
Hijack This-log [RESOLVED]


  • This topic is locked This topic is locked

#1
beans

    Member

  • 15 posts
:tazz: My desktop background is all black and has a spyware warning that will not go away. I have tried all the steps in your "You must read this before posting a HijackThis log". I have also updated my virus protection; I use Trend Micro. It finds the file but will not give me an option to delete it. The file is Windows\system32\mocih.exe; when I try to delete it myself it tells me that it cannot be deleted because it is in use?? This happened when I forgot to turn on the popup blocker and a young family member clicked on a popup!!

Here is my log from Ewido Security Suite

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:34:36 AM, 8/3/2005
+ Report-Checksum: 8665742B

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{69753829-779C-45e7-9D8C-C79CE0989246} -> Spyware.iSearch : Cleaned with backup
[3052] C:\WINDOWS\system32\VMElSys.dll -> Spyware.Hijacker.Generic : Error during cleaning
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP100\A0020466.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP100\A0021521.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP100\A0021570.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP100\A0021622.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP100\A0021678.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP100\A0021724.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP100\A0021786.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP100\A0021840.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP100\A0021892.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP100\A0021951.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP100\A0022007.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP103\A0022179.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP103\A0022228.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP103\A0022282.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP104\A0022426.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP78\A0011481.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP78\A0011536.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP78\A0011592.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP78\A0011644.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP78\A0011692.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP78\A0011745.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP78\A0011802.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP78\A0011850.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP79\A0011909.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP81\A0012086.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP83\A0012328.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP84\A0012434.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP85\A0012500.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP85\A0012554.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP85\A0012605.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP85\A0012660.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP85\A0012709.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP85\A0012743.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP85\A0012774.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP85\A0012812.exe -> TrojanDownloader.Agent.fw : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP88\A0012873.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP90\A0015259.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP91\A0015296.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP91\A0015332.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP93\A0017470.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP93\A0017518.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP93\A0017578.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP93\A0018575.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP93\A0018610.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP95\A0018691.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP95\A0018731.exe -> TrojanDownloader.Agent.fw : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP95\A0018734.exe -> TrojanDownloader.Agent.fw : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0018769.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0018803.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0018837.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0018894.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0018943.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP97\A0018979.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP97\A0019943.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP97\A0019988.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP97\A0020032.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP97\A0020070.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP97\A0020114.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP98\A0020157.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP98\A0020226.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP99\A0020357.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP99\A0020410.dll -> Spyware.Xawm : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\exe -> TrojanDownloader.Agent.fw : Cleaned with backup
C:\WINDOWS\SYSTEM32\532dsld.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\6TETRODLL.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\AAAsfer.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\AAMaam.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\aamDial.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\AAMDMP.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\AAMILCFG.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\AAMOSYCck.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\ACCdsm.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\ACCTRAC.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\acluctiv.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\ads3duaAPI.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\AMap3d1a.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\amd5RX.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\amdsldETE.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\atdosce.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\atmidiAPE.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\atscoOM.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\CAP3SMDFVI.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\CAPR32CIA.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\CDFMPDIN.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\CLUEDADVP.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\ctiUT.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\CTRACEiosr.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\CTRECAP.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\CTRNPNATSR.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\CTRrypt.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\CTsrvGH.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\d5im7ENG.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\d5TMbken.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\DITtl70.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\DMPAACK.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\DSLRORMF.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\DSMSTRS.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\dvpati2c.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\eamPTDL.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\eamVIC.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\EDITLM.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\edsAP.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\FIL3ABI.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\I3IAL3.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\i3TCOMPO.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\ILEBIDI.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\KCTAUTHbo.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\KCTRBK.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldpspNPN.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldpUTOVM.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldWAVatt.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\liceuid.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\LRKCTMISC.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\LRSCIOD.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\md53TRE.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\MONSYC.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\MSED3D.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\msLMFne.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\mxthzdmim.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\mxTRghel.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\NCLPCbthc.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\NVdlhusd.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\O4SSERL32.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\o4svvvax.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\O4SWSERES.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\ODISCA.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\PABKENlbca.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\PARDMIN.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\PCatlTML.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\PCSKMOEV.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\REDITDVP.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\ROAPmban.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\RSEMFD.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\RSESN.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\rxyerril.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\sesrhsanui.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\SRAMatsr.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\srBGEN.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\srpcsrv32.dll -> Spyware.Xawm : Cleaned with backup
C:\WINDOWS\SYSTEM32\svDANCLENG.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\thCFGN.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\thkoad.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\THMGRESKP.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\THOLEPTEX.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\ti3rx3.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\TIFPCP32.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\tl7SPRES.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\tlatme.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\TMCVI168.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\tmliios.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\tmp.exe -> Spyware.Perez.a : Cleaned with backup
C:\WINDOWS\SYSTEM32\txfdb32.dll -> Spyware.Xawm : Cleaned with backup
C:\WINDOWS\SYSTEM32\UDITHZatq.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\USAPCI.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\VIESNPodm.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\viioNFM.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\VMEATTCMSM.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\VPACSVC.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\VTAbthstcl.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\VTAsrv.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\vutCAP.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\xprxvpsops.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\__delete_on_reboot__VMElSys.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\telnet.exe -> TrojanDownloader.Agent.fw : Cleaned with backup


::Report End


Here is my HijackThis log


Logfile of HijackThis v1.99.1
Scan saved at 1:31:49 AM, on 8/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\msdtc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\vssvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\xpsp2fw.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Documents and Settings\Rene\Local Settings\Temporary Internet Files\Content.IE5\1JHY8HB8\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nonstopsearch.com/?a=2&b=test
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://nonstopsearch.com/?a=2&b=test
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nonstopsearch.com/?a=2&b=test
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nonstopsearch.com/?a=2&b=test
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nonstopsearch.com/?b=test
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nonstopsearch.com/?a=2&b=test
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nonstopsearch.com/?a=2&b=test
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nonstopsearch.com/?a=2&b=test
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nonstopsearch.com/?a=2&b=test
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://nonstopsearch.com/?a=2&b=test
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://nonstopsearch.com/?a=2&b=test
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {44671FC4-084A-D5AB-53E2-CE57DED3E534} - C:\WINDOWS\system32\PCUPDMI.exe (file missing)
O2 - BHO: (no name) - {3C8A6204-B469-7890-D052-615504857C1C} - C:\WINDOWS\System32\cnth.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [Fast start] C:\WINDOWS\system32\ntnut.exe home
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8763AA3-20AF-41E2-9EC7-37C4B2814BB0}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Provides three management service (FreeBSD) - Unknown owner - C:\WINDOWS\System32\dev32.exe (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Provides five management service (NetBSD) - Unknown owner - C:\WINDOWS\System32\dev32.exe (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe



Thank you for your help
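A defender-side triage pass over the HijackThis log format posted above, added here as an example; it is not code from the thread or from HijackThis itself. The sample lines are a constructed, trimmed selection in the same format, and the allow-list of expected start/search hosts is a hypothetical choice for this machine.

```python
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: a trimmed selection of lines in the HijackThis v1.99.1
# format used in this thread (not the full log posted above).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nonstopsearch.com/?a=2&b=test
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nonstopsearch.com/?b=test
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - URLSearchHook: (no name) - {44671FC4-084A-D5AB-53E2-CE57DED3E534} - C:\WINDOWS\system32\PCUPDMI.exe (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8763AA3-20AF-41E2-9EC7-37C4B2814BB0}: NameServer = 205.188.146.145
O23 - Service: Provides three management service (FreeBSD) - Unknown owner - C:\WINDOWS\System32\dev32.exe (file missing)
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
"""

# Hypothetical allow-list: hosts an IE start/search page may legitimately point
# at on this machine (OEM portal and the blank page). Anything else in an R0/R1
# entry is flagged for review.
ALLOWED_HOSTS = {"www.dell4me.com", "about:blank"}

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
R_VALUE_RE = re.compile(r"^(?P<key>[^=]+?) = (?P<value>\S+)$")
O4_NAME_RE = re.compile(r"\[(?P<name>[^\]]*)\]")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def host_of(url: str) -> str:
    """Host part of an http(s) URL, or the URL itself for pseudo-URLs such as about:blank."""
    parts = urlsplit(url)
    return parts.netloc.lower() if parts.netloc else url.lower()


def triage(log_text: str, allowed_hosts=frozenset(ALLOWED_HOSTS)) -> list:
    """Walk a HijackThis log and return the entries a helper would look at first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header line, running-process list or blank line
        section, body = m.group("section"), m.group("body")

        # R0/R1: browser start and search pages redirected to an unexpected host
        if section in ("R0", "R1"):
            v = R_VALUE_RE.match(body)
            if v and host_of(v.group("value")) not in allowed_hosts:
                findings.append(Finding(section, "browser start/search page points at unexpected host", line))

        # Any section: the referenced file is gone, typically the leftover of a
        # partial removal; the registry entry itself still needs cleaning up
        if line.endswith("(file missing)"):
            findings.append(Finding(section, "entry references a missing file", line))

        # O4: autostart names padded with whitespace to resemble a legitimate entry
        if section == "O4":
            n = O4_NAME_RE.search(body)
            if n and n.group("name") != n.group("name").strip():
                findings.append(Finding(section, "Run entry name padded with whitespace", line))

        # O17: DNS server override, worth confirming against the ISP's servers
        if section == "O17" and "NameServer" in body:
            findings.append(Finding(section, "custom DNS server configured", line))

        # O23: a service that carries no vendor string at all
        if section == "O23" and "Unknown owner" in body:
            findings.append(Finding(section, "service has no vendor", line))
    return findings


def count_by_reason(findings) -> Counter:
    """Summarise findings by reason, for a quick overview of a long log."""
    return Counter(f.reason for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}: {f.line}")
```

Everything the pass flags is a candidate for a helper's review, not a verdict; a legitimate OEM or vendor entry can trip the host or vendor checks.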


#2
Rawe

    Visiting Staff

  • 4,746 posts
Hello and welcome to GtG!

I'm really sorry about the wait and late reply. This forum is really busy.
Do you still need help with your problem, or have you gotten help elsewhere?
It has been a while since you posted the log. If you still need help, I will need a fresh HijackThis logfile. Let me know if you don't need help anymore.

Again, sorry for the late reply.

- Rawe :tazz:

#3
beans

    Member

  • Topic Starter
  • 15 posts
Thank you, yes, I still need help. I understand that this board is very busy, and I appreciate the fact that there are people like you willing to help on their own time.

Thanks again
Beans

#4
Rawe

    Visiting Staff

  • 4,746 posts
Thanks for your understanding! ;)

Ok, since you still need help, can you post a fresh log from HijackThis and we'll get started. The infection has undoubtedly changed since Aug 6th.

- Rawe :tazz:

#5
beans

    Member

  • Topic Starter
  • 15 posts
I will as soon as I get home. I am at work right now, and nobody at home will know what to do.

Thanks Again

#6
beans

    Member

  • Topic Starter
  • 15 posts
Sorry it took me so long to get this done.

Here is my new HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 6:35:03 AM, on 8/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\msdtc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\vssvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\xpsp2fw.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Documents and Settings\Rene\Local Settings\Temporary Internet Files\Content.IE5\CDU1O7EF\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nonstopsearch.com/?a=2&b=test
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://nonstopsearch.com/?a=2&b=test
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nonstopsearch.com/?a=2&b=test
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nonstopsearch.com/?a=2&b=test
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nonstopsearch.com/?b=test
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nonstopsearch.com/?a=2&b=test
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nonstopsearch.com/?a=2&b=test
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nonstopsearch.com/?a=2&b=test
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nonstopsearch.com/?a=2&b=test
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://nonstopsearch.com/?a=2&b=test
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://nonstopsearch.com/?a=2&b=test
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {44671FC4-084A-D5AB-53E2-CE57DED3E534} - C:\WINDOWS\system32\PCUPDMI.exe (file missing)
O2 - BHO: (no name) - {3C8A6204-B469-7890-D052-615504857C1C} - C:\WINDOWS\System32\cnth.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [Fast start] C:\WINDOWS\system32\ntnut.exe home
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8763AA3-20AF-41E2-9EC7-37C4B2814BB0}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Provides three management service (FreeBSD) - Unknown owner - C:\WINDOWS\System32\dev32.exe (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Provides five management service (NetBSD) - Unknown owner - C:\WINDOWS\System32\dev32.exe (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

#7 Rawe (Visiting Staff, 4,746 posts)
OK, can you do these steps:

1- Quickly check your Windows Updates. I see you have SP2; can you check the status of your critical updates? If any are available, install them and reboot. If not, let it be.

2- If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run the scan quite yet.

3- Launch Ad-Aware SE and click on the gear to access the Configuration menu. Please make sure that this setting is applied;

Click on Tweak => Cleaning engine => UNcheck "Always try to unload modules before deletion". Click on "Finish". Do a Full System Scan, and remove all it finds.

4- Click "Start" > Run and type in: MRT
Click "OK". When a window pops up, click "Next". Let it scan and let me know the results.

5- Reboot when done and post me a fresh HiJackThis log.

- Rawe :tazz:

#8 beans (Topic Starter, Member, 15 posts)
I tried to check my Windows updates before I left for work this morning, and it said the program could not run because I did not have Automatic Updates turned on. I have to say that bothers me; I didn't know Automatic Updates could be turned off. I tried to find where to go to turn them on, but couldn't, and I needed to leave for work.

When I get home I will find out how to turn them on and complete the steps you have given me; I will post a new HijackThis log for you tonight.

Thanks again for your help

#9 Rawe (Visiting Staff, 4,746 posts)
Click Start -> Control Panel -> Microsoft Security Center (or it might be just Security Center; I am translating from Finnish). Click "Automatic Updates" and choose the settings you want. Click Apply, then OK.

Then click Start -> Windows Update and install any available critical updates.

- Rawe :tazz:

#10 beans (Topic Starter, Member, 15 posts)
I ran Windows Update and I ran Ad-Aware; when I ran MRT I received the message "No Malicious Software found".

Here is my new HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 5:25:02 AM, on 8/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\msdtc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\vssvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\xpsp2fw.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Documents and Settings\Rene\Local Settings\Temporary Internet Files\Content.IE5\1JHY8HB8\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nonstopsearch.com/?a=2&b=test
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://nonstopsearch.com/?a=2&b=test
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nonstopsearch.com/?a=2&b=test
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nonstopsearch.com/?a=2&b=test
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nonstopsearch.com/?b=test
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nonstopsearch.com/?a=2&b=test
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nonstopsearch.com/?a=2&b=test
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nonstopsearch.com/?a=2&b=test
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nonstopsearch.com/?a=2&b=test
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://nonstopsearch.com/?a=2&b=test
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://nonstopsearch.com/?a=2&b=test
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {44671FC4-084A-D5AB-53E2-CE57DED3E534} - C:\WINDOWS\system32\PCUPDMI.exe (file missing)
O2 - BHO: (no name) - {3C8A6204-B469-7890-D052-615504857C1C} - C:\WINDOWS\System32\cnth.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [Fast start] C:\WINDOWS\system32\ntnut.exe home
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8763AA3-20AF-41E2-9EC7-37C4B2814BB0}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Provides three management service (FreeBSD) - Unknown owner - C:\WINDOWS\System32\dev32.exe (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Provides five management service (NetBSD) - Unknown owner - C:\WINDOWS\System32\dev32.exe (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

#11 Rawe (Visiting Staff, 4,746 posts)
Before jumping into the process, can you tell me what problems you have at the moment? :tazz:

#12 beans (Topic Starter, Member, 15 posts)
The only problem I seem to have is that my desktop background is black with the following warning: "Warning your in Danger..." Then there is a very long message about spyware; at the bottom of the message it says "Secure yourself right now, remove all spyware from your PC", and at the very bottom it has "removal instructions".

This is, I was told, what the pop-up looked like that my family member clicked on while playing on the net. My computer will not let me change the background, and PC-cillin finds the file, but my computer will not let me delete it because "it's being used by another program".


Thanks
Beans

#13 Rawe (Visiting Staff, 4,746 posts)
Sounds like Smitfraud, even though I can't see many signs of it in the log.

Ok, let's start;

Please print these instructions out, or write them down, as you can't read them during the fix.

Download smitRem.exe and save the file to your desktop.
Double-click on the file to extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Download CleanUp!

Run the CleanUp! installer and get the program ready to be used but don't run it yet.

Next, please reboot your computer in Safe Mode by doing the following;

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

===================================================
Run a scan with HiJackThis and check the following objects for removal;

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nonstopsearch.com/?a=2&b=test
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://nonstopsearch.com/?a=2&b=test
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nonstopsearch.com/?a=2&b=test
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nonstopsearch.com/?a=2&b=test
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nonstopsearch.com/?b=test
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nonstopsearch.com/?a=2&b=test
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nonstopsearch.com/?a=2&b=test
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nonstopsearch.com/?a=2&b=test
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nonstopsearch.com/?a=2&b=test
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://nonstopsearch.com/?a=2&b=test
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://nonstopsearch.com/?a=2&b=test
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {44671FC4-084A-D5AB-53E2-CE57DED3E534} - C:\WINDOWS\system32\PCUPDMI.exe (file missing)
O2 - BHO: (no name) - {3C8A6204-B469-7890-D052-615504857C1C} - C:\WINDOWS\System32\cnth.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Fast start] C:\WINDOWS\system32\ntnut.exe home
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe


Close any other open windows and/or open browsers, making sure that only HiJackThis is running. Make sure that the above mentioned objects are all checked, then hit "Fix Checked".
===================================================

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Open Ad-aware and do a Full System Scan. Remove all it finds.

Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • Clean anything it finds.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido.

Using Windows Explorer (not Search; it wouldn't work), locate the following files and delete them if present:

C:\WINDOWS\system32\PCUPDMI.exe
C:\WINDOWS\System32\cnth.dll
C:\WINDOWS\system32\ntnut.exe
C:\WINDOWS\system32\xpsp2fw.exe
C:\WINDOWS\system32\wuclient.exe


Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.
Now run the CleanUp program:

*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp

Running CleanUp
  • Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
  • When CleanUp starts go to the Options button (right side of CleanUp screen)
  • Move the arrow down to "Custom CleanUp!"
  • Now place a checkmark next to the following (Make sure nothing else is checked!):
    • Delete Cookies
      This is optional; if you leave the box checked it will remove all of your cookies. At this point removing cookies is a good idea.
    • Empty Recycle Bins
    • Delete Prefetch files
    • Cleanup! All Users
  • Click OK
  • Then click on the CleanUp button. This will take a short while, let it do its thing.
  • When asked to reboot system select No
  • Close CleanUp
Boot up into normal mode and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.

Let me know how it's running now.

- Rawe :tazz:
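The "Fix checked" list in the post above is a set of judgement calls about which log lines deserve removal: hijacked search URLs, entries whose file no longer exists, and Run entries that dress an unknown binary in system32 up as a Windows component (note the trailing space inside "[Windows Update Client ]"). As an added example, not code from this thread, from HijackThis or from smitRem, the Python below encodes those calls as rules over HijackThis v1.99 log lines and returns the lines it would have the user tick. The allowed OEM host (www.dell4me.com), the allow-list of genuine system32 autostarts and the sample log excerpt are assumptions constructed from the lines posted in this thread.

```python
"""Rule-based triage of a HijackThis v1.99 log (added example, not thread code).

Rules, mirroring the judgement calls behind the "Fix checked" list above:
  R0/R1        search/start URL host is neither blank nor an allowed OEM host
  R3/O2/O3/O23 backing file reported missing by HijackThis
  O4           unknown binary launched from system32, or a Run name padded with
               whitespace to pass as a Windows component
  O17          NameServer override: reported for review, never auto-fixed
Allow-lists and the sample log are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: what this OEM image legitimately ships as defaults and autostarts.
ALLOWED_URL_HOSTS = {"www.dell4me.com"}
KNOWN_SYSTEM32_AUTORUNS = {
    "igfxtray.exe", "hkcmd.exe",  # Intel graphics tray and hotkey handler
    "hpztsb09.exe",               # HP print-driver taskbar utility
    "dumprep",                    # Windows XP error-reporting dump helper
}
MISSING_MARKERS = ("(file missing)", "(no file)")

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
URL_RE = re.compile(r"=\s*(?P<url>\S+)\s*$")
HOST_RE = re.compile(r"^[a-z]+://(?P<host>[^/?\s]+)", re.I)
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


@dataclass(frozen=True)
class Finding:
    verdict: str  # "fix": tick it in HijackThis; "review": look before acting
    reason: str
    line: str


def first_token(cmd: str) -> str:
    """Executable path at the front of a Run command, honouring a quoted path."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def check_line(raw: str) -> Optional[Finding]:
    """Apply the rules to one log line; None means the line is left alone."""
    line = raw.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    sec, body = m["sec"], m["body"]
    if sec in ("R0", "R1"):
        um = URL_RE.search(body)
        hm = HOST_RE.match(um["url"]) if um else None  # about:blank has no host
        if hm and hm["host"].lower() not in ALLOWED_URL_HOSTS:
            return Finding("fix", f"browser setting points at {hm['host']}", line)
        return None
    if sec in ("R3", "O2", "O3", "O23") and body.endswith(MISSING_MARKERS):
        return Finding("fix", f"{sec} entry whose file is missing", line)
    if sec == "O4":
        rm = RUN_RE.match(body)
        if rm is None:
            return None  # Startup-folder shortcuts are left to a manual look
        name, exe = rm["name"], first_token(rm["cmd"])
        if name != name.strip():
            return Finding("fix", "Run name padded with whitespace (impersonation)", line)
        base = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if "\\system32\\" in exe.lower() and base not in KNOWN_SYSTEM32_AUTORUNS:
            return Finding("fix", f"unknown binary {base} autostarting from system32", line)
        return None
    if sec == "O17":
        return Finding("review", "NameServer override; confirm it belongs to your ISP", line)
    return None


def triage(log: str) -> List[Finding]:
    return [f for f in map(check_line, log.splitlines()) if f]


def fix_list(log: str) -> List[str]:
    """Lines these rules would have the user tick before pressing Fix checked."""
    return [f.line for f in triage(log) if f.verdict == "fix"]


# Constructed excerpt: a sample of the entries from the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nonstopsearch.com/?a=2&b=test
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - URLSearchHook: (no name) - {44671FC4-084A-D5AB-53E2-CE57DED3E534} - C:\WINDOWS\system32\PCUPDMI.exe (file missing)
O2 - BHO: (no name) - {3C8A6204-B469-7890-D052-615504857C1C} - C:\WINDOWS\System32\cnth.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Fast start] C:\WINDOWS\system32\ntnut.exe home
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8763AA3-20AF-41E2-9EC7-37C4B2814BB0}: NameServer = 205.188.146.145
O23 - Service: Provides three management service (FreeBSD) - Unknown owner - C:\WINDOWS\System32\dev32.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.verdict:6}] {f.reason}\n         {f.line}")
```

Run it as a script and it prints a verdict per flagged line; feed it a full log pasted into SAMPLE_LOG to get the tick list. Two things the rules deliberately leave to a human: the O17 NameServer is only reported, because an ISP-assigned resolver and a DNS hijack look identical in the log, and Startup-folder shortcuts are skipped because they point at ordinary program paths. One caveat visible in the logs themselves: HijackThis is running from Temporary Internet Files (the Content.IE5 path at the end of the process list). HijackThis writes its backups to a folder beside its own executable, so from that location the temp-folder wipe later in the procedure would take the backups with it; extract it to its own folder before fixing anything.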

#14 beans (Topic Starter, Member, 15 posts)
It is almost 5pm here, and I have been working on the steps you gave me since 9am, and my desktop background is still the same.

I had a lot of problems with Panda ActiveScan; I couldn't get the shortcut to download onto my desktop, so I ran the scan while online. Also, when in Safe Mode the HijackThis log was missing 5 of the objects you told me to remove.

My current virus software is telling me I need to update. I haven't done this yet; I wanted to make sure it was OK and was not going to hurt anything you are helping me with.

Here are my new logs:

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:31:49 AM, on 8/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\msdtc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\vssvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\xpsp2fw.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Documents and Settings\Rene\Local Settings\Temporary Internet Files\Content.IE5\1JHY8HB8\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nonstopsearch.com/?a=2&b=test
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://nonstopsearch.com/?a=2&b=test
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nonstopsearch.com/?a=2&b=test
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nonstopsearch.com/?a=2&b=test
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nonstopsearch.com/?b=test
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nonstopsearch.com/?a=2&b=test
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nonstopsearch.com/?a=2&b=test
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nonstopsearch.com/?a=2&b=test
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nonstopsearch.com/?a=2&b=test
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://nonstopsearch.com/?a=2&b=test
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://nonstopsearch.com/?a=2&b=test
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {44671FC4-084A-D5AB-53E2-CE57DED3E534} - C:\WINDOWS\system32\PCUPDMI.exe (file missing)
O2 - BHO: (no name) - {3C8A6204-B469-7890-D052-615504857C1C} - C:\WINDOWS\System32\cnth.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [Fast start] C:\WINDOWS\system32\ntnut.exe home
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8763AA3-20AF-41E2-9EC7-37C4B2814BB0}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Provides three management service (FreeBSD) - Unknown owner - C:\WINDOWS\System32\dev32.exe (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Provides five management service (NetBSD) - Unknown owner - C:\WINDOWS\System32\dev32.exe (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:34:36 AM, 8/3/2005
+ Report-Checksum: 8665742B

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{69753829-779C-45e7-9D8C-C79CE0989246} -> Spyware.iSearch : Cleaned with backup
[3052] C:\WINDOWS\system32\VMElSys.dll -> Spyware.Hijacker.Generic : Error during cleaning
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP100\A0020466.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP100\A0021521.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP100\A0021570.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP100\A0021622.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP100\A0021678.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP100\A0021724.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP100\A0021786.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP100\A0021840.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP100\A0021892.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP100\A0021951.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP100\A0022007.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP103\A0022179.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP103\A0022228.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP103\A0022282.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP104\A0022426.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP78\A0011481.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP78\A0011536.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP78\A0011592.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP78\A0011644.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP78\A0011692.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP78\A0011745.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP78\A0011802.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP78\A0011850.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP79\A0011909.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP81\A0012086.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP83\A0012328.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP84\A0012434.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP85\A0012500.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP85\A0012554.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP85\A0012605.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP85\A0012660.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP85\A0012709.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP85\A0012743.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP85\A0012774.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP85\A0012812.exe -> TrojanDownloader.Agent.fw : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP88\A0012873.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP90\A0015259.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP91\A0015296.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP91\A0015332.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP93\A0017470.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP93\A0017518.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP93\A0017578.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP93\A0018575.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP93\A0018610.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP95\A0018691.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP95\A0018731.exe -> TrojanDownloader.Agent.fw : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP95\A0018734.exe -> TrojanDownloader.Agent.fw : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0018769.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0018803.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0018837.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0018894.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP96\A0018943.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP97\A0018979.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP97\A0019943.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP97\A0019988.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP97\A0020032.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP97\A0020070.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP97\A0020114.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP98\A0020157.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP98\A0020226.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP99\A0020357.dll -> Spyware.Xawm : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP99\A0020410.dll -> Spyware.Xawm : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\exe -> TrojanDownloader.Agent.fw : Cleaned with backup
C:\WINDOWS\SYSTEM32\532dsld.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\6TETRODLL.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\AAAsfer.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\AAMaam.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\aamDial.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\AAMDMP.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\AAMILCFG.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\AAMOSYCck.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\ACCdsm.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\ACCTRAC.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\acluctiv.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\ads3duaAPI.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\AMap3d1a.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\amd5RX.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\amdsldETE.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\atdosce.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\atmidiAPE.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\atscoOM.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\CAP3SMDFVI.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\CAPR32CIA.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\CDFMPDIN.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\CLUEDADVP.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\ctiUT.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\CTRACEiosr.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\CTRECAP.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\CTRNPNATSR.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\CTRrypt.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\CTsrvGH.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\d5im7ENG.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\d5TMbken.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\DITtl70.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\DMPAACK.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\DSLRORMF.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\DSMSTRS.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\dvpati2c.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\eamPTDL.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\eamVIC.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\EDITLM.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\edsAP.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\FIL3ABI.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\I3IAL3.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\i3TCOMPO.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\ILEBIDI.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\KCTAUTHbo.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\KCTRBK.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldpspNPN.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldpUTOVM.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\ldWAVatt.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\liceuid.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\LRKCTMISC.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\LRSCIOD.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\md53TRE.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\MONSYC.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\MSED3D.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\msLMFne.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\mxthzdmim.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\mxTRghel.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\NCLPCbthc.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\NVdlhusd.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\O4SSERL32.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\o4svvvax.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\O4SWSERES.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\ODISCA.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\PABKENlbca.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\PARDMIN.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\PCatlTML.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\PCSKMOEV.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\REDITDVP.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\ROAPmban.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\RSEMFD.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\RSESN.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\rxyerril.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\sesrhsanui.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\SRAMatsr.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\srBGEN.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\srpcsrv32.dll -> Spyware.Xawm : Cleaned with backup
C:\WINDOWS\SYSTEM32\svDANCLENG.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\thCFGN.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\thkoad.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\THMGRESKP.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\THOLEPTEX.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\ti3rx3.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\TIFPCP32.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\tl7SPRES.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\tlatme.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\TMCVI168.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\tmliios.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\tmp.exe -> Spyware.Perez.a : Cleaned with backup
C:\WINDOWS\SYSTEM32\txfdb32.dll -> Spyware.Xawm : Cleaned with backup
C:\WINDOWS\SYSTEM32\UDITHZatq.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\USAPCI.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\VIESNPodm.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\viioNFM.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\VMEATTCMSM.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\VPACSVC.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\VTAbthstcl.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\VTAsrv.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\vutCAP.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\xprxvpsops.exe -> TrojanDropper.Small.oy : Cleaned with backup
C:\WINDOWS\SYSTEM32\__delete_on_reboot__VMElSys.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\telnet.exe -> TrojanDownloader.Agent.fw : Cleaned with backup


::Report End

Incident                               Status          Location
Virus:Trj/Downloader.ABR               Disinfected     Operating system
Adware:Adware/Startpage.UR             No disinfected  C:\WINDOWS\system32\SESSYS.dll
Virus:Trj/Downloader.ABR               Disinfected     Operating system
Adware:adware/startpage.aao            No disinfected  C:\WINDOWS\SYSTEM32\favico.dat
Spyware:spyware/fastsearchweb          No disinfected  C:\WINDOWS\SYSTEM32\shdocpe.dll
Adware:adware/topspyware               No disinfected  C:\WINDOWS\SYSTEM32\srpcsrv32.dll
Adware:adware/cws                      No disinfected  C:\DOCUMENTS AND SETTINGS\RENE\FAVORITES\Automotive resources.url
Dialer:dialer.xd                       No disinfected  C:\WINDOWS\switchagreement.txt
Spyware:spyware/iesearchtoolbar        No disinfected  C:\PROGRAM FILES\IESearchToolbar
Adware:adware/searchcat                No disinfected  C:\DOCUMENTS AND SETTINGS\RENE\FAVORITES\Free Hardcore [bleep]
Dialer:dialer.bqw                      No disinfected  HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\CONC
Adware:adware/cws.homesearchasisstant  No disinfected  Windows Registry
Virus:Trj/Downloader.DAT               Disinfected     C:\Documents and Settings\Rene\Local Settings\Temp\11C.tmp
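Added example, not from this thread or from any of the tools named in it: a small Python triage script for the two log formats quoted in the post above. It parses ewido result lines and HijackThis O23 service lines and pulls out what still needs attention once the scan has run: the entry that errored because its DLL was loaded in a process (the [3052] prefix, which matches the poster's "in use" delete failure), the renamed __delete_on_reboot__ copy that only goes away after a restart, the copies sitting in System Restore points, and services with no publisher or a missing binary. The helper names (parse_ewido, triage, parse_o23, suspicious_services) are my own, and the two excerpts are constructed samples made up of lines copied from the logs above.

```python
"""Triage helpers for ewido scan reports and HijackThis O23 lines.

Constructed example: helper names and sample excerpts are this example's own;
the excerpt lines are copied from the logs posted in the thread above.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a handful of lines from the ewido report above.
EWIDO_EXCERPT = r"""
+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{69753829-779C-45e7-9D8C-C79CE0989246} -> Spyware.iSearch : Cleaned with backup
[3052] C:\WINDOWS\system32\VMElSys.dll -> Spyware.Hijacker.Generic : Error during cleaning
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP100\A0020466.dll -> Spyware.Xawm : Cleaned with backup
C:\WINDOWS\SYSTEM32\srpcsrv32.dll -> Spyware.Xawm : Cleaned with backup
C:\WINDOWS\SYSTEM32\__delete_on_reboot__VMElSys.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\telnet.exe -> TrojanDownloader.Agent.fw : Cleaned with backup

::Report End
"""

# Constructed sample: O23 (service) lines from the HijackThis log above.
HJT_O23_EXCERPT = r"""
O23 - Service: Provides three management service (FreeBSD) - Unknown owner - C:\WINDOWS\System32\dev32.exe (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Provides five management service (NetBSD) - Unknown owner - C:\WINDOWS\System32\dev32.exe (file missing)
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
"""

# One ewido result line: optional "[pid] " prefix (object was loaded in that
# process), then "<object> -> <verdict> : <status>".
EWIDO_LINE = re.compile(
    r"^(?:\[(?P<pid>\d+)\]\s+)?(?P<path>.+?)\s+->\s+(?P<verdict>[^\s:]+)\s+:\s+(?P<status>.+)$"
)


@dataclass
class Finding:
    path: str          # file path or registry key the verdict applies to
    verdict: str       # ewido's detection name, e.g. Spyware.Xawm
    status: str        # what ewido did: "Cleaned with backup", "Error during cleaning"
    pid: Optional[int] # process the object was loaded in, if ewido reported one


def parse_ewido(text: str) -> List[Finding]:
    """Return every result line of an ewido report as a Finding."""
    findings = []
    for line in text.splitlines():
        m = EWIDO_LINE.match(line.strip())
        if m:
            pid = int(m.group("pid")) if m.group("pid") else None
            findings.append(Finding(m.group("path"), m.group("verdict"), m.group("status"), pid))
    return findings


def triage(findings: List[Finding]) -> Dict[str, object]:
    """Summarise a report and single out the items that need follow-up."""
    def in_restore_point(f: Finding) -> bool:
        return "\\system volume information\\" in f.path.lower()

    def in_system32(f: Finding) -> bool:
        return f.path.lower().startswith("c:\\windows\\system32\\")

    return {
        "total": len(findings),
        "by_verdict": Counter(f.verdict for f in findings),
        # Anything not reported as cleaned is still on disk and must be dealt with.
        "not_cleaned": [f.path for f in findings if not f.status.lower().startswith("cleaned")],
        # A pid means the DLL was mapped into a running process; that is why the
        # file could not be deleted while Windows was up.
        "loaded_in_process": [(f.pid, f.path) for f in findings if f.pid is not None],
        # Copies inside System Restore points come back if that restore point is used.
        "restore_point_copies": sum(1 for f in findings if in_restore_point(f)),
        # Renamed for deletion at next boot: only gone once the machine restarts.
        "pending_reboot": [f.path for f in findings if "__delete_on_reboot__" in f.path.lower()],
        "live_system32": [f.path for f in findings if in_system32(f)],
    }


def parse_o23(line: str) -> Optional[Dict[str, object]]:
    """Split a HijackThis O23 line into display name, owner and binary path."""
    prefix = "O23 - Service: "
    line = line.strip()
    if not line.startswith(prefix):
        return None
    # HijackThis joins name, owner and path with " - "; split from the right so a
    # display name that itself contains " - " is not broken apart.
    parts = line[len(prefix):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    name, owner, path = parts
    missing = path.endswith("(file missing)")
    if missing:
        path = path[: -len("(file missing)")].strip()
    return {"name": name, "owner": owner, "path": path, "file_missing": missing}


def suspicious_services(lines: List[str]) -> List[Dict[str, object]]:
    """Flag services with no publisher or whose binary is not on disk."""
    flagged = []
    for line in lines:
        svc = parse_o23(line)
        if svc is None:
            continue
        reasons = []
        if svc["owner"] == "Unknown owner":
            reasons.append("no publisher")
        if svc["file_missing"]:
            reasons.append("binary missing")
        if reasons:
            flagged.append({**svc, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    summary = triage(parse_ewido(EWIDO_EXCERPT))
    for key, value in summary.items():
        print(f"{key}: {value}")
    for svc in suspicious_services(HJT_O23_EXCERPT.splitlines()):
        print(f"service {svc['name']!r} -> {svc['path']} ({', '.join(svc['reasons'])})")
```

Running it on the excerpt reports one item not cleaned (VMElSys.dll, loaded in process 3052), its renamed copy waiting on a reboot, one restore-point copy, and three services worth a second look: the two "management service" entries pointing at a missing dev32.exe and ScsiAccess.EXE with no publisher. On the full report above the restore-point count is far higher, which is the usual reason cleanup guides end with flushing System Restore.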

#15
Rawe

    Visiting Staff

  • 4,746 posts
What kind of problems are you having at the moment? Desktop still messed?

Please print these instructions out, or write them down, as you can't read them during the fix.

You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download SpSeHjfix Here.
Download and install CleanUp! Here

Save all of these files somewhere you will remember like to the Desktop.

Unzip SpSeHjfix to its own folder (i.e. c:\SpSeHjfix).

Run the CleanUp! installer. You don't need to do anything with it right now.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end.

Now run CWShredder. Click I Agree, then Fix and then Next, and let it fix everything it asks about.

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Now run CleanUp! Click CleanUp and allow it to delete all the temporary files. REBOOT!!

Please run a free online anti-virus scan: Kaspersky, or if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply.)

After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.

- Rawe :tazz: