New Ebay laptop....bad idea [CLOSED]


  • This topic is locked

#1
Steamhead

    Visiting Staff

  • Member
  • 519 posts
Well my dad had the bright idea of getting a Dell laptop from Ebay...well...this thing is FILLED with malware...that's an understatement too...here's the HJT log...


--------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:39:53 PM, on 08/05/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
c:\winnt\system32\dlglfh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\winnt\system32\fqCu4x.exe
C:\winnt\system32\NLLaOoE.exe
C:\WINNT\system32\RUNDLL32.exe
C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
C:\WINNT\system32\NLLaOoE.exe
C:\WINNT\IEXPLOR.exe
C:\temp\salm.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\msw\BMan.exe
C:\Program Files\y5zm3uzf\y5zm3uzf.exe
C:\WINNT\system\mrujlf.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless Card Configuration Utility\utility.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\y5zm3uzf\623016.exe
C:\Program Files\y5zm3uzf\y5zm3uzf1\y5zm3uzf1.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\y5zm3uzf\y5zm3uzf.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\saom\cnpa.exe
C:\WINNT\system32\??oolsv.exe
C:\WINNT\system32\msiexec.exe
C:\Documents and Settings\abc\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CenturyTel
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O2 - BHO: (no name) - {00000000-0000-44A3-8741-4BC1A556C6CF} - C:\Program Files\y5zm3uzf\y5zm3uzf.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll
O2 - BHO: (no name) - {63678683-466F-4095-695D-4331B4C2A2C0} - C:\WINNT\system32\rcgria.dll
O2 - BHO: (no name) - {8E74EF78-20B8-2C4C-B858-7A22811348E5} - C:\WINNT\system32\sqhgbm.dll
O2 - BHO: (no name) - {A42DB544-73DB-7E7F-8F9A-73A2D9A16FB5} - C:\WINNT\system32\bket.dll (file missing)
O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\system32\msbe.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [fqCu4x] C:\winnt\system32\fqCu4x.exe
O4 - HKLM\..\Run: [NLLaOoE.exe] c:\winnt\system32\NLLaOoE.exe
O4 - HKLM\..\Run: [r3ni3pQ] sfcn50.exe
O4 - HKLM\..\Run: [vmss] C:\WINNT\system32\vmss\vmss.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
O4 - HKLM\..\Run: [103] "C:\Program Files\Defender Pro Anti Spam\admin" "-hide"
O4 - HKLM\..\Run: [exp.exe] C:\WINNT\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINNT\system32\wintask.exe
O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitejka32.exe
O4 - HKLM\..\Run: [spgvgjgz] C:\WINNT\spgvgjgz.exe
O4 - HKLM\..\Run: [SpySpotter] C:\PROGRA~1\SPYSPO~1\SpySpotter.exe -onreboot
O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKLM\..\Run: [C:\WINNT\IEXPLOR.EXE] C:\WINNT\IEXPLOR.EXE
O4 - HKLM\..\Run: [AtxBrw] C:\WINNT\IEXPLOR.exe
O4 - HKLM\..\Run: [C:\WINNT\VCMnet11.exe] C:\WINNT\VCMnet11.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [nux] C:\WINNT\nux.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe
O4 - HKLM\..\Run: [y5zm3uzf] C:\Program Files\y5zm3uzf\y5zm3uzf.exe
O4 - HKLM\..\Run: [jmkwlv] c:\winnt\system32\dlglfh.exe r
O4 - HKCU\..\Run: [a04sRfc7O] sdpne.exe
O4 - HKCU\..\Run: [Gjzn] C:\WINNT\system32\??oolsv.exe
O4 - HKCU\..\Run: [Pere] C:\Program Files\saom\cnpa.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Belkin 802.11g Wireless Card Utility.lnk = C:\Program Files\Belkin\Belkin 802.11g Wireless Card Configuration Utility\utility.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupd...ll/aun_0032.exe
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusm...om/actsetup.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINNT\zeta.exe (file missing)

#2
Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi Steamhead and welcome to GeeksToGo! My name is Excal and I will be helping you.

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijack log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.

:tazz:

Excal

#3
Steamhead

    Visiting Staff

  • Topic Starter
  • Member
  • 519 posts
Thanks so much! :tazz: I think I got most of it out, but I just want to make sure... I still get some errors when it starts up... ;)

Logfile of HijackThis v1.99.1
Scan saved at 1:58:36 AM, on 08/08/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINNT\system32\??oolsv.exe
C:\Program Files\saom\cnpa.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless Card Configuration Utility\utility.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINNT\system32\svchost.exe
C:\Documents and Settings\abc\Desktop\Malware Removal\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CenturyTel
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: {B5AB638F-D76C-415B-A8F2-F3CEAC502212} - - (no file)
O2 - BHO: (no name) - {00000000-0000-44A3-8741-4BC1A556C6CF} - C:\Program Files\y5zm3uzf\y5zm3uzf.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {63678683-466F-4095-695D-4331B4C2A2C0} - C:\WINNT\system32\rcgria.dll (file missing)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {8E74EF78-20B8-2C4C-B858-7A22811348E5} - C:\WINNT\system32\sqhgbm.dll
O2 - BHO: (no name) - {A42DB544-73DB-7E7F-8F9A-73A2D9A16FB5} - C:\WINNT\system32\bket.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AOLToolBand Class - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [fqCu4x] C:\winnt\system32\fqCu4x.exe
O4 - HKLM\..\Run: [NLLaOoE.exe] c:\winnt\system32\NLLaOoE.exe
O4 - HKLM\..\Run: [r3ni3pQ] sfcn50.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [exp.exe] C:\WINNT\system32\exp.exe
O4 - HKLM\..\Run: [spgvgjgz] C:\WINNT\spgvgjgz.exe
O4 - HKLM\..\Run: [SpySpotter] C:\PROGRA~1\SPYSPO~1\SpySpotter.exe -onreboot
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [a04sRfc7O] sdpne.exe
O4 - HKCU\..\Run: [Gjzn] C:\WINNT\system32\??oolsv.exe
O4 - HKCU\..\Run: [Pere] C:\Program Files\saom\cnpa.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Belkin 802.11g Wireless Card Utility.lnk = C:\Program Files\Belkin\Belkin 802.11g Wireless Card Configuration Utility\utility.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1091764151031
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupd...ll/aun_0032.exe
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusm...om/actsetup.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

#4
Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Can you do this while I write up your fix, please?

Copy everything inside the quote box below (starting with dir) and paste it into notepad. Go up to "File > Save As" and click the drop-down box to change the "Save As Type" to "All Files". Save it as findfile.bat on your Desktop.

dir C:\WINNT\system32\??oolsv.exe /a h > files.txt
notepad files.txt


Locate findfile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the contents of that Notepad here along with a new HiJackThis log.

#5
Steamhead

    Visiting Staff

  • Topic Starter
  • Member
  • 519 posts
O.K. The findfile.bat results were

Volume in drive C has no label.
Volume Serial Number is 24EC-F608

Directory of C:\WINNT\system32

07/14/2003 07:00a 45,328 SPOOLSV.EXE
07/21/2005 08:57a 401,408 ??oolsv.exe
2 File(s) 446,736 bytes

Directory of C:\Documents and Settings\abc\Desktop

and a new HJT log is

Logfile of HijackThis v1.99.1
Scan saved at 2:13:14 AM, on 08/08/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINNT\system32\??oolsv.exe
C:\Program Files\saom\cnpa.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless Card Configuration Utility\utility.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\abc\Desktop\Malware Removal\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CenturyTel
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: {B5AB638F-D76C-415B-A8F2-F3CEAC502212} - - (no file)
O2 - BHO: (no name) - {00000000-0000-44A3-8741-4BC1A556C6CF} - C:\Program Files\y5zm3uzf\y5zm3uzf.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {63678683-466F-4095-695D-4331B4C2A2C0} - C:\WINNT\system32\rcgria.dll (file missing)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {8E74EF78-20B8-2C4C-B858-7A22811348E5} - C:\WINNT\system32\sqhgbm.dll
O2 - BHO: (no name) - {A42DB544-73DB-7E7F-8F9A-73A2D9A16FB5} - C:\WINNT\system32\bket.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AOLToolBand Class - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [fqCu4x] C:\winnt\system32\fqCu4x.exe
O4 - HKLM\..\Run: [NLLaOoE.exe] c:\winnt\system32\NLLaOoE.exe
O4 - HKLM\..\Run: [r3ni3pQ] sfcn50.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [exp.exe] C:\WINNT\system32\exp.exe
O4 - HKLM\..\Run: [spgvgjgz] C:\WINNT\spgvgjgz.exe
O4 - HKLM\..\Run: [SpySpotter] C:\PROGRA~1\SPYSPO~1\SpySpotter.exe -onreboot
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [a04sRfc7O] sdpne.exe
O4 - HKCU\..\Run: [Gjzn] C:\WINNT\system32\??oolsv.exe
O4 - HKCU\..\Run: [Pere] C:\Program Files\saom\cnpa.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Belkin 802.11g Wireless Card Utility.lnk = C:\Program Files\Belkin\Belkin 802.11g Wireless Card Configuration Utility\utility.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1091764151031
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupd...ll/aun_0032.exe
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusm...om/actsetup.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
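The check that Excal's findfile.bat performs, and the triage a helper does by eye on a "Running processes" list, as an added example in Python (not code from this thread, from HijackThis or from any tool named here). HijackThis prints filename characters it cannot render as "?", so the script treats "?" as a one-character wildcard when it compares names against a short list of Windows system binaries; that is what lets "??oolsv.exe" be matched to the genuine spoolsv.exe. It also flags known system binaries running from the wrong directory (C:\WINNT\IEXPLOR.exe beside the real IEXPLORE.EXE) or from a temp folder, and it parses the dir output posted above to put the impostor's size beside the genuine file's. The list of system binaries and their expected directories is an assumption for this Windows 2000 machine; the sample process lines and the dir listing are excerpted from the logs in this thread.

```python
import re

# Windows system binaries that malware commonly imitates (a short, assumed list for this demo).
KNOWN_SYSTEM_BINARIES = {
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "iexplore.exe",
}
# Where those binaries legitimately live on the Windows 2000 box in this thread (assumed).
DEFAULT_DIR = r"c:\winnt\system32"
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\winnt"},
    "iexplore.exe": {r"c:\program files\internet explorer"},
}

# Process paths excerpted from the first HijackThis log in this thread.
SAMPLE_PROCESSES = [
    r"C:\WINNT\system32\svchost.exe",
    r"C:\WINNT\system32\spoolsv.exe",
    r"C:\WINNT\system32\??oolsv.exe",
    r"C:\WINNT\IEXPLOR.exe",
    r"C:\Program Files\Internet Explorer\IEXPLORE.EXE",
    r"C:\temp\salm.exe",
]
# The findfile.bat output as posted in reply #5.
SAMPLE_DIR_OUTPUT = """
 Volume in drive C has no label.
 Volume Serial Number is 24EC-F608

 Directory of C:\\WINNT\\system32

07/14/2003 07:00a 45,328 SPOOLSV.EXE
07/21/2005 08:57a 401,408 ??oolsv.exe
2 File(s) 446,736 bytes
"""


def edit_distance(a, b):
    """Levenshtein distance in which '?' matches any one character, because
    HijackThis prints '?' for filename characters it cannot render."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            same = ca == cb or ca == "?" or cb == "?"
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (0 if same else 1)))
        prev = cur
    return prev[-1]


def lookalike_of(name):
    """Return the system binary that `name` imitates (within two edits), or None."""
    name = name.lower()
    if name in KNOWN_SYSTEM_BINARIES:
        return None
    best = min(KNOWN_SYSTEM_BINARIES, key=lambda k: edit_distance(name, k))
    return best if edit_distance(name, best) <= 2 else None


def flag_process(path):
    """Return a one-line reason a running process deserves a closer look, or None."""
    directory, _, name = path.lower().rpartition("\\")
    if name in KNOWN_SYSTEM_BINARIES:
        if directory not in EXPECTED_DIRS.get(name, {DEFAULT_DIR}):
            return f"{name} running from unexpected directory {directory}"
        return None
    target = lookalike_of(name)
    if target:
        return f"{name} is a near-match for the system binary {target}"
    if "temp" in directory.split("\\"):
        return f"{name} running from a temporary directory"
    return None


def triage(process_lines):
    """Map each suspicious path in a 'Running processes' section to its reason."""
    flags = {}
    for line in process_lines:
        reason = flag_process(line.strip())
        if reason:
            flags[line.strip()] = reason
    return flags


DIR_LINE = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\S+\s+([\d,]+)\s+(.+?)\s*$")


def parse_dir_listing(text):
    """Return {filename: size in bytes} from the 'dir' output findfile.bat saves."""
    sizes = {}
    for line in text.splitlines():
        m = DIR_LINE.match(line.strip())
        if m:
            sizes[m.group(2).lower()] = int(m.group(1).replace(",", ""))
    return sizes


def size_comparison(listing):
    """Pair each look-alike in a dir listing with the genuine file's size."""
    return [(name, size, target, listing[target])
            for name, size in listing.items()
            for target in [lookalike_of(name)] if target and target in listing]


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_PROCESSES).items():
        print(f"{path}: {reason}")
    for name, size, target, real in size_comparison(parse_dir_listing(SAMPLE_DIR_OUTPUT)):
        print(f"{name} ({size} bytes) imitates {target} ({real} bytes)")
```

Run as a script it prints the three flagged process lines and the size pair 401,408 bytes against 45,328 bytes. The name check is deliberately narrow (two edits against a short list) so that ordinary abbreviated vendor names do not drown the output; a wider list of system binaries, and a hash of the genuine file for comparison, are the natural next steps.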

#6
Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi Steamhead,
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
    • C:\WINNT\system32\spoolsv.exe
  • Click on the submit button
  • Please post the results in your next reply.

DOWNLOAD PROGRAMS


Please download ewido security suite it is a trial version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Download and install CleanUp! here. *NOTE* CleanUp! deletes EVERYTHING out of temp/temporary folders and does not make backups.
We will use this program later.


THE FIX


Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Open up and run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan, when it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
Close Ewido

5. Close all browsers, windows and unneeded programs.

6. Open HiJack and do a scan.

7. Put a Check next to the following items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: {B5AB638F-D76C-415B-A8F2-F3CEAC502212} - - (no file)
O2 - BHO: (no name) - {00000000-0000-44A3-8741-4BC1A556C6CF} - C:\Program Files\y5zm3uzf\y5zm3uzf.dll (file missing)
O2 - BHO: (no name) - {63678683-466F-4095-695D-4331B4C2A2C0} - C:\WINNT\system32\rcgria.dll (file missing)
O2 - BHO: (no name) - {8E74EF78-20B8-2C4C-B858-7A22811348E5} - C:\WINNT\system32\sqhgbm.dll
O2 - BHO: (no name) - {A42DB544-73DB-7E7F-8F9A-73A2D9A16FB5} - C:\WINNT\system32\bket.dll (file missing)
O4 - HKLM\..\Run: [fqCu4x] C:\winnt\system32\fqCu4x.exe
O4 - HKLM\..\Run: [NLLaOoE.exe] c:\winnt\system32\NLLaOoE.exe
O4 - HKLM\..\Run: [r3ni3pQ] sfcn50.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [exp.exe] C:\WINNT\system32\exp.exe
O4 - HKLM\..\Run: [spgvgjgz] C:\WINNT\spgvgjgz.exe
O4 - HKLM\..\Run: [SpySpotter] C:\PROGRA~1\SPYSPO~1\SpySpotter.exe -onreboot
O4 - HKCU\..\Run: [a04sRfc7O] sdpne.exe
O4 - HKCU\..\Run: [Gjzn] C:\WINNT\system32\??oolsv.exe
O4 - HKCU\..\Run: [Pere] C:\Program Files\saom\cnpa.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1091764151031
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupd...ll/aun_0032.exe

The following are optional and will free up resources; fixing them does not delete the programs, it only takes them out of startup:
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE


8. Click the Fix Checked box.

9. Please remove these entries from Add/Remove Programs in the Control Panel (if present):

SpySpotter <==== This program is considered not to be a trusted spyware program (see the Rogue Spyware List)

10. Please remove the following folders using Windows Explorer (if present):

C:\Program Files\y5zm3uzf
C:\PROGRA~1\SpySpotter
C:\Program Files\saom


11. Please remove just the files from the following paths using Windows Explorer (if present):

C:\winnt\system32\fqCu4x.exe
c:\winnt\system32\NLLaOoE.exe
C:\WINNT\system32\exp.exe
C:\WINNT\spgvgjgz.exe
Start>Search for the following:
Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.
sfcn50.exe
AUNPS2.DLL
sdpne.exe


12. Run the program CleanUp!

13. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

14. Please post the Active scan log and a fresh HiJackThis log. Let me know how your computer is running.
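The reason step 11 switches from fixed paths to Start > Search, shown as an added Python example (not code from this thread or from HijackThis): a Run value such as [r3ni3pQ] sfcn50.exe records no directory, so Windows resolves the name through its search path at logon and the log cannot tell you where the file sits. The parser pulls the file each O4 Run value really loads (a quoted path, an unquoted path that contains spaces, or the DLL handed to RUNDLL32) and separates bare names from absolute paths. The sample lines are excerpted from the logs in this thread. A bare name is not by itself a sign of malware: mobsync.exe is a Windows component and lands in the same list, which is why the three names Excal asks to search for are the ones with unrecognisable value names.

```python
import re

# O4 lines excerpted from the HijackThis logs in this thread.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon",
    r"O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O4 - HKLM\..\Run: [r3ni3pQ] sfcn50.exe",
    r"O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16",
    r"O4 - HKCU\..\Run: [a04sRfc7O] sdpne.exe",
    r"O4 - HKCU\..\Run: [Gjzn] C:\WINNT\system32\??oolsv.exe",
    r"O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE",
]

# "O4 - HKLM\..\Run: [value name] command" as HijackThis 1.99 prints it.
O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
# Longest unquoted prefix that ends in an executable extension and is followed by a space or the end.
EXE_PREFIX = re.compile(r"^(.*?\.(?:exe|dll|com|scr|bat))(?=\s|$)", re.IGNORECASE)


def executable_of(command):
    """Return the file a Run-value command really loads: the quoted path, the DLL
    handed to RUNDLL32, or the unquoted path (HijackThis prints unquoted paths
    that contain spaces as-is, so a split on whitespace would be wrong)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    head, _, rest = command.partition(" ")
    if head.lower() in ("rundll32", "rundll32.exe"):
        return rest.strip().split(",", 1)[0].strip()
    m = EXE_PREFIX.match(command)
    return m.group(1) if m else head


def classify_run_entries(lines):
    """Return (hive, value name, file, 'absolute' | 'bare') for each O4 Run value.
    A bare name carries no directory, so Windows resolves it through the search
    path at logon and the file must be located with a search before removal."""
    entries = []
    for line in lines:
        m = O4_RUN.match(line.strip())
        if not m:  # Startup-folder shortcuts and other O4 forms are not Run values
            continue
        hive, value, command = m.groups()
        target = executable_of(command)
        kind = "absolute" if ("\\" in target or ":" in target) else "bare"
        entries.append((hive, value, target, kind))
    return entries


def needs_search(lines):
    """Files that have to be searched for because the Run value records no path."""
    return [t for _, _, t, kind in classify_run_entries(lines) if kind == "bare"]


if __name__ == "__main__":
    for hive, value, target, kind in classify_run_entries(SAMPLE_O4_LINES):
        print(f"{hive} [{value}] -> {target} ({kind})")
    print("search for:", ", ".join(needs_search(SAMPLE_O4_LINES)))
```

The Global Startup shortcut line is skipped on purpose: it is a .lnk in a folder, not a Run value, and its target is already an absolute path in the log.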

#7
Steamhead

    Visiting Staff

  • Topic Starter
  • Member
  • 519 posts
O.K. I am now running the ActiveScan....

The computer runs great; some of the errors on startup aren't coming anymore, but one still is... something about svchost has encountered an error and needs to close...

Here is the HJT log
----------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 2:13:14 AM, on 08/08/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINNT\system32\??oolsv.exe
C:\Program Files\saom\cnpa.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless Card Configuration Utility\utility.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\abc\Desktop\Malware Removal\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CenturyTel
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: {B5AB638F-D76C-415B-A8F2-F3CEAC502212} - - (no file)
O2 - BHO: (no name) - {00000000-0000-44A3-8741-4BC1A556C6CF} - C:\Program Files\y5zm3uzf\y5zm3uzf.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {63678683-466F-4095-695D-4331B4C2A2C0} - C:\WINNT\system32\rcgria.dll (file missing)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {8E74EF78-20B8-2C4C-B858-7A22811348E5} - C:\WINNT\system32\sqhgbm.dll
O2 - BHO: (no name) - {A42DB544-73DB-7E7F-8F9A-73A2D9A16FB5} - C:\WINNT\system32\bket.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AOLToolBand Class - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [fqCu4x] C:\winnt\system32\fqCu4x.exe
O4 - HKLM\..\Run: [NLLaOoE.exe] c:\winnt\system32\NLLaOoE.exe
O4 - HKLM\..\Run: [r3ni3pQ] sfcn50.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [exp.exe] C:\WINNT\system32\exp.exe
O4 - HKLM\..\Run: [spgvgjgz] C:\WINNT\spgvgjgz.exe
O4 - HKLM\..\Run: [SpySpotter] C:\PROGRA~1\SPYSPO~1\SpySpotter.exe -onreboot
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [a04sRfc7O] sdpne.exe
O4 - HKCU\..\Run: [Gjzn] C:\WINNT\system32\??oolsv.exe
O4 - HKCU\..\Run: [Pere] C:\Program Files\saom\cnpa.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Belkin 802.11g Wireless Card Utility.lnk = C:\Program Files\Belkin\Belkin 802.11g Wireless Card Configuration Utility\utility.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1091764151031
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupd...ll/aun_0032.exe
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusm...om/actsetup.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe




Here is the Ewido report (you didnt ask me to post it, just to save it, but here it is!)

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:08:30 AM, 08/08/2004
+ Report-Checksum: 29D0D1C2

+ Scan result:

HKLM\SOFTWARE\Classes\actsetup.ActSetupObj -> Spyware.Odysseus : Cleaned with backup
HKLM\SOFTWARE\Classes\actsetup.ActSetupObj\CLSID -> Spyware.Odysseus : Cleaned with backup
HKLM\SOFTWARE\Classes\actsetup.ActSetupObj\CurVer -> Spyware.Odysseus : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{356639AA-E878-40FF-B2F8-E22FA87DF389} -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{4278B4EB-8CC5-45E8-8AF4-43DFD0E9D250} -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{4C42E5EB-3A9C-48E2-B2D0-59681B3DBB8C} -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Common.Buttons -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaPass.Installer -> Spyware.WinAd : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaPass.Installer\CLSID -> Spyware.WinAd : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaPass.Installer\CurVer -> Spyware.WinAd : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\SSaver.SaverObj -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\SSaver.SaverObj\Clsid -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{3894347C-6C5A-444B-B49E-35473CB4D010} -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{5CF68A06-673D-4619-A805-C8FC9AC611DD} -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\skin -> Spyware.Delfin : Cleaned with backup
HKU\S-1-5-21-1343024091-854245398-1708537768-1000\Software\WinUpdt -> Spyware.SecondThought : Cleaned with backup
:mozilla.27:C:\Documents and Settings\abc\Application Data\Mozilla\Firefox\Profiles\nlfhtepj.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.28:C:\Documents and Settings\abc\Application Data\Mozilla\Firefox\Profiles\nlfhtepj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.29:C:\Documents and Settings\abc\Application Data\Mozilla\Firefox\Profiles\nlfhtepj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.30:C:\Documents and Settings\abc\Application Data\Mozilla\Firefox\Profiles\nlfhtepj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.31:C:\Documents and Settings\abc\Application Data\Mozilla\Firefox\Profiles\nlfhtepj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.32:C:\Documents and Settings\abc\Application Data\Mozilla\Firefox\Profiles\nlfhtepj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.33:C:\Documents and Settings\abc\Application Data\Mozilla\Firefox\Profiles\nlfhtepj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.34:C:\Documents and Settings\abc\Application Data\Mozilla\Firefox\Profiles\nlfhtepj.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.35:C:\Documents and Settings\abc\Application Data\Mozilla\Firefox\Profiles\nlfhtepj.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.36:C:\Documents and Settings\abc\Application Data\Mozilla\Firefox\Profiles\nlfhtepj.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.37:C:\Documents and Settings\abc\Application Data\Mozilla\Firefox\Profiles\nlfhtepj.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.107:C:\Documents and Settings\abc\Application Data\Mozilla\Firefox\Profiles\nlfhtepj.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.113:C:\Documents and Settings\abc\Application Data\Mozilla\Firefox\Profiles\nlfhtepj.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.114:C:\Documents and Settings\abc\Application Data\Mozilla\Firefox\Profiles\nlfhtepj.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.115:C:\Documents and Settings\abc\Application Data\Mozilla\Firefox\Profiles\nlfhtepj.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.116:C:\Documents and Settings\abc\Application Data\Mozilla\Firefox\Profiles\nlfhtepj.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.117:C:\Documents and Settings\abc\Application Data\Mozilla\Firefox\Profiles\nlfhtepj.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.195:C:\Documents and Settings\abc\Application Data\Mozilla\Firefox\Profiles\nlfhtepj.default\cookies.txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
:mozilla.196:C:\Documents and Settings\abc\Application Data\Mozilla\Firefox\Profiles\nlfhtepj.default\cookies.txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
:mozilla.197:C:\Documents and Settings\abc\Application Data\Mozilla\Firefox\Profiles\nlfhtepj.default\cookies.txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
:mozilla.198:C:\Documents and Settings\abc\Application Data\Mozilla\Firefox\Profiles\nlfhtepj.default\cookies.txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
:mozilla.199:C:\Documents and Settings\abc\Application Data\Mozilla\Firefox\Profiles\nlfhtepj.default\cookies.txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
:mozilla.200:C:\Documents and Settings\abc\Application Data\Mozilla\Firefox\Profiles\nlfhtepj.default\cookies.txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
:mozilla.201:C:\Documents and Settings\abc\Application Data\Mozilla\Firefox\Profiles\nlfhtepj.default\cookies.txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
:mozilla.202:C:\Documents and Settings\abc\Application Data\Mozilla\Firefox\Profiles\nlfhtepj.default\cookies.txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
:mozilla.207:C:\Documents and Settings\abc\Application Data\Mozilla\Firefox\Profiles\nlfhtepj.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
C:\Documents and Settings\abc\Cookies\abc@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\abc\Cookies\abc@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\abc\Cookies\abc@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\abc\Local Settings\Temp\!update.exe -> TrojanDownloader.PurityScan.y : Cleaned with backup
C:\Documents and Settings\abc\Local Settings\Temp\467822.dll -> Spyware.EliteBar : Cleaned with backup
C:\Documents and Settings\abc\Local Settings\Temp\Cookies\abc@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\abc\Local Settings\Temp\cxtpls_loader.exe -> Spyware.AproposMedia : Cleaned with backup
C:\Documents and Settings\abc\Local Settings\Temp\i33.tmp -> Spyware.SurfSide : Cleaned with backup
C:\Documents and Settings\abc\Local Settings\Temp\mm_reco.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\abc\Local Settings\Temp\ms3A.tmp -> TrojanDownloader.QDown.j : Cleaned with backup
C:\Documents and Settings\abc\Local Settings\Temp\msdioo.exe -> Trojan.Small.i : Cleaned with backup
C:\Documents and Settings\abc\Local Settings\Temp\randreco.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\abc\Local Settings\Temp\rm05040901.Stub.exe -> Adware.eZula : Cleaned with backup
C:\Documents and Settings\abc\Local Settings\Temp\rndrcus.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\abc\Local Settings\Temp\SEPInst.exe -> Trojan.Septic.a : Cleaned with backup
C:\Documents and Settings\abc\Local Settings\Temp\Temporary Internet Files\Content.IE5\GDI1YH45\newmajorse2[1].cab/newmajorse2.txt -> Spyware.WebSearch : Cleaned with backup
C:\Documents and Settings\abc\Local Settings\Temp\vmstmp\vmstmp.exe -> Spyware.Delfin : Cleaned with backup
C:\Documents and Settings\abc\Local Settings\Temporary Internet Files\Content.IE5\4DIAG1DD\!update-2134[1].0000 -> Spyware.PurityScan : Cleaned with backup
C:\Documents and Settings\abc\Local Settings\Temporary Internet Files\Content.IE5\4DIAG1DD\aurora[1].exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\abc\Local Settings\Temporary Internet Files\Content.IE5\4DIAG1DD\banner[1].cab/banner.dll -> Spyware.Banex : Cleaned with backup
C:\Documents and Settings\abc\Local Settings\Temporary Internet Files\Content.IE5\4DIAG1DD\inst4[1].exe -> TrojanDownloader.Small.bem : Cleaned with backup
C:\Documents and Settings\abc\Local Settings\Temporary Internet Files\Content.IE5\4DIAG1DD\pcs_0009[1].exe -> Spyware.Pacer : Cleaned with backup
C:\Documents and Settings\abc\Local Settings\Temporary Internet Files\Content.IE5\K3DETS8Z\mmviewer_101[1].cab/mmview_101.dll -> TrojanDownloader.Agent.cu : Cleaned with backup
C:\Documents and Settings\abc\Local Settings\Temporary Internet Files\Content.IE5\L0H6PV4M\!update-2214[1].0000 -> TrojanDownloader.PurityScan.y : Cleaned with backup
C:\Documents and Settings\abc\Local Settings\Temporary Internet Files\Content.IE5\M2CNUYY0\ActiveX[1].ocx -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\abc\Local Settings\Temporary Internet Files\Content.IE5\PN0FWZ4K\abiuninst[1].exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\abc\Local Settings\Temporary Internet Files\Content.IE5\ZPF03Y9K\pcs_0006[1].exe -> Spyware.Pacer : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe -> Spyware.Searcher : Cleaned with backup
C:\Program Files\saom\cnpa.exe -> TrojanDownloader.PurityScan.y : Cleaned with backup
C:\WINNT\gzcdgw.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINNT\Helper101.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINNT\imhlcjvklo.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINNT\system32\Cache\adl_ibis_AS2.exe -> TrojanDownloader.Wintool.e : Cleaned with backup
C:\WINNT\system32\Cache\ezstub.exe -> Adware.eZula : Cleaned with backup
C:\WINNT\system32\Cache\MTE0MzA6ODoxMg.exe -> Spyware.iSearch : Cleaned with backup
C:\WINNT\system32\Cache\thin-8-3-x-x.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINNT\system32\Cache\trgen_fran-162813.exe -> Spyware.HotSearchBar.d : Cleaned with backup
C:\WINNT\system32\msdioo.exe -> Trojan.Small.i : Cleaned with backup
C:\WINNT\system32\msnimk.gif -> Spyware.Ipend : Cleaned with backup
C:\WINNT\system32\sqhgbm.dll -> Spyware.PurityScan : Cleaned with backup


::Report End


The activescan isnt even halfway done so I thought Id give you these! Thanks a WWHHOOLLLLLEEE lot! :tazz:

Edited by Steamhead, 07 August 2005 - 02:43 AM.


#8
Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Did you have success with the file deletions? If so, there must be something protecting the HiJackthis entries.

Disable any spyware/antivirus protection you have for this:

Open Hijackthis and do a scan. Check off the following items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: {B5AB638F-D76C-415B-A8F2-F3CEAC502212} - - (no file)
O2 - BHO: (no name) - {00000000-0000-44A3-8741-4BC1A556C6CF} - C:\Program Files\y5zm3uzf\y5zm3uzf.dll (file missing)
O2 - BHO: (no name) - {63678683-466F-4095-695D-4331B4C2A2C0} - C:\WINNT\system32\rcgria.dll (file missing)
O2 - BHO: (no name) - {8E74EF78-20B8-2C4C-B858-7A22811348E5} - C:\WINNT\system32\sqhgbm.dll
O2 - BHO: (no name) - {A42DB544-73DB-7E7F-8F9A-73A2D9A16FB5} - C:\WINNT\system32\bket.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [fqCu4x] C:\winnt\system32\fqCu4x.exe
O4 - HKLM\..\Run: [NLLaOoE.exe] c:\winnt\system32\NLLaOoE.exe
O4 - HKLM\..\Run: [r3ni3pQ] sfcn50.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [exp.exe] C:\WINNT\system32\exp.exe
O4 - HKLM\..\Run: [spgvgjgz] C:\WINNT\spgvgjgz.exe
O4 - HKLM\..\Run: [SpySpotter] C:\PROGRA~1\SPYSPO~1\SpySpotter.exe -onreboot
O4 - HKCU\..\Run: [a04sRfc7O] sdpne.exe
O4 - HKCU\..\Run: [Gjzn] C:\WINNT\system32\??oolsv.exe
O4 - HKCU\..\Run: [Pere] C:\Program Files\saom\cnpa.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE


Click FIX CHECKED, then reboot and post a fresh HiJackthis log.


Thanks,

:tazz:

Excal

Edited by Excal, 07 August 2005 - 02:48 AM.


#9
Steamhead

    Visiting Staff

  • Topic Starter
  • Member
  • 519 posts
:tazz: I think I gave you an old log....sorry! Here's the new one!

Logfile of HijackThis v1.99.1
Scan saved at 3:54:58 AM, on 08/08/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe <---------------------NOTE: this is the one that has an error message
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless Card Configuration Utility\utility.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINNT\msagent\AgentSvr.exe
C:\Documents and Settings\abc\Desktop\Malware Removal\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CenturyTel
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AOLToolBand Class - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll


O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Belkin 802.11g Wireless Card Utility.lnk = C:\Program Files\Belkin\Belkin 802.11g Wireless Card Configuration Utility\utility.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1091764151031
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusm...om/actsetup.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

;) :) :(

#10
Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Much Better :tazz:

You shouldn't be getting this error anymore : AUNPS2.DLL

What were the results on the jotti scan?


Thanks,


Excal

#11
Steamhead

    Visiting Staff

  • Topic Starter
  • Member
  • 519 posts
Oh yea it came back ok

#12
Steamhead

    Visiting Staff

  • Topic Starter
  • Member
  • 519 posts
OK ActiveScan is done



Incident Status Location

Spyware:spyware/surfsidekick No disinfected C:\Documents and Settings\abc\Application Data\Sskknwrd.dll
Adware:Adware/SearchTheWeb No disinfected C:\Documents and Settings\All Users\Application Data\msw\MSW.exe
Adware:adware/delfinmedia No disinfected C:\keys.ini
Adware:adware/sidesearch No disinfected C:\WINNT\sepsd.bin
Adware:adware/searchtheweb No disinfected C:\WINNT\system32\Cache\mswinstall.exe
Spyware:Spyware/SurfSideKick No disinfected C:\WINNT\system32\Cache\SSK_B5 WMG Media - Rev Share 3.EXE
Adware:Adware/VirtualBouncer No disinfected C:\WINNT\system32\Cache\wrapperouter.exe
Adware:Adware/eZula No disinfected C:\WINNT\system32\ezPopStub.exe
Adware:adware/alwaysupdatednews No disinfected C:\WINNT\system32\Free LapTop Computer.ico
Spyware:Spyware/ClientMan No disinfected C:\WINNT\system32\mscgdc.dll
Spyware:Spyware/ClientMan No disinfected C:\WINNT\system32\msiaih.dll
Adware:Adware/Hotoffers No disinfected C:\WINNT\system32\msodae.dll
Adware:adware/hotoffers No disinfected C:\WINNT\system32\Party Poker.ico
Adware:Adware/ILookup No disinfected C:\WINNT\system32\rtneg.dll
Adware:Adware/PurityScan No disinfected C:\WINNT\system32\Shex.exe
Adware:adware/ezula No disinfected C:\WINNT\system32\sysfile.dll
Adware:adware/portalscan No disinfected C:\WINNT\system32\winupdt.008
Adware:Adware/PurityScan No disinfected C:\WINNT\system32\??oolsv.exe

#13
Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Boot into safe mode.

Please remove the following folders using Windows Explorer (if present):

C:\Documents and Settings\All Users\Application Data\msw

Please remove just the files from the following paths using Windows Explorer (if present):

C:\keys.ini
C:\WINNT\sepsd.bin
C:\WINNT\system32\Cache\mswinstall.exe
C:\WINNT\system32\Cache\SSK_B5 WMG Media - Rev Share 3.EXE
C:\WINNT\system32\Cache\wrapperouter.exe
C:\WINNT\system32\ezPopStub.exe
C:\WINNT\system32\Free LapTop Computer.ico
C:\WINNT\system32\mscgdc.dll
C:\WINNT\system32\msiaih.dll
C:\WINNT\system32\msodae.dll
C:\WINNT\system32\Party Poker.ico
C:\WINNT\system32\rtneg.dll
C:\WINNT\system32\Shex.exe
C:\WINNT\system32\sysfile.dll
C:\WINNT\system32\winupdt.008


You have two SPOOLSV.EXE files in your system32 folder. You want to delete the one that was created on 07/21/2005 and is 401,408 in size. Right click on it to verify this information. ENSURE that you have the right one.

Reboot and tell me if you get those errors.


Thanks,

:tazz:

Excal

Edited by Excal, 07 August 2005 - 03:28 AM.


#14
Steamhead

    Visiting Staff

  • Topic Starter
  • Member
  • 519 posts
I deleted all the files, but with the spoolsv.exe, I only see one, created on 9/14/2004 .....

#15
Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Did you get the errors?

Do this one more time please.

Copy everything inside the quote box below (starting with dir) and paste it into notepad. Go up to "File > Save As" and click the drop-down box to change the "Save As Type" to "All Files". Save it as findfile.bat on your Desktop.

dir C:\WINNT\system32\??oolsv.exe /a > files.txt
notepad files.txt


Locate findfile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the contents of that Notepad here along with a new HiJackThis log.
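The ??oolsv.exe problem in posts #13 and #15 (two files whose names both render as spoolsv.exe, told apart only by creation date and size) is a process-name lookalike. As an added example that is not part of the thread, the Python below scans a directory for such lookalikes of core Windows process names, applies the same DOS-style pattern findfile.bat uses, and reports the odd characters, size, creation time and hidden flag for each hit. The sample directory, its Cyrillic-letter file name and the random DLL name are constructed for the example.

```python
"""Added example: flag lookalikes of core Windows process names
(e.g. the ??oolsv.exe in the thread) in a directory listing."""
import fnmatch
import os
import stat
import tempfile
from dataclasses import dataclass, field
from datetime import datetime

# Core process names that malware likes to imitate; the real ones appear
# in the HijackThis "Running processes" list.
LEGIT_NAMES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
               "svchost.exe", "spoolsv.exe", "explorer.exe"}


@dataclass
class Candidate:
    path: str
    name: str
    legit_name: str            # the real binary this name imitates
    size: int
    created: datetime
    hidden: bool
    odd_chars: list = field(default_factory=list)  # (index, char, "U+XXXX")


def odd_characters(name):
    """Characters outside printable ASCII; a cmd window or a HijackThis
    log shows them as '?', as in C:\\WINNT\\system32\\??oolsv.exe."""
    return [(i, c, f"U+{ord(c):04X}") for i, c in enumerate(name)
            if not 0x20 <= ord(c) <= 0x7E]


def lookalike_of(name, legit=LEGIT_NAMES):
    """Return the legitimate name that `name` imitates, or None.
    A lookalike has the same length and differs in at most two positions,
    or equals a legitimate name once its non-ASCII characters are dropped
    (at most two missing). An exact match is not a lookalike here."""
    n = name.lower()
    if n in legit:
        return None
    stripped = "".join(c for c in n if 0x20 <= ord(c) <= 0x7E)
    for real in sorted(legit):
        if len(n) == len(real) and sum(a != b for a, b in zip(n, real)) <= 2:
            return real
        if stripped != n and real.endswith(stripped) and len(real) - len(stripped) <= 2:
            return real
    return None


def is_hidden(path):
    """Windows hidden attribute (what 'dir /a' reveals); on POSIX the
    dot-file convention is used so the example also runs there."""
    st = os.stat(path)
    attrs = getattr(st, "st_file_attributes", 0)
    flag = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0)
    return bool(attrs & flag) or os.path.basename(path).startswith(".")


def scan_directory(dirpath, pattern="*"):
    """List files matching a DOS-style pattern (e.g. '??oolsv.exe') whose
    name imitates a core process name, with the facts needed to pick the
    bad copy: size, creation time and hidden flag."""
    found = []
    for name in os.listdir(dirpath):
        path = os.path.join(dirpath, name)
        if not os.path.isfile(path) or not fnmatch.fnmatch(name, pattern):
            continue
        real = lookalike_of(name)
        if real is None:
            continue
        st = os.stat(path)
        # st_birthtime where the platform has it; st_ctime is creation
        # time on Windows but inode change time elsewhere.
        created = datetime.fromtimestamp(getattr(st, "st_birthtime", st.st_ctime))
        found.append(Candidate(path, name, real, st.st_size, created,
                               is_hidden(path), odd_characters(name)))
    return sorted(found, key=lambda c: c.name)


def build_sample_dir():
    """Constructed stand-in for C:\\WINNT\\system32: the real spoolsv.exe,
    a random-named DLL, and a lookalike whose first two letters are the
    Cyrillic 's' (U+0455) and 'r' (U+0440), sized at the 401,408 bytes
    the thread mentions."""
    d = tempfile.mkdtemp(prefix="system32_")
    with open(os.path.join(d, "spoolsv.exe"), "wb") as f:
        f.write(b"MZ" + b"\0" * 1000)
    with open(os.path.join(d, "sqhgbm.dll"), "wb") as f:
        f.write(b"MZ" + b"\0" * 100)
    with open(os.path.join(d, "\u0455\u0440oolsv.exe"), "wb") as f:
        f.write(b"MZ" + b"\0" * (401408 - 2))
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    for c in scan_directory(sample, "??oolsv.exe"):
        print(f"{c.name!r} imitates {c.legit_name}: {c.size} bytes, "
              f"created {c.created:%m/%d/%Y}, hidden={c.hidden}, "
              f"odd chars={[(i, cp) for i, _, cp in c.odd_chars]}")
```

Point it at a real folder with `scan_directory(r"C:\WINNT\system32")` and compare each hit's creation date and size with the legitimate copy before deleting anything, which is the check post #13 asks for.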