=5.
WARNING: Unable to remove registry keys under 'HKLM\'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000'. Error=5.
Windows Registry: Cleaned 'Search Bar' in 'SOFTWARE\Microsoft\Internet Explorer\Main'
Windows Registry: Cleaned 'Search Bar' in 'S-1-5-21-1292428093-1580436667-854245398-1004\Software\Microsoft\Internet Explorer\Main'
Windows Registry: Cleaned 'Search Bar' in 'SOFTWARE\Microsoft\Internet Explorer\Main'
Windows Registry: Cleaned 'Search Bar' in 'S-1-5-21-1292428093-1580436667-854245398-1004\Software\Microsoft\Internet Explorer\Main'
Windows Registry: Cleaned '' in 'PROTOCOLS\Filter\text/html'
Windows Registry: Cleaned '' in 'PROTOCOLS\Filter\text/plain'
Unable to delete registry value 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sp'. Error=2.
Finished Cleaning
--------------------------------- Anti-Spyware session started ---------------------------------
Machine=BONES
Time=Mon Aug 01 09:22:54 2005
Product Version=3, 0, 1, 22
OS Version=Microsoft Windows XP Home Edition Service Pack 1 (Build 2600)

--------------------------------- Anti-Spyware session started ---------------------------------
Machine=BONES
Time=Mon Aug 01 09:22:54 2005
Product Version=3, 0, 1, 22
OS Version=Microsoft Windows XP Home Edition Service Pack 1 (Build 2600)

Started Scanning
Programs in Memory
Finished Scanning
Web Browser Security Settings: Found 'Search Bar' in 'SOFTWARE\Microsoft\Internet Explorer\Main'
Web Browser Security Settings: Found 'Search Bar' in 'SOFTWARE\Microsoft\Internet Explorer\Main'
Program Startup Areas: Found 'ivfedll' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Found 'ivfeenc' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Started Backup
Finished Backup
Started Cleaning
Program Startup Areas: Cleaned 'ivfedll' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Cleaned 'ivfeenc' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Finished Cleaning
--------------------------------- Anti-Spyware session started ---------------------------------
Machine=BONES
Time=Mon Aug 01 11:07:00 2005
Product Version=3, 0, 1, 22
OS Version=Microsoft Windows XP Home Edition Service Pack 1 (Build 2600)

Started Scanning
Programs in Memory
Finished Scanning
Program Startup Areas: Cleaned 'ivfedll' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Program Startup Areas: Cleaned 'ivfeenc' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
--------------------------------- Anti-Spyware session started ---------------------------------
Machine=BONES
Time=Mon Aug 01 11:33:08 2005
Product Version=3, 0, 1, 22
OS Version=Microsoft Windows XP Home Edition Service Pack 1 (Build 2600)

Started Scanning
Internet Cookies
CoolWebSearch Variants (CWShredder)
Programs in Memory
Windows Registry
Windows Registry: Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT'
Windows Registry: Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000'
Windows Registry: Found 'Class' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000'
Windows Registry: Found 'ClassGUID' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000'
Windows Registry: Found 'ConfigFlags' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000'
Windows Registry: Found 'DeviceDesc' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000'
Windows Registry: Found 'Legacy' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000'
Windows Registry: Found 'NextInstance' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT'
Windows Registry: Found 'Service' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000'
Internet URL Shortcuts
Files and Directories
Finished Scanning
Started Backup
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT for export/import. Error=5.
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000 for export/import. Error=5.
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000 for export/import. Error=5.
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000 for export/import. Error=5.
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000 for export/import. Error=5.
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000 for export/import. Error=5.
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000 for export/import. Error=5.
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT for export/import. Error=5.
Unable to access the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000 for export/import. Error=5.
Finished Backup
Started Cleaning
WARNING: Unable to remove registry keys under 'HKLM\'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT'. Error=5.
WARNING: Unable to remove registry keys under 'HKLM\'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000'. Error=5.
Finished Cleaning


SPSeHjFix log results

(8/1/05 10:59:43 AM) SPSeHjFix started v1.1.2
(8/1/05 10:59:43 AM) OS: WinXP Service Pack 1 (5.1.2600)
(8/1/05 10:59:43 AM) Language: english
(8/1/05 10:59:43 AM) Win-Path: C:\WINDOWS
(8/1/05 10:59:43 AM) System-Path: C:\WINDOWS\System32
(8/1/05 10:59:43 AM) Temp-Path: C:\DOCUME~1\BONESJ~1\LOCALS~1\Temp\
(8/1/05 10:59:57 AM) Disinfection started
(8/1/05 10:59:57 AM) Bad-Dll(IEP): (not found)
(8/1/05 10:59:57 AM) Bad-Dll(IEP) in BHO: (not found)
(8/1/05 10:59:58 AM) UBF: 7 - UBB: 5 - UBR: 46
(8/1/05 10:59:58 AM) UBF: 7 - UBB: 5 - UBR: 46
(8/1/05 10:59:58 AM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(8/1/05 10:59:58 AM) Stealth-String not found
(8/1/05 10:59:58 AM) Not infected->END

HiJackThis log results:

Logfile of HijackThis v1.99.1
Scan saved at 12:32:35 PM, on 8/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\CePMTray.exe
C:\Program Files\TOSHIBA\TouchPadNF\TPTray.exe
C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\MSN Video Enhanced\MSNVE.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\sdiosvc.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Gearbox Connection Kit\bin\gbConMon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\CMAPP\Client\cmappclient.exe
C:\Program Files\Gearbox Connection Kit\bin\gbTask.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\AOL 8.0\aoltray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://127.0.0.1:8080
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcpack.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - C:\WINDOWS\System32\rxyrsbjh.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\WINDOWS\System32\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPadNF\TPTray.exe
O4 - HKLM\..\Run: [CeEKey.exe] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [_Cat4] C:\WINDOWS\msmsgr2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\BONESJ~1\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [vnktdll] C:\WINDOWS\vnktdll.EXE
O4 - HKLM\..\Run: [yqehenc] C:\WINDOWS\yqehenc.EXE
O4 - HKLM\..\Run: [MSN Video Enhanced] "C:\Program Files\MSN Video Enhanced\MSNVE.exe"
O4 - HKLM\..\Run: [lanbrup] C:\WINDOWS\System32\lanbrup.exe
O4 - HKLM\..\Run: [386nk04c] C:\WINDOWS\System32\386nk04c.exe
O4 - HKLM\..\Run: [qdtfbjy] c:\windows\system32\zkeapkh.exe r
O4 - HKLM\..\Run: [venbdll] C:\WINDOWS\venbdll.exe
O4 - HKLM\..\Run: [venbenc] C:\WINDOWS\venbenc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [dayndll] C:\WINDOWS\dayndll.exe
O4 - HKLM\..\Run: [daynenc] C:\WINDOWS\daynenc.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [uscadll] C:\WINDOWS\uscadll.exe
O4 - HKLM\..\Run: [uscaenc] C:\WINDOWS\uscaenc.exe
O4 - HKLM\..\Run: [skxedll] C:\WINDOWS\skxedll.exe
O4 - HKLM\..\Run: [skxeenc] C:\WINDOWS\skxeenc.exe
O4 - HKLM\..\RunServices: [Gearbox Deferal Check] C:\Program Files\Gearbox Connection Kit\bin\gbdefer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [System] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: AOL Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117038304808
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O20 - Winlogon Notify: drct16 - drct16.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\sdiosvc.exe
  • 0

#4
Rawe
Posted 01 August 2005 - 11:11 AM

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Ok, looking a little better. We will go this step by step.. I don't want to put massive instructions.

Please print these instructions out, or write them down, as you can't read them during the fix.

Uninstall any of the following programs you have from this list. (Except CleanUp!)
Go to Add/Remove programs and uninstall Ad-aware and Ewido Security Suite completely unless you have the latest version. Go to C:\Program Files\Lavasoft (And delete if present) then go to the location you have Ewido installed at and delete the folder. Empty recycle bin.

Download
CleanUp

Run the CleanUp! installer and get the program ready to be used but don't run it yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Once in Safe Mode..

Run an Full Scan with Ewido Security Suite and let ít remove anything it finds.

When the scan is finished, click the Save report button at the bottom of the screen.
Save the report to your desktop.
Close Ewido.

Launch Ad-aware SE. Do a Full System Scan and let it remove anything it finds.

Now run CleanUp!
making sure to reboot when prompted.

Boot up into normal mode and run this online scan for me;
Panda Activescan Let it fix anything it can, and post the log to your next reply.

Post your Ewido & Panda log's here along with a fresh HiJackThis log.

- Rawe :tazz:
  • 0

#5
chessman
Posted 01 August 2005 - 01:44 PM

chessman

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
EWIDO log file:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:22:26 PM, 8/1/2005
+ Report-Checksum: CCD27D19

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{38D4D5D0-423E-4220-B6F9-30918C2AE4A4} -> Spyware.BetterInternet : Cleaned with backup
:mozilla.16:C:\Documents and Settings\bonesjones\Application Data\Mozilla\Firefox\Profiles\s8c0ohxs.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\bonesjones\Cookies\bonesjones@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\WINDOWS\ivfeenc.exe -> TrojanDownloader.VB.hj : Cleaned with backup
C:\WINDOWS\system32\hz.sys -> Backdoor.Haxdoor : Cleaned with backup
C:\WINDOWS\system32\mszx23.exe -> Backdoor.Haxdoor.cn : Cleaned with backup
C:\WINDOWS\system32\vdmt16.sys -> Backdoor.Haxdoor : Cleaned with backup
C:\WINDOWS\system32\winlow.sys -> Backdoor.Haxdoor.cg : Cleaned with backup
C:\WINDOWS\system32\wz.sys -> Backdoor.Haxdoor.cg : Cleaned with backup


::Report End


Panda Activescan log file:


Incident Status Location

Adware:Adware/ConsumerAlertSystemNo disinfected C:\Program Files\CMAPP\Client\cmappmf.dll
Virus:W32/Smitfraud.A Disinfected C:\WINDOWS\$NtUninstallKB834707-IE6SP1-20040929.091901$\wininet.dll
Virus:Trj/Dropper.KR Disinfected C:\WINDOWS\sdiosvc.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\system32\cilzgqs.exe
Virus:Bck/Haxdoor.AW Disinfected C:\WINDOWS\system32\cz.dll.tcf
Adware:Adware/SearchExe No disinfected C:\WINDOWS\system32\fbng.dll
Virus:Trj/Mitglieder.DF Disinfected C:\WINDOWS\system32\real32_.exe


Hijackthis log file:

Logfile of HijackThis v1.99.1
Scan saved at 3:33:19 PM, on 8/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\CePMTray.exe
C:\Program Files\TOSHIBA\TouchPadNF\TPTray.exe
C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Video Enhanced\MSNVE.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Gearbox Connection Kit\bin\gbConMon.exe
C:\Program Files\CMAPP\Client\cmappclient.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\AOL 8.0\aoltray.exe
C:\Program Files\Gearbox Connection Kit\bin\gbTask.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://127.0.0.1:8080
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcpack.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - C:\WINDOWS\System32\rxyrsbjh.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\WINDOWS\System32\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPadNF\TPTray.exe
O4 - HKLM\..\Run: [CeEKey.exe] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [_Cat4] C:\WINDOWS\msmsgr2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\BONESJ~1\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [vnktdll] C:\WINDOWS\vnktdll.EXE
O4 - HKLM\..\Run: [yqehenc] C:\WINDOWS\yqehenc.EXE
O4 - HKLM\..\Run: [MSN Video Enhanced] "C:\Program Files\MSN Video Enhanced\MSNVE.exe"
O4 - HKLM\..\Run: [lanbrup] C:\WINDOWS\System32\lanbrup.exe
O4 - HKLM\..\Run: [386nk04c] C:\WINDOWS\System32\386nk04c.exe
O4 - HKLM\..\Run: [qdtfbjy] c:\windows\system32\zkeapkh.exe r
O4 - HKLM\..\Run: [venbdll] C:\WINDOWS\venbdll.exe
O4 - HKLM\..\Run: [venbenc] C:\WINDOWS\venbenc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [dayndll] C:\WINDOWS\dayndll.exe
O4 - HKLM\..\Run: [daynenc] C:\WINDOWS\daynenc.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [uscadll] C:\WINDOWS\uscadll.exe
O4 - HKLM\..\Run: [uscaenc] C:\WINDOWS\uscaenc.exe
O4 - HKLM\..\Run: [skxedll] C:\WINDOWS\skxedll.exe
O4 - HKLM\..\Run: [skxeenc] C:\WINDOWS\skxeenc.exe
O4 - HKLM\..\RunServices: [Gearbox Deferal Check] C:\Program Files\Gearbox Connection Kit\bin\gbdefer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [System] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: AOL Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117038304808
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\sdiosvc.exe (file missing)


BTW: I found out why Internet Explorer wasn't booting. Its homepage setting had been changed to that of a site on its banned list.
  • 0

#6
Rawe
Posted 02 August 2005 - 04:39 AM

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Very possible.. You have badly infected machine but we'll get this fixed up.

Please print these instructions out, or write them down, as you can't read them during the fix.

Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files - option.

Download CleanUp!

Run the CleanUp! installer and get the program ready to be used but don't run it yet.

Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop.

Now do this;

Click Start => Run => and type in;

services.msc

Click "OK".

In the services window find service; Windows VisFx Components


Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then "Ok". Exit the Services utility.
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on "Delete File on Reboot"
  • Navigate to this file - C:\WINDOWS\system32\fbng.dll
  • Double click on that file.
  • HJT asks you if you want to reboot, now. Click "no".
  • Do that for the following files also. When you get to the last one, click "yes" when HJT asks you to reboot.
C:\WINDOWS\system32\cilzgqs.exe
C:\WINDOWS\sdiosvc.exe
C:\WINDOWS\system32\real32_.exe
C:\WINDOWS\sdiosvc.exe

Next, please reboot your computer in Safe Mode by doing the following;

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Run a scan in HiJackThis and check the following objects for removal;

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcpack.exe
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll (file missing)
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - C:\WINDOWS\System32\rxyrsbjh.dll
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [_Cat4] C:\WINDOWS\msmsgr2.exe
O4 - HKLM\..\Run: [vnktdll] C:\WINDOWS\vnktdll.EXE
O4 - HKLM\..\Run: [yqehenc] C:\WINDOWS\yqehenc.EXE
O4 - HKLM\..\Run: [lanbrup] C:\WINDOWS\System32\lanbrup.exe
O4 - HKLM\..\Run: [386nk04c] C:\WINDOWS\System32\386nk04c.exe
O4 - HKLM\..\Run: [qdtfbjy] c:\windows\system32\zkeapkh.exe r {Has likely changed names - find an similar 04 entry which will always in in a single letter r}
O4 - HKLM\..\Run: [venbdll] C:\WINDOWS\venbdll.exe
O4 - HKLM\..\Run: [venbenc] C:\WINDOWS\venbenc.exe
O4 - HKLM\..\Run: [dayndll] C:\WINDOWS\dayndll.exe
O4 - HKLM\..\Run: [daynenc] C:\WINDOWS\daynenc.exe
O4 - HKLM\..\Run: [uscadll] C:\WINDOWS\uscadll.exe
O4 - HKLM\..\Run: [uscaenc] C:\WINDOWS\uscaenc.exe
O4 - HKLM\..\Run: [skxedll] C:\WINDOWS\skxedll.exe
O4 - HKLM\..\Run: [skxeenc] C:\WINDOWS\skxeenc.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [System] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\sdiosvc.exe (file missing)

Make sure they are checked (Also close ANY other open windows and/or open browsers). Hit "Fix Checked".

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Using Windows Explorer, locate the following files and delete if present;

C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\386nk04c.exe
C:\WINDOWS\venbdll.exe
C:\WINDOWS\venbenc.exe
C:\WINDOWS\dayndll.exe
C:\WINDOWS\daynenc.exe
C:\WINDOWS\uscadll.exe
C:\WINDOWS\uscaenc.exe
C:\WINDOWS\skxedll.exe
C:\WINDOWS\skxeenc.exe
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\msmsgr2.exe
C:\WINDOWS\vnktdll.EXE
C:\WINDOWS\yqehenc.EXE
C:\WINDOWS\System32\lanbrup.exe
c:\windows\system32\zkeapkh.exe (Or whatever the name has changed to after the reboot.)
C:\WINDOWS\System32\386nk04c.exe
teekids.exe <= Locate using Windows Search function
C:\WINDOWS\svchost.exe
mservice.exe <= Locate using Windows Search function
iau.exe <= Locate using Windows Search function
stisvsq.exe <= Locate using Windows Search function
svshost.exe <= Locate using Windows Search function
msqdevl.exe <= Locate using Windows Search function
C:\WINDOWS\System32\rxyrsbjh.dll
C:\WINDOWS\AuroraHandler.dll
C:\WINDOWS\System32\svcpack.exe
mslaugh.exe <= Locate using Windows Search function

They has to be exactly in those places.. And they must be EXACTLY named like that. For EXAMPLE; Svchost.exe in System32 folder is legit, so do not delete it. Svchost.exe in C:\Windows - directory (not in System32 folder) is bad, delete it. If you're unsure of any of the files, PLEASE ask before proceeding the fix.

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Run CleanUp!
and reboot. Boot up into normal mode.

Run Panda ActiveScan again and post the results. Run a new scan with HiJackThis and post the results..

- Rawe :tazz:
  • 0

#7
chessman
Posted 02 August 2005 - 10:46 AM

chessman

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Panda Activescan report:

Incident Status Location

Adware:adware/pacimedia No disinfected C:\Documents and Settings\bonesjones\Favorites\1111\1111.url
Adware:Adware/ConsumerAlertSystemNo disinfected C:\Program Files\CMAPP\Client\cmappmf.dll
Adware:adware/isearch No disinfected C:\WINDOWS\deskbar.ini
Adware:adware/aurora No disinfected C:\WINDOWS\svcproc.exe
Dialer:dialer.xc No disinfected C:\WINDOWS\system32\paydial.exe

Logfile of HijackThis v1.99.1
Scan saved at 12:38:54 PM, on 8/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\CePMTray.exe
C:\Program Files\TOSHIBA\TouchPadNF\TPTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Video Enhanced\MSNVE.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Gearbox Connection Kit\bin\gbConMon.exe
C:\Program Files\Gearbox Connection Kit\bin\gbTask.exe
C:\Program Files\CMAPP\Client\cmappclient.exe
C:\Program Files\AOL 8.0\aoltray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://127.0.0.1:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\WINDOWS\System32\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPadNF\TPTray.exe
O4 - HKLM\..\Run: [CeEKey.exe] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\BONESJ~1\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [MSN Video Enhanced] "C:\Program Files\MSN Video Enhanced\MSNVE.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\RunServices: [Gearbox Deferal Check] C:\Program Files\Gearbox Connection Kit\bin\gbdefer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: AOL Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://www.pandasoftware.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117038304808
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#8
Rawe
Posted 02 August 2005 - 10:57 AM

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Hi again! Looks MUCH better now ;)
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on "Delete File on Reboot"
  • Navigate to this file - C:\WINDOWS\svcproc.exe
  • Double click on that file.
  • HJT asks you if you want to reboot, now. Click "no".
  • Do that for the following files also. When you get to the last one, click "yes" when HJT asks you to reboot.
C:\Program Files\CMAPP\Client\cmappmf.dll
C:\WINDOWS\system32\paydial.exe

Please reboot into Safe Mode;
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Run a scan with HiJackThis and check the following objects for removal if present;

O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\BONESJ~1\LOCALS~1\Temp\sysnet.exe
O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe

Make sure that they are checked (and make sure that only HijackThis is running) then hit "Fix Checked".


Locate the following files with Windows Explorer and delete if present;

C:\Documents and Settings\bonesjones\Favorites\1111\1111.url
C:\DOCUME~1\BONESJ~1\LOCALS~1\Temp\sysnet.exe
stisvsq.exe <= Locate using Windows Search- function

Run CleanUp!
making sure to reboot. Boot up into Safe Mode.

Do the following;

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Double-click the file to install it as follows:
    • Click "Next", read the agreement, Click "Next"
    • Choose "Custom" click "Next".
    • Leave the default installation directoy as it is, then click "Next".
    • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
    • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
    Disable SpySweeper Shields
    • Click Shields on the left.
    • Click Internet Explorer and uncheck all items.
    • Click Windows System and uncheck all items.
    • Click Startup Programs and uncheck all items.
  • Once the definitions are installed and shields disabled, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Post the SpySweeper session log here along with a fresh HiJackThis log.

- Rawe :tazz:
  • 0

#9
chessman
Posted 02 August 2005 - 12:22 PM

chessman

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hello again. :tazz:

SpySweeper Session log:

********
2:02 PM: |··· Start of Session, Tuesday, August 02, 2005 ···|
2:02 PM: Spy Sweeper started
2:02 PM: Sweep initiated using definitions version 508
2:02 PM: Starting Memory Sweep
2:05 PM: Memory Sweep Complete, Elapsed Time: 00:03:29
2:05 PM: Starting Registry Sweep
2:06 PM: Found Adware: cas
2:06 PM: HKU\S-1-5-21-1292428093-1580436667-854245398-1004\software\cmapp\ (2 subtraces) (ID = 381792)
2:06 PM: Registry Sweep Complete, Elapsed Time:00:00:16
2:06 PM: Starting Cookie Sweep
2:06 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
2:06 PM: Starting File Sweep
2:06 PM: Warning: Failed to read file "c:\documents and settings\bonesjones\local settings\temp\perflib_perfdata_a68.dat". System Error. Code: 32.
The process cannot access the file because it is being used by another process
2:08 PM: File Sweep Complete, Elapsed Time: 00:02:33
2:08 PM: Full Sweep has completed. Elapsed time 00:06:25
2:08 PM: Traces Found: 3
2:08 PM: Removal process initiated
2:09 PM: Quarantining All Traces: cas
2:09 PM: Removal process completed. Elapsed time 00:00:10
********
1:45 PM: |··· Start of Session, Tuesday, August 02, 2005 ···|
1:45 PM: Spy Sweeper started
1:45 PM: Sweep initiated using definitions version 508
1:45 PM: Starting Memory Sweep
1:49 PM: Memory Sweep Complete, Elapsed Time: 00:03:24
1:49 PM: Starting Registry Sweep
1:49 PM: Found Adware: begin2search
1:49 PM: HKCR\interface\{6b882c34-a832-4f5b-bef1-7e198be3f094}\ (8 subtraces) (ID = 104124)
1:49 PM: HKCR\interface\{9b6b4031-1d6d-4c65-acba-021916853822}\ (8 subtraces) (ID = 104126)
1:49 PM: HKCR\interface\{9ff60a27-0c0c-4a6a-a15f-b21b644d67bb}\ (8 subtraces) (ID = 104127)
1:49 PM: HKCR\interface\{15d53b86-e055-43b1-bbee-a91a0f37bd2a}\ (8 subtraces) (ID = 104128)
1:49 PM: HKCR\interface\{f3c41c1d-22f1-4692-8a7a-88de70a2e9e2}\ (8 subtraces) (ID = 104139)
1:49 PM: HKCR\interface\{fa6fa7a5-2c49-4567-ba74-6dd1c36099ee}\ (8 subtraces) (ID = 104141)
1:49 PM: HKLM\software\classes\interface\{6b882c34-a832-4f5b-bef1-7e198be3f094}\ (8 subtraces) (ID = 104174)
1:49 PM: HKLM\software\classes\interface\{9b6b4031-1d6d-4c65-acba-021916853822}\ (8 subtraces) (ID = 104176)
1:49 PM: HKLM\software\classes\interface\{9ff60a27-0c0c-4a6a-a15f-b21b644d67bb}\ (8 subtraces) (ID = 104177)
1:49 PM: HKLM\software\classes\interface\{15d53b86-e055-43b1-bbee-a91a0f37bd2a}\ (8 subtraces) (ID = 104178)
1:49 PM: HKLM\software\classes\interface\{f3c41c1d-22f1-4692-8a7a-88de70a2e9e2}\ (8 subtraces) (ID = 104189)
1:49 PM: HKLM\software\classes\interface\{fa6fa7a5-2c49-4567-ba74-6dd1c36099ee}\ (8 subtraces) (ID = 104191)
1:49 PM: Found Adware: cas
1:49 PM: HKCR\clsid\{8293d547-38dd-4325-b35a-f1817edfa5fc}\ (11 subtraces) (ID = 105365)
1:49 PM: HKCR\typelib\{d4c89c18-b4f3-46a9-8800-e9e7a55afbd9}\ (9 subtraces) (ID = 105366)
1:49 PM: HKLM\software\classes\clsid\{8293d547-38dd-4325-b35a-f1817edfa5fc}\ (11 subtraces) (ID = 105368)
1:49 PM: HKLM\software\classes\typelib\{d4c89c18-b4f3-46a9-8800-e9e7a55afbd9}\ (9 subtraces) (ID = 105369)
1:49 PM: Found Adware: dialerplatform
1:49 PM: HKCR\bhomod.bhomodobj.1\ (3 subtraces) (ID = 125124)
1:49 PM: HKCR\bhomod.bhomodobj\ (5 subtraces) (ID = 125125)
1:49 PM: HKLM\software\classes\bhomod.bhomodobj.1\ (3 subtraces) (ID = 125136)
1:49 PM: HKLM\software\classes\bhomod.bhomodobj\ (5 subtraces) (ID = 125137)
1:49 PM: HKLM\software\ptssa\ (8 subtraces) (ID = 125166)
1:49 PM: Found Adware: isearch desktop search
1:49 PM: HKCR\mfiltis\ (3 subtraces) (ID = 129007)
1:49 PM: HKLM\software\classes\mfiltis\ (3 subtraces) (ID = 129010)
1:49 PM: HKLM\software\system updater\ (ID = 129016)
1:49 PM: Found Trojan Horse: mitglieder_trojan
1:49 PM: HKU\S-1-5-21-1292428093-1580436667-854245398-1004\software\datetime\ (3 subtraces) (ID = 135123)
1:49 PM: Found Adware: opensite
1:49 PM: HKLM\software\microsoft\windows\currentversion\uninstall\open site\ (2 subtraces) (ID = 136457)
1:49 PM: Found Adware: visfx
1:49 PM: HKLM\software\microsoft\windows\currentversion\uninstall\visfx\ (2 subtraces) (ID = 145734)
1:49 PM: HKLM\system\currentcontrolset\services\windows visfx components\ (12 subtraces) (ID = 145735)
1:49 PM: Found Adware: abetterinternet
1:49 PM: HKLM\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler\ || {38d4d5d0-423e-4220-b6f9-30918c2ae4a4} (ID = 145941)
1:49 PM: HKCR\aurorahandlerdll.aurorahandlerdllobj\ (5 subtraces) (ID = 359578)
1:49 PM: HKCR\aurorahandlerdll.aurorahandlerdllobj.1\ (3 subtraces) (ID = 359584)
1:49 PM: HKLM\software\classes\aurorahandlerdll.aurorahandlerdllobj\ (5 subtraces) (ID = 359725)
1:49 PM: HKLM\software\classes\aurorahandlerdll.aurorahandlerdllobj.1\ (3 subtraces) (ID = 359731)
1:49 PM: HKLM\software\classes\typelib\{6d992911-b563-47fc-ab29-437f42d1c729}\ (9 subtraces) (ID = 359756)
1:49 PM: HKCR\aurorahandlerdll.aurorahandlerdllobj\ (5 subtraces) (ID = 360169)
1:49 PM: HKU\S-1-5-21-1292428093-1580436667-854245398-1004\software\aurorahandler\ (22 subtraces) (ID = 360172)
1:49 PM: HKU\S-1-5-21-1292428093-1580436667-854245398-1004\software\cmapp\ (12 subtraces) (ID = 381792)
1:49 PM: HKU\S-1-5-21-1292428093-1580436667-854245398-1004\software\microsoft\windows\currentversion\run\ || cmapp (ID = 381808)
1:49 PM: Found Trojan Horse: sysnet
1:49 PM: HKLM\software\microsoft\windows\currentversion\uninstall\sysnet\ (2 subtraces) (ID = 381857)
1:49 PM: HKCR\typelib\{6d992911-b563-47fc-ab29-437f42d1c729}\ (9 subtraces) (ID = 480791)
1:49 PM: HKU\S-1-5-21-1292428093-1580436667-854245398-1004\software\aurorahandler\ (22 subtraces) (ID = 480802)
1:49 PM: HKCR\main.mimefilter\ (5 subtraces) (ID = 498504)
1:49 PM: HKLM\software\classes\main.mimefilter\ (5 subtraces) (ID = 498516)
1:49 PM: HKCR\main.mimefilter\ (5 subtraces) (ID = 499294)
1:49 PM: HKLM\software\classes\main.mimefilter\ (5 subtraces) (ID = 499295)
1:49 PM: Registry Sweep Complete, Elapsed Time:00:00:19
1:49 PM: Starting Cookie Sweep
1:49 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
1:49 PM: Starting File Sweep
1:49 PM: c:\program files\asys (2 subtraces) (ID = -2147477847)
1:49 PM: c:\program files\cmapp (7 subtraces) (ID = -2147477896)
1:49 PM: c:\program files\epicenter (1 subtraces) (ID = -2147477846)
1:49 PM: c:\program files\open site (8 subtraces) (ID = -2147480518)
1:49 PM: c:\program files\mozilla firefox\extensions\{2bafa858-4ff3-4207-822e-ef46d1b431de} (4 subtraces) (ID = -2147480808)
1:50 PM: lyyaenc.exe (ID = 110131)
1:50 PM: Warning: Failed to read file "c:\documents and settings\bonesjones\local settings\temp\perflib_perfdata_a08.dat". System Error. Code: 32.
The process cannot access the file because it is being used by another process
1:50 PM: vfx8.0-1.exe (ID = 110122)
1:50 PM: ivfedll.exe (ID = 110130)
1:50 PM: stb.exe (ID = 110128)
1:50 PM: cmappstub.exe (ID = 110128)
1:51 PM: Found Trojan Horse: trojan downloader pops-stop
1:51 PM: installerv4.exe (ID = 122359)
1:52 PM: bingo_big31.ico (ID = 51022)
1:52 PM: Found Adware: shopathomeselect
1:52 PM: d57lr4a3.dat (ID = 121494)
1:52 PM: Found Trojan Horse: trojan-backdoor-haxdoor
1:52 PM: i.a3d (ID = 79874)
1:52 PM: Found Trojan Horse: trojan-downloader-bestcounter.biz
1:52 PM: tool2.exe (ID = 51071)
1:52 PM: sf.txt (ID = 110126)
1:52 PM: rf.txt (ID = 110125)
1:52 PM: hf.txt (ID = 110124)
1:52 PM: deskbar.ini (ID = 64321)
1:52 PM: uninstall (ID = 64345)
1:53 PM: File Sweep Complete, Elapsed Time: 00:03:22
1:53 PM: Full Sweep has completed. Elapsed time 00:07:12
1:53 PM: Traces Found: 389
1:53 PM: Removal process initiated
1:53 PM: Quarantining All Traces: begin2search
1:53 PM: Quarantining All Traces: cas
1:53 PM: cas is in use. It will be removed on reboot.
1:53 PM: c:\program files\cmapp is in use. It will be removed on reboot.
1:53 PM: Quarantining All Traces: dialerplatform
1:53 PM: Quarantining All Traces: isearch desktop search
1:53 PM: Quarantining All Traces: mitglieder_trojan
1:53 PM: Quarantining All Traces: opensite
1:53 PM: Quarantining All Traces: visfx
1:53 PM: Quarantining All Traces: abetterinternet
1:53 PM: Quarantining All Traces: sysnet
1:53 PM: Quarantining All Traces: trojan downloader pops-stop
1:53 PM: Quarantining All Traces: shopathomeselect
1:53 PM: Quarantining All Traces: trojan-backdoor-haxdoor
1:53 PM: Quarantining All Traces: trojan-downloader-bestcounter.biz
1:54 PM: Preparing to restart your computer. Please wait...
1:54 PM: Removal process completed. Elapsed time 00:01:07
********
1:44 PM: |··· Start of Session, Tuesday, August 02, 2005 ···|
1:44 PM: Spy Sweeper started
1:44 PM: Sweep initiated using definitions version 508
1:44 PM: Starting Memory Sweep
1:45 PM: Sweep Canceled
1:45 PM: Memory Sweep Complete, Elapsed Time: 00:01:05
1:45 PM: Traces Found: 0
1:45 PM: |··· End of Session, Tuesday, August 02, 2005 ···|
********
1:39 PM: |··· Start of Session, Tuesday, August 02, 2005 ···|
1:39 PM: Spy Sweeper started
1:39 PM: Messenger service has been disabled.
1:40 PM: Updating spyware definitions
1:40 PM: Your definitions are up to date.
1:44 PM: |··· End of Session, Tuesday, August 02, 2005 ···|

HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:13:36 PM, on 8/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\CePMTray.exe
C:\Program Files\TOSHIBA\TouchPadNF\TPTray.exe
C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Video Enhanced\MSNVE.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\AOL 8.0\aoltray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\Program Files\Gearbox Connection Kit\bin\gbConMon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\Gearbox Connection Kit\bin\gbTask.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://127.0.0.1:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\WINDOWS\System32\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPadNF\TPTray.exe
O4 - HKLM\..\Run: [CeEKey.exe] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSN Video Enhanced] "C:\Program Files\MSN Video Enhanced\MSNVE.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\RunServices: [Gearbox Deferal Check] C:\Program Files\Gearbox Connection Kit\bin\gbdefer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: AOL Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://www.pandasoftware.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117038304808
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#10
Rawe
Posted 02 August 2005 - 12:27 PM

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Great job! :tazz:

Let's do a couple of things before we are finished :)

Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click "Start Scan"
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.

- Rawe ;)
  • 0

#11
chessman
Posted 02 August 2005 - 04:09 PM

chessman

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Trend Micro - Antispyware log

Started Scanning
Internet Cookies
Programs in Memory
Windows Registry
Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT'
Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000'
Found 'Class' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000'
Found 'ClassGUID' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000'
Found 'ConfigFlags' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000'
Found 'DeviceDesc' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000'
Found 'Legacy' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000'
Found 'NextInstance' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT'
Found 'Service' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000'
Found '' in 'Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
Internet URL Shortcuts
Files and Directories
Found '' in 'C:\Documents and Settings\bonesjones\Start Menu\Programs\WinMX'
Finished Scanning
Started Backup
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000 for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000 for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000 for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000 for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000 for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000 for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT for restore. [SCANMODS] Error=5.
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000 for restore. [SCANMODS] Error=5.
Finished Backup
Started Cleaning
[SCANMODS] WARNING: Unable to remove registry keys under 'HKLM\'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT'. Error=5.
[SCANMODS] WARNING: Unable to remove registry keys under 'HKLM\'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\0000'. Error=5.
Checking for 'C:\Documents and Settings\bonesjones\Start Menu\Programs\WinMX' in shortcut areas.
Checking for 'C:\Documents and Settings\bonesjones\Start Menu\Programs\WinMX' in startup areas.
Cleaning 'C:\Documents and Settings\bonesjones\Start Menu\Programs\WinMX'
Finished Cleaning


During startup, this computer issues a few error messages, complaining that a module is missing. I'm guessing they are messages from remnants of programs that have been (mostly) uninstalled. I was wondering how to get rid of them as well. Also, should WinMX be uninstalled?
BTW, thanks much.
  • 0

#12
Rawe
Posted 03 August 2005 - 04:44 AM

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
WinMX should be a clean program but be careful of what you're downloading.
Here's a good source of info for P2P progs;
http://www.spywarein...m/articles/p2p/

I'd like to see a fresh HiJackThis log to determine if your PC is clean now or not..

- Rawe :tazz:
  • 0

#13
chessman
Posted 03 August 2005 - 10:07 AM

chessman

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Logfile of HijackThis v1.99.1
Scan saved at 12:04:08 PM, on 8/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\CePMTray.exe
C:\Program Files\TOSHIBA\TouchPadNF\TPTray.exe
C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Video Enhanced\MSNVE.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Gearbox Connection Kit\bin\gbConMon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Gearbox Connection Kit\bin\gbTask.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\AOL 8.0\aoltray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://127.0.0.1:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\WINDOWS\System32\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPadNF\TPTray.exe
O4 - HKLM\..\Run: [CeEKey.exe] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSN Video Enhanced] "C:\Program Files\MSN Video Enhanced\MSNVE.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [Gearbox Deferal Check] C:\Program Files\Gearbox Connection Kit\bin\gbdefer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: AOL Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://www.pandasoftware.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117038304808
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#14
Rawe
Posted 03 August 2005 - 10:21 AM

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Yep it's clean, great job! ;)

Firstly;
you can uninstall most of the programs you needed during the process. (Except, I'd leave Ad-aware SE & CleanUp! for future use since they are user friendly and good programs)

Next, get Service Pack 2
here;
www.windowsupdate.com

Apply the update - reboot. Make sure you let it install... It's really good upgrade since it gives you more protection and little new features.

Also get any available critical updates from Windowsupdate after applying Sp2.

Let's clear out your restore points now.

Disable System Restore;

1. Click Start > Programs > Accessories > Windows Explorer
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Check the "Turn off System Restore"
5. Click Apply. An message shows up.
6. Click "Yes" to do this.
7. Confirm with "Ok".

Reboot.

Enable System Restore;

1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck the "Turn off System Restore" check box.
5. Click Apply, and then click "OK".

System Restore will now be active again. :) Be sure to set a new restore point, and if you need additional help with that, here's a link; http://filext.com/in...thread.php?t=27

Here's some tips for future to prevent spyware;

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed. (My favourite)
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall <= A firewall is definatley a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
And also see TonyKlein's good advice;
So how did I get infected in the first place? (My favourite)

- Rawe :tazz:

If you want to learn how to help people with malware problems like I helped you, feel free to take a look at this thread; http://www.geekstogo...here-t4817.html

And remember to keep all your software updated - you're good to go.
  • 0

#15
Metallica
Posted 18 August 2005 - 05:32 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP