
Help [CLOSED]



#16
bondjamesbond (Topic Starter)
Here are the results that you requested. I did not save the results for the Panda scan; I will run it again, but here are the others in the meantime:

Logfile of HijackThis v1.99.1
Scan saved at 10:44:50 PM, on 8/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\SetPoint\kem.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Tony\Desktop\geeks to go\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rogers.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_20_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: IYBookmarkHO Class - {8B11A219-80C8-4B42-B558-B8C14D1AA8C4} - C:\Program Files\Yahoo!\browser\ybmho.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_20_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [rikr] C:\PROGRA~1\COMMON~1\rikr\rikrm.exe
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Rogers Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: Rogers &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {CF392BE0-B84F-46E9-BDA9-845119819119} (IPAQSelfHelp Class) - http://isupport4.hp....SPEIPAQTool.CAB
O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.172.102...hm::/update.exe
O18 - Protocol: bw+0 - {24D64396-AA8D-477C-9AD4-2BF4D616C394} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

----------------------------------------------------------------------------------------------

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:34:11 PM, 8/8/2005
+ Report-Checksum: 4FB6350C

+ Scan result:

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP285\A0051839.exe -> Trojan.Small.cy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP285\A0051840.dll -> Spyware.404Search : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP285\A0051841.dll -> TrojanDownloader.WinShow.u : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP285\A0051842.exe -> Trojan.Small.ev : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP285\A0051872.exe -> Trojan.Small.ev : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP285\A0051913.exe -> Trojan.Small.ev : Cleaned with backup


::Report End


#17
kool808 (Visiting Staff)
Looking very good, you did it very well! Your log is much, much better now.

The rikr is a toughie:

+++++++++++++++++++++++++++++++
Search for the jobs:

Open Notepad, then copy and paste the following into it:

rem List everything in the Scheduled Tasks folder, including hidden and system files
dir "%Windir%\tasks" /a > files.txt
notepad files.txt

Save this as findjobs.bat, choose to save it as *all files, and place it on your desktop.

Double-click findjobs.bat and post the contents of the text file you get in your next reply.
(NOTE: You can delete this file afterwards.)

+++++++++++++++++++++++++++++++
  • Open HijackThis
  • Go to Config, then Misc Tools
  • Open Uninstall Manager, then click Save List...
  • Post the results here
  • Close HJT
Open up NOTEPAD, then copy & paste the following commands. Save it to the desktop as findpf.bat. Save it as file type "all files".

@echo off
rem List the Program Files folder (short name PROGRA~1) on the system drive
cd \
dir %SystemDrive%\PROGRA~1 > pflist.txt
notepad pflist.txt

Now on your desktop double-click findpf.bat then post the results in your next reply.
(NOTE: You can delete this file afterwards.)
+++++++++++++++++++++++++++++++


I need to see all requested logs, including the previous ones: SmitRem, Panda Scans, findjobs, Uninstall List, pflist.txt

#18
bondjamesbond (Topic Starter)
Hello kool808, sorry for the delay in response, I was away on business.
Anyway, here are the reports you wanted to see after I performed the tasks in your latest post:

findjobs result

Volume in drive C has no label.
Volume Serial Number is 448B-CE18

Directory of C:\WINDOWS\tasks

06/13/2003 05:51 PM <DIR> .
06/13/2003 05:51 PM <DIR> ..
08/29/2002 05:00 AM 65 DESKTOP.INI
07/01/2005 08:00 PM 462 Norton AntiVirus - Scan my computer.job
08/14/2005 09:51 AM 6 SA.DAT
08/14/2005 09:54 AM 412 Symantec NetDetect.job
4 File(s) 945 bytes

Directory of C:\Documents and Settings\Tony\Desktop



findpf results

Volume in drive C has no label.
Volume Serial Number is 448B-CE18

Directory of C:\PROGRA~1

08/07/2005 04:56 PM <DIR> .
08/07/2005 04:56 PM <DIR> ..
07/06/2003 03:42 PM <DIR> Adobe
12/08/2004 09:38 PM <DIR> av
06/13/2003 06:56 PM <DIR> AvantGo Connect
03/06/2005 07:00 PM <DIR> Cakewalk
08/07/2005 05:13 PM <DIR> CleanUp!
08/08/2005 10:35 PM <DIR> Common Files
06/06/2003 03:55 PM <DIR> ComPlus Applications
06/06/2003 04:09 PM <DIR> CONEXANT
06/06/2003 04:21 PM <DIR> Dell
06/06/2003 04:22 PM <DIR> Dell Computer
06/06/2003 04:21 PM <DIR> Digital Line Detect
10/19/2003 09:39 PM <DIR> DJ2000
08/07/2005 12:17 AM <DIR> ewido
07/01/2005 10:03 PM <DIR> FLStudio4
07/06/2005 08:59 AM <DIR> Google
06/21/2003 12:04 PM 808 INSTALL.LOG
11/13/2004 12:50 AM <DIR> Internet Explorer
05/08/2005 08:49 PM <DIR> iPod
05/08/2005 08:50 PM <DIR> iTunes
06/06/2003 04:22 PM <DIR> Jasc Software Inc
06/13/2003 07:02 PM <DIR> K-Lite Codec Pack
02/07/2004 12:08 AM <DIR> Lavasoft
11/16/2003 08:48 PM <DIR> LexarMedia
07/03/2005 08:39 PM <DIR> Logitech
01/31/2004 03:34 PM <DIR> Messenger
06/13/2003 06:50 PM <DIR> Microsoft ActiveSync
06/06/2003 04:27 PM <DIR> Microsoft Encarta
06/06/2003 03:55 PM <DIR> microsoft frontpage
06/19/2005 04:49 PM <DIR> Microsoft IntelliType Pro
06/19/2005 04:48 PM <DIR> Microsoft IntelliType Pro 5.2
06/06/2003 04:26 PM <DIR> Microsoft Money
06/06/2003 04:25 PM <DIR> Microsoft Office
06/06/2003 04:27 PM <DIR> Microsoft Picture It! 7
03/05/2005 02:40 PM <DIR> Microsoft SQL Server
06/06/2003 04:26 PM <DIR> Microsoft Streets & Trips
06/06/2003 04:26 PM <DIR> Microsoft Works
06/06/2003 04:24 PM <DIR> Microsoft Works Suite 2003
06/06/2003 04:22 PM <DIR> Modem Helper
06/06/2003 03:55 PM <DIR> Movie Maker
08/06/2005 11:19 PM <DIR> Mozilla Firefox
03/07/2004 08:37 PM <DIR> mozilla.org
01/31/2004 03:44 PM <DIR> MSN
06/06/2003 03:55 PM <DIR> MSN Gaming Zone
11/07/2004 09:46 PM <DIR> MUSICMATCH
04/18/2005 06:45 PM <DIR> MyWay
05/05/2004 09:55 PM <DIR> NetMeeting
06/06/2003 04:22 PM <DIR> NetWaiting
08/06/2005 11:19 PM <DIR> Norton AntiVirus
06/06/2003 03:55 PM <DIR> Online Services
01/31/2005 07:22 PM <DIR> OrionPro
08/27/2004 11:25 AM <DIR> Outlook Express
05/08/2005 08:50 PM <DIR> QuickTime
03/16/2005 11:31 PM <DIR> Real
03/12/2004 12:16 AM <DIR> REDPEPR
03/06/2005 07:01 PM <DIR> Research In Motion
01/05/2005 11:20 AM <DIR> Rogers
06/06/2003 04:27 PM <DIR> Roxio
07/20/2003 08:19 PM <DIR> Sierra Imaging
11/13/2004 12:54 AM <DIR> Solid Edge V16
03/05/2005 02:37 PM <DIR> Sony
03/05/2005 02:36 PM <DIR> Sony Setup
08/04/2005 10:17 PM <DIR> Soulseek
06/21/2003 10:09 AM <DIR> Symantec
07/01/2005 10:04 PM <DIR> Vstplugins
08/06/2005 09:10 AM <DIR> Winamp
09/20/2004 09:40 PM <DIR> Windows Media Player
06/06/2003 03:55 PM <DIR> Windows NT
03/31/2004 11:56 PM <DIR> WinZip
06/06/2003 03:55 PM <DIR> XEROX
01/05/2005 11:30 AM <DIR> Yahoo!
1 File(s) 808 bytes
71 Dir(s) 37,563,473,920 bytes



Uninstall list

Ad-aware 6 Personal
Adobe Download Manager 1.2 (Remove Only)
Adobe Photoshop 7.0
Adobe Reader 6.0
AutoVue
BlackBerry Desktop Manager 3.6
Broadcom Advanced Control Suite
CleanUp!
Conexant SmartHSFi V92 56K DF PCI Modem
DAO
Dell Picture Studio - Dell Image Expert
Dell Solution Center
Digital Line Detect
Easy CD Creator 5 Basic
HijackThis 1.99.1
Image Expert
Intel® Extreme Graphics Driver
Internet Explorer Q822925
iPod for Windows 2005-02-07
iTunes
K-Lite Codec Pack
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Logitech Desktop Messenger
Logitech SetPoint
Lotus Notes 5.0 Connector (remove only)
Microsoft .NET Framework 1.1
Microsoft ActiveSync 3.5
Microsoft Encarta Encyclopedia Standard 2003
Microsoft Money 2003
Microsoft Money 2003 System Pack
Microsoft Office XP Professional with FrontPage
Microsoft Picture It! Photo 7.0
Microsoft Project 2000
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
Microsoft Streets and Trips 2002
Microsoft Word 2002
Microsoft Works 2003 Setup Launcher
Microsoft Works 7.0
Microsoft Works Suite Add-in for Microsoft Word
Modem Helper
Mozilla (1.7a)
Mozilla Firefox (1.0PR)
NetWaiting
Norton AntiVirus 2003
Orion Pro v5.8 Demo
Outlook Express Update Q330994
Paint Shop Pro 7
Panda ActiveScan
pdfFactory Pro
QuickTime
RealPlayer
REDPEPR
Rogers Self Healing (remove only)
Rogers Self Healing (remove only)
Rogers Update Manager (remove only)
Rogers Yahoo! Applications
SafeGuard
Scientific Atlanta DPX2100 USB Cable Modem
Solid Edge V16
Sony ACID Pro 5.0
SoulSeek Client 156c
USB Storage Driver
Winamp (remove only)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB821557
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB835732
Windows XP Hotfix (SP2) [See Q329834 for more information]
Windows XP Hotfix (SP2) Q328310
Windows XP Hotfix (SP2) Q329170
Windows XP Hotfix (SP2) Q329441
Windows XP Hotfix (SP2) Q331953
Windows XP Hotfix (SP2) Q810565
Windows XP Hotfix (SP2) Q810577
Windows XP Hotfix (SP2) Q810833
Windows XP Hotfix (SP2) Q811493
Windows XP Hotfix (SP2) Q814033
Windows XP Hotfix (SP2) Q815021
Windows XP Hotfix (SP2) Q817606
Windows XP Hotfix (SP2) Q819696
WinZip
Yahoo! Install Manager


Panda scan result

Incident Status Location

Adware:adware/cws No disinfected C:\Documents and Settings\Tony\Favorites\Fun & Games\Casino Palace.lnk
Virus:W32/Smitfraud.E Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP285\A0051852.old
Virus:W32/Smitfraud.E Disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP285\A0051947.old
Possible Virus. No disinfected C:\WINDOWS\Downloaded Program Files\f10213.exe
Adware:adware/comet No disinfected C:\WINDOWS\INF\dm.PNF
Adware:adware/twain-tech No disinfected C:\WINDOWS\smdat32m.sys

I was not able to see or save the results of the SMITREM scan.
Also, I noticed that now when I load up my PC a key register error comes up before Windows XP becomes active. I will post the exact key registry error message in my next post once I reboot and record the error.

Thanks, regards BJB


#19
bondjamesbond (Topic Starter)
The error message I get when I start up Windows XP is:
isactiveguard: regopenkeyex failed 2.2

thanks, regards. BJB

#20
kool808 (Visiting Staff)
Reboot in Safe Mode.

Open IE, FAVORITES > delete this URL:
C:\Documents and Settings\Tony\Favorites\Fun & Games\Casino Palace.lnk

Delete these folders/files through Windows Explorer:
C:\Program Files\MyWay\ <-- whole folder
C:\WINDOWS\Downloaded Program Files\f10213.exe
C:\WINDOWS\INF\dm.PNF
C:\WINDOWS\smdat32m.sys

Empty the Recycle Bin.

Reboot back into Normal Mode.

Download CCleaner: http://www.majorgeeks.com/download4191.html
* After installation, go to ISSUES > Scan for Issues (be sure to put a check mark in all boxes) > fix all found corrupted and bad registry entries.
* Go to CLEANER > Run Cleaner.
Close CCleaner.

Reboot once again.

Post a new HijackThis log.

How is your system running?

#21
bondjamesbond (Topic Starter)
Hello kool808, here is the HijackThis log after your requested actions from your last post:

Logfile of HijackThis v1.99.1
Scan saved at 11:09:09 AM, on 8/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\SetPoint\kem.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Tony\Desktop\geeks to go\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rogers.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_20_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: IYBookmarkHO Class - {8B11A219-80C8-4B42-B558-B8C14D1AA8C4} - C:\Program Files\Yahoo!\browser\ybmho.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_20_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Rogers Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: Rogers &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {CF392BE0-B84F-46E9-BDA9-845119819119} (IPAQSelfHelp Class) - http://isupport4.hp....SPEIPAQTool.CAB
O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.172.102...hm::/update.exe
O18 - Protocol: bw+0 - {24D64396-AA8D-477C-9AD4-2BF4D616C394} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

I am still having this dialog box saying "isactiveguard: regopenkeyex failed 2 0" when I boot up my system.

Thanks, BJB
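Comparing the 8/8/2005 and 8/20/2005 HijackThis logs entry by entry confirms which autostart entries the cleanup actually removed. The Python sketch below is an added example, not part of the original thread; the function names are hypothetical, and the two embedded logs are short excerpts copied from the logs posted above.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "code text")

# Entry lines start with a section code (R0, O4, O23, ...) followed by " - ".
# Header lines and the "Running processes" paths do not match and are skipped.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2})\s+-\s+(.+)$")

# Excerpt of the log saved 8/8/2005 (lines copied from the first posted log).
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 10:44:50 PM, on 8/8/2005

Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [rikr] C:\PROGRA~1\COMMON~1\rikr\rikrm.exe
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
"""

# Excerpt of the log saved 8/20/2005 (same sections, copied from the second log).
LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 11:09:09 AM, on 8/20/2005

Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
"""


def parse_entries(log_text):
    """Return the set of (section code, entry text) pairs found in a log."""
    entries = set()
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.add(Entry(match.group(1), match.group(2)))
    return entries


def _sort_key(entry):
    # Order by section letter, then numerically (O2 before O16), then by text.
    return (entry.code[0], int(entry.code[1:]), entry.text)


def diff_logs(before_text, after_text):
    """Classify entries as removed, added or unchanged between two logs."""
    before = parse_entries(before_text)
    after = parse_entries(after_text)
    return {
        "removed": sorted(before - after, key=_sort_key),
        "added": sorted(after - before, key=_sort_key),
        "unchanged": sorted(before & after, key=_sort_key),
    }


def format_diff(diff):
    """Render the diff as '-' / '+' lines, leaving unchanged entries out."""
    lines = ["- {} - {}".format(e.code, e.text) for e in diff["removed"]]
    lines += ["+ {} - {}".format(e.code, e.text) for e in diff["added"]]
    return lines


if __name__ == "__main__":
    for line in format_diff(diff_logs(LOG_BEFORE, LOG_AFTER)):
        print(line)
```

An entry that appears under "added" after a cleanup deserves the same scrutiny as one that refuses to disappear.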

#22
kool808 (Visiting Staff)
Open up NOTEPAD, then copy & paste the following code (starting from @echo off). Save it on the desktop as findme.bat. Choose file type as ALL FILES.

@echo off
regedit /e error.reg HKEY_LOCAL_MACHINE\SOFTWARE\ewido
type error.reg > results.txt
notepad results.txt

Now double-click findme.bat, post the results here.
(NOTE: You can delete this file afterwards.)

#23
bondjamesbond (Topic Starter)
Per your request:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ewido]

[HKEY_LOCAL_MACHINE\SOFTWARE\ewido\config]
"29033DA5"=hex:a9,6f,de,bc,93,e5,9d,f6

[HKEY_LOCAL_MACHINE\SOFTWARE\ewido\config\nmqdcp]
"ryjimw?"=hex:e2,8b,e3,23,59
"ryjimw?"=hex:03,c4,cf

[HKEY_LOCAL_MACHINE\SOFTWARE\ewido\config\pslbyxiiwi]
"e{uh"=hex:79,2e
"e{uhh|tgv"=hex:35
"g}mgu"=hex:35
"z{jxuu,,"=hex:79,2e
"svw{}gmwvx"=hex:0d,7d,ff,0e,aa,00,d1,15,ee,19
"svw{}guwux"=hex:f7,89,e9,23,59

[HKEY_LOCAL_MACHINE\SOFTWARE\ewido\config\pslb{qiuh]
"xwxwz|"=hex:79,2e
"xptixon"=hex:79,2e

[HKEY_LOCAL_MACHINE\SOFTWARE\ewido\config\symdix~]
"tgjxo|oukoi"=hex:fc,89,e1,23,59
"cwxuwhuketil|ltj"=hex:78,2e

#24
kool808 (Visiting Staff)
Are you comfortable editing the registry? We are going to do some editing.
  • START > RUN > regedit
  • locate the HKEY_LOCAL_MACHINE folder
  • expand it by clicking the [+] button
  • locate the SOFTWARE folder
  • expand it by clicking the [+] button
  • now under the SOFTWARE folder, right-click the ewido folder
  • from the right-click selections, please choose Permissions...
  • under the Security tab, please choose SYSTEM
  • You will be able to see 3 choices: Full control, Read, Special Permissions.
  • Uncheck all boxes under the Deny category
  • Check all boxes for Allow category
  • click OK, then close Registry Editor
If there is no error experienced, please post a new hijackthis log.

Edited by kool808, 22 August 2005 - 07:04 AM.


#25
kool808 (Visiting Staff)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.