Well done, Crustyoldbloke!
I appreciate your help very much. My computer is feeling very well again.
When I did the scan with Ewido there were 29 security issues. Here's the log:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 17:48:09, 05.08.2005
+ Report-Checksum: B86F4A8D
+ Scan result:
:mozilla.13:C:\Documents and Settings\Administrator\Application Data\Netscape\NSB\Profiles\auv4j3bv.default\cookies.txt -> Spyware.Cookie.Onestat : Cleaned without backup
:mozilla.14:C:\Documents and Settings\Administrator\Application Data\Netscape\NSB\Profiles\auv4j3bv.default\cookies.txt -> Spyware.Cookie.Onestat : Cleaned without backup
:mozilla.21:C:\Documents and Settings\Administrator\Application Data\Netscape\NSB\Profiles\auv4j3bv.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned without backup
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned without backup
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Onestat : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned without backup
C:\Documents and Settings\All Users\Documents\stread.exe/somecent.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned without backup
C:\Documents and Settings\All Users\Documents\toget.exe/brokene.exe -> Backdoor.SdBot.abf : Cleaned without backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\K1YZSPAR\stread[1].exe/somecent.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned without backup
C:\WINNT\etb\nt_hide61.dll -> Spyware.EliteBar : Cleaned without backup
C:\WINNT\etb\nt_hide62.dll -> Spyware.EliteBar : Cleaned without backup
C:\WINNT\etb\pokapoka61.exe -> TrojanDropper.Agent.qz : Cleaned without backup
C:\WINNT\etb\pokapoka62.exe -> Spyware.EliteBar : Cleaned without backup
C:\WINNT\etb\xud2f.dll -> Spyware.EliteBar : Cleaned without backup
C:\WINNT\system32\beforei.exe/makeit.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned without backup
C:\WINNT\system32\cscientist.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned without backup
C:\WINNT\system32\osecx.exe/screwit.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned without backup
C:\WINNT\system32\righters.exe/samuriz.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned without backup
C:\WINNT\system32\rizamu.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned without backup
C:\WINNT\system32\samuriz.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned without backup
C:\WINNT\system32\series.exe/dingpong.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned without backup
C:\WINNT\system32\specific.exe/myself.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned without backup
C:\WINNT\system32\specific.exe/playme.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned without backup
C:\WINNT\system32\stread.exe/somecent.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned without backup
C:\WINNT\system32\toget.exe/brokene.exe -> Backdoor.SdBot.abf : Cleaned without backup
C:\WINNT\system32\wdss.exe/cdeayqe.exe -> TrojanProxy.Ranky.z : Cleaned without backup
C:\WINNT\system32\wdss.exe/cdytwaq.exe -> Backdoor.IRCBot.bq : Cleaned without backup
C:\WINNT\WindowsUpdate.log -> Backdoor.Digarix.b : Cleaned without backup
::Report End
Then I scanned with HijackThis and fixed the problems you said to fix (along with some other weird-looking lines). I also used Killbox to delete cscientist.exe and rizamu.exe. The log before the scan and Killbox looked like this:
Logfile of HijackThis v1.99.1
Scan saved at 17:49:58, on 05.08.2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVPCC] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation\avpcc.exe" /wait
O4 - HKLM\..\Run: [System service62] C:\WINNT\etb\pokapoka62.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Crnsava] scrnsave.pif
O4 - HKLM\..\Run: [MS-DOS Windows Service] MS-DOS.PIF
O4 - HKLM\..\Run: [Sxcasdwqas] C:\WINNT\SYSTEM32\rizamu.exe
O4 - HKLM\..\Run: [CalcScience] cscientist.exe
O4 - HKLM\..\RunServices: [Crnsava] scrnsave.pif
O4 - HKLM\..\RunServices: [MS-DOS Windows Service] MS-DOS.PIF
O4 - HKLM\..\RunServices: [CalcScience] cscientist.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Crnsava] scrnsave.pif
O4 - HKCU\..\Run: [MS-DOS Windows Service] MS-DOS.PIF
O4 - HKCU\..\Run: [HMI PowerSystem] hmisvc32.exe
O4 - HKCU\..\Run: [CalcScience] cscientist.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://lv.raad.tartu...activex/AMC.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: AVP Control Centre Service (AVPCC) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation\avpcc.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KAV Monitor Service (KAVMonitorService) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation\avpm.exe" /service (file missing)
O23 - Service: Multi-user Cleanup Service - Unknown owner - C:\lotus\notes\ntmulti.exe
Now the HijackThis log looks like this:
Logfile of HijackThis v1.99.1
Scan saved at 18:17:31, on 05.08.2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation\avpcc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation\avpm.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\lotus\notes\ntmulti.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation\avpcc.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVPCC] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation\avpcc.exe" /wait
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [HMI PowerSystem] hmisvc32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://lv.raad.tartu...activex/AMC.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: AVP Control Centre Service (AVPCC) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation\avpcc.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KAV Monitor Service (KAVMonitorService) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation\avpm.exe" /service (file missing)
O23 - Service: Multi-user Cleanup Service - Unknown owner - C:\lotus\notes\ntmulti.exe
Thanks Crustyoldbloke! You're a legend!
Edited by osmanr, 05 August 2005 - 09:27 AM.
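As an added example (editor's code, not part of the post above and not something from HijackThis, Ewido or Killbox): a small Python script that parses the O4 autorun entries out of the two HijackThis logs in the post, diffs them, and reports which entries were removed, which were added, and which of the remaining Run values name a bare file with no path. The O4 lines embedded in the script are copied from the 17:49:58 and 18:17:31 logs above; the regex assumes the `O4 - HKxx\..\Key: [name] command` layout that HijackThis 1.99.1 prints, and the function and variable names are the editor's own.

```python
import re
from typing import Dict, List, Tuple

# One O4 (autorun) entry as HijackThis 1.99.1 prints it, e.g.
#   O4 - HKLM\..\Run: [CalcScience] cscientist.exe
# Assumption: hive is HKLM or HKCU, key is a single word (Run, RunServices, ...).
O4_LINE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

AutorunKey = Tuple[str, str, str]  # (hive, Run key, value name)

# O4 sections copied from the two HijackThis logs in the post
# (17:49:58 log before the fix, 18:17:31 log after it).
BEFORE_LOG = r"""
O4 - HKLM\..\Run: [AVPCC] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation\avpcc.exe" /wait
O4 - HKLM\..\Run: [System service62] C:\WINNT\etb\pokapoka62.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Crnsava] scrnsave.pif
O4 - HKLM\..\Run: [MS-DOS Windows Service] MS-DOS.PIF
O4 - HKLM\..\Run: [Sxcasdwqas] C:\WINNT\SYSTEM32\rizamu.exe
O4 - HKLM\..\Run: [CalcScience] cscientist.exe
O4 - HKLM\..\RunServices: [Crnsava] scrnsave.pif
O4 - HKLM\..\RunServices: [MS-DOS Windows Service] MS-DOS.PIF
O4 - HKLM\..\RunServices: [CalcScience] cscientist.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Crnsava] scrnsave.pif
O4 - HKCU\..\Run: [MS-DOS Windows Service] MS-DOS.PIF
O4 - HKCU\..\Run: [HMI PowerSystem] hmisvc32.exe
O4 - HKCU\..\Run: [CalcScience] cscientist.exe
"""

AFTER_LOG = r"""
O4 - HKLM\..\Run: [AVPCC] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus for Workstation\avpcc.exe" /wait
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [HMI PowerSystem] hmisvc32.exe
"""


def parse_o4(log_text: str) -> Dict[AutorunKey, str]:
    """Map every O4 entry in a HijackThis log to its command line; other lines are ignored."""
    entries: Dict[AutorunKey, str] = {}
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if m:
            entries[(m["hive"], m["key"], m["name"])] = m["cmd"]
    return entries


def executable_of(cmd: str) -> str:
    """First token of a Run value: the quoted path if it starts with a quote, else up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        close = cmd.find('"', 1)
        return cmd[1:close] if close > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def is_pathless(cmd: str) -> bool:
    """True when the value names a bare file (no drive letter, directory or %var% prefix),
    so what actually runs at logon is resolved through the search path, not a fixed location."""
    exe = executable_of(cmd)
    return (
        bool(exe)
        and "\\" not in exe
        and re.match(r"^[A-Za-z]:", exe) is None
        and not exe.startswith("%")
    )


def diff_autoruns(before_text: str, after_text: str) -> Dict[str, List[Tuple[AutorunKey, str]]]:
    """Compare the O4 sections of two logs: entries removed, entries added, pathless entries left."""
    before, after = parse_o4(before_text), parse_o4(after_text)
    return {
        "removed": sorted((k, v) for k, v in before.items() if k not in after),
        "added": sorted((k, v) for k, v in after.items() if k not in before),
        "remaining_pathless": sorted((k, v) for k, v in after.items() if is_pathless(v)),
    }


if __name__ == "__main__":
    report = diff_autoruns(BEFORE_LOG, AFTER_LOG)
    for section, rows in report.items():
        print(f"{section} ({len(rows)}):")
        for (hive, key, name), cmd in rows:
            print(f"  {hive}\\..\\{key}: [{name}] {cmd}")
```

On the two logs in the post this reports 11 removed entries, nothing added, and three pathless values still present under Run (Synchronization Manager, ctfmon.exe and HMI PowerSystem). The pathless check does not judge an entry: a bare file name only tells you that the loader will search for it at logon, so which file actually runs has to be confirmed on the disk of the machine, not from the log line.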