trojan infection [RESOLVED]
Started by
huynh83
, Aug 09 2005 12:28 PM
-
This topic is locked
#1
Posted 09 August 2005 - 12:28 PM
huynh83
-
- Member
-
- 14 posts
Member
#2
Posted 09 August 2005 - 12:41 PM
tampabelle
-
- Retired Staff
-
- 6,363 posts
Member 5k
Please Click here!, and follow the recommendations in the guide.
If you're still having trouble, We'll need you to use a free diagnostic tool, Hijack This. Follow the instructions in step five of this guide, and reply here with your log.
Most of what Hijack This lists lists will be harmless or even essential, DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.
If you're still having trouble, We'll need you to use a free diagnostic tool, Hijack This. Follow the instructions in step five of this guide, and reply here with your log.
Most of what Hijack This lists lists will be harmless or even essential, DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.
#3
Posted 09 August 2005 - 10:49 PM
huynh83
- Topic Starter
-
- Member
-
- 14 posts
Member
i did the hijackthis scan and this is wut it says.. plz help 
Logfile of HijackThis v1.99.1
Scan saved at 7:24:38 PM, on 8/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\sstray.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\WINDOWS\System32\kernels32.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\ipxcons.exe
C:\program files\valve\steam\steam.exe
C:\winstall.exe
C:\WINDOWS\System32\vxh8jkdq2.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\WINDOWS\System32\vxh8jkdq2.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\leon.huynh\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hawaii.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - (no file)
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\ceres.dll
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: WinStat - {EE02B99B-1D55-48bc-B8DB-649A42CE45F6} - C:\WINDOWS\System32\WinStat12.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [wmplayer] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [hwt2RfM9i] ipxcons.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\vxh8jkdq2.exe
O4 - Startup: winupdate65016909[1].exe
O4 - Startup: winupdate92909492[1].exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c420.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...up1.0.0.8-2.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguar...ion/Install.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123067142531
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SystemSuite Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
Logfile of HijackThis v1.99.1
Scan saved at 7:24:38 PM, on 8/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\sstray.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\WINDOWS\System32\kernels32.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\ipxcons.exe
C:\program files\valve\steam\steam.exe
C:\winstall.exe
C:\WINDOWS\System32\vxh8jkdq2.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\WINDOWS\System32\vxh8jkdq2.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\leon.huynh\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hawaii.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - (no file)
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\ceres.dll
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: WinStat - {EE02B99B-1D55-48bc-B8DB-649A42CE45F6} - C:\WINDOWS\System32\WinStat12.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [wmplayer] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [hwt2RfM9i] ipxcons.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\vxh8jkdq2.exe
O4 - Startup: winupdate65016909[1].exe
O4 - Startup: winupdate92909492[1].exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c420.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...up1.0.0.8-2.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguar...ion/Install.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123067142531
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SystemSuite Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
#4
Posted 10 August 2005 - 10:04 AM
tampabelle
-
- Retired Staff
-
- 6,363 posts
Member 5k
Hi leon,
Please print out these instructions or copy them into a text file on your Desktop for easy access.
During the fix, u will be asked to fix some entries, delete some files or uninstall some programs. If in case, you do not see those entries / files / programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.
1. Download Programs
Please download these programs and save them in a new folder on your desktop -
CleanUp
Ewido Security Suite
Install Ewido, and update the definitions to the newest files. Do NOT run a scan yet.
CWShredder
Update CWShredder
* Open CWShredder and click I AGREE
* Click Check For Update
* Close CWShredder
DSRfix.zip
Restart the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up).
Run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.
Open the folder dsrfix
Run Ewido full scan. Let it fix any items it finds.
3. Run Hijack This
Run Hijack This and click on scan. The following items need to be fixed -
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - (no file)
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\ceres.dll
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll (file missing)
O2 - BHO: WinStat - {EE02B99B-1D55-48bc-B8DB-649A42CE45F6} - C:\WINDOWS\System32\WinStat12.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [hwt2RfM9i] ipxcons.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\vxh8jkdq2.exe
O4 - Startup: winupdate65016909[1].exe
O4 - Startup: winupdate92909492[1].exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c420.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...up1.0.0.8-2.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguar...ion/Install.cab
Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.
4. Delete Rogue files
Open Add or Remove Programs (click on Start ---> Settings ---> Control panel. This should be the 3rd item). Uninstall or remove the following items -
Surf SideKick 3
Media Access
Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following folders and files -
Folders
C:\Program Files\SurfSideKick 3
C:\Program Files\CxtPls
C:\Program Files\Media Access
Files
C:\WINDOWS\ceres.dll
C:\WINDOWS\dsr.dll
C:\WINDOWS\System32\WinStat12.dll
C:\WINDOWS\System32\kernels32.exe
C:\winstall.exe
C:\WINDOWS\System32\vxh8jkdq2.exe
ipxcons.exe
winupdate65016909[1].exe
winupdate92909492[1].exe
(Search for these files using the Windows Search function)
Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch. It will open the folder Prefetch. Delete all the files in that folder. Dont delete the folder, only the files in it !!!!!!!!
Reboot the PC in Normal Mode.
Run Hijack This and post a fresh HJT log along with Ewido scan report.
Please print out these instructions or copy them into a text file on your Desktop for easy access.
During the fix, u will be asked to fix some entries, delete some files or uninstall some programs. If in case, you do not see those entries / files / programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.
1. Download Programs
Please download these programs and save them in a new folder on your desktop -
CleanUp
Ewido Security Suite
Install Ewido, and update the definitions to the newest files. Do NOT run a scan yet.
CWShredder
Update CWShredder
* Open CWShredder and click I AGREE
* Click Check For Update
* Close CWShredder
DSRfix.zip
- Unzip and EXTRACT the files to your Desktop.
- The program creates and names the new folder to house the files.
- DO NOT RUN IT YET
Restart the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up).
Run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.
Open the folder dsrfix
- Double click on the dsrfix batch file( the one with the little gear in it )
- Once dsrfix has completed it will close on its own
Run Ewido full scan. Let it fix any items it finds.
3. Run Hijack This
Run Hijack This and click on scan. The following items need to be fixed -
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - (no file)
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\ceres.dll
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll (file missing)
O2 - BHO: WinStat - {EE02B99B-1D55-48bc-B8DB-649A42CE45F6} - C:\WINDOWS\System32\WinStat12.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [hwt2RfM9i] ipxcons.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\vxh8jkdq2.exe
O4 - Startup: winupdate65016909[1].exe
O4 - Startup: winupdate92909492[1].exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c420.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...up1.0.0.8-2.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguar...ion/Install.cab
Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.
4. Delete Rogue files
Open Add or Remove Programs (click on Start ---> Settings ---> Control panel. This should be the 3rd item). Uninstall or remove the following items -
Surf SideKick 3
Media Access
Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following folders and files -
Folders
C:\Program Files\SurfSideKick 3
C:\Program Files\CxtPls
C:\Program Files\Media Access
Files
C:\WINDOWS\ceres.dll
C:\WINDOWS\dsr.dll
C:\WINDOWS\System32\WinStat12.dll
C:\WINDOWS\System32\kernels32.exe
C:\winstall.exe
C:\WINDOWS\System32\vxh8jkdq2.exe
ipxcons.exe
winupdate65016909[1].exe
winupdate92909492[1].exe
(Search for these files using the Windows Search function)
Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch. It will open the folder Prefetch. Delete all the files in that folder. Dont delete the folder, only the files in it !!!!!!!!
Reboot the PC in Normal Mode.
Run Hijack This and post a fresh HJT log along with Ewido scan report.
#5
Posted 10 August 2005 - 02:22 PM
huynh83
- Topic Starter
-
- Member
-
- 14 posts
Member
i followed all the steps that u had giving me. The screen is still there but the virus pop up ad is gone. here is my hijackthis scan log and the ewido scan result.
thank you
Logfile of HijackThis v1.99.1
Scan saved at 10:18:27 AM, on 8/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\sstray.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\Documents and Settings\leon.huynh\Desktop\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hawaii.edu/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [wmplayer] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - Startup: winupdate65016909[1].exe
O4 - Startup: winupdate92909492[1].exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123067142531
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SystemSuite Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 9:40:22 AM, 8/10/2005
+ Report-Checksum: 979AD214
+ Scan result:
HKLM\SOFTWARE\Classes\AppID\adm.EXE -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\Altnet Signing Module.EXE -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\CeresDll.CeresDllObj -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\CeresDll.CeresDllObj\CLSID -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\CeresDll.CeresDllObj\CurVer -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{00000000-DD60-0064-6EC2-6E0100000000} -> Spyware.MediaMotor : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{00000049-8F91-4D9C-9573-F016E7626484} -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{016235BE-59D4-4CEB-ADD5-E2378282A1D9} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{205FF73B-CA67-11D5-99DD-444553540006} -> Spyware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2C4E6D22-B71F-491F-AAD3-B6972A650D50} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2E246FAE-8420-11D9-870D-000C2917DE7F} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{6E21F428-5617-47F7-AED8-B2E1D8FBA711} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{708BE496-E202-497B-BC31-9CF47E3BF8D6} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{86227D9C-0EFE-4f8a-AA55-30386A3F5686} -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{8B0FA130-0C3D-4CB1-AEB7-2C29DA5509A3} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9527D42F-D666-11D3-B8DD-00600838CD5F} -> Spyware.GhostSurf : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{205FF73A-CA67-11D5-99DD-444553540006} -> Spyware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{234F09FB-FE89-4C6D-9203-31832FC051C3} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{365B9A54-E613-46E5-9DB1-4F91A9DE80BD} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{618BE527-B7F5-417C-BC51-98FDC2D6DE61} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{66C22569-F05C-4A70-A142-763B337E1002} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{7B8BD940-B1EF-460C-85A2-9ACAAF7F9303} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{94984402-B480-45C7-AD2D-84E5EB52CFCD} -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{99AA88D1-D9D3-410A-BE9E-044F94C183DA} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{AA4939C3-DECA-4A48-A454-97CD587C0EF5} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B548B7D8-3D03-4AED-A6A1-4251FAD00C10} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B99A727F-0782-4A71-BCC2-6E1E66414904} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757} -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C380566D-F343-42AB-987B-6B38A1A35747} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{D1951679-1D52-43FC-9585-0737143585F5} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{EEE4A2E5-9F56-432F-A6ED-F6F625B551E0} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{F273D4EA-2025-4410-8408-251A0CD46BE7} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaAccess.Installer -> Spyware.WinAd : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaAccess.Installer\CLSID -> Spyware.WinAd : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaAccess.Installer\CurVer -> Spyware.WinAd : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaAccX.Installer -> Spyware.WinAd : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaAccX.Installer\CLSID -> Spyware.WinAd : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\PynixDll.PynixDllObj -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\PynixDll.PynixDllObj\CLSID -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\PynixDll.PynixDllObj\CurVer -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{205FF72E-CA67-11D5-99DD-444553540006} -> Spyware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904} -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -> Spyware.PopularScreensavers : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{205FF73B-CA67-11D5-99DD-444553540006} -> Spyware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-DD60-0064-6EC2-6E0100000000} -> Spyware.MediaMotor : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000049-8F91-4D9C-9573-F016E7626484} -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{016235BE-59D4-4CEB-ADD5-E2378282A1D9} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2E246FAE-8420-11D9-870D-000C2917DE7F} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9527D42F-D666-11D3-B8DD-00600838CD5F} -> Spyware.GhostSurf : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\STO -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Surf SideKick -> Spyware.SurfSide : Cleaned with backup
HKLM\SOFTWARE\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\PowerScan -> Spyware.PowerScan : Cleaned with backup
HKLM\SOFTWARE\salm -> Spyware.180Solutions : Cleaned with backup
HKU\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Apropos -> Spyware.AproposMedia : Cleaned with backup
HKU\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Apropos\Client -> Spyware.AproposMedia : Cleaned with backup
HKU\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Apropos\Client\Cookies -> Spyware.AproposMedia : Cleaned with backup
HKU\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Ceres -> Spyware.BetterInternet : Cleaned with backup
HKU\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Kazaa\Promotions\Cydoor -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-1614895754-1960408961-839522115-1003\Software\salm -> Spyware.180Solutions : Cleaned with backup
C:\lo-2128764987.exe -> TrojanDownloader.Small.agq : Cleaned with backup
C:\Program Files\Altnet\Download Manager\asmps.dll -> Spyware.Altnet : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\Program Files\CxtPls\CxtPls.dll -> Trojan.Pakes : Cleaned with backup
C:\Program Files\CxtPls\plg0\cxtpls.dll -> Trojan.Pakes : Cleaned with backup
C:\Program Files\CxtPls\pstub0\proxystub.dll -> Trojan.Pakes : Cleaned with backup
C:\Program Files\CxtPls\uninstaller.exe -> Trojan.Pakes : Cleaned with backup
C:\Program Files\CxtPls\__delete_on_reboot__CxtPls.exe -> Trojan.Pakes : Cleaned with backup
C:\Program Files\CxtPls\__delete_on_reboot__proxystub.dll -> Trojan.Pakes : Cleaned with backup
C:\Program Files\INSTAFINK -> Spyware.404Search : Cleaned with backup
C:\Program Files\INSTAFINK\Cache -> Spyware.404Search : Cleaned with backup
C:\Program Files\INSTAFINK\Cache\ErrorLog.txt -> Spyware.404Search : Cleaned with backup
C:\Program Files\INSTAFINK\Cache\instafinktb0302.cfg -> Spyware.404Search : Cleaned with backup
C:\Program Files\INSTAFINK\Cache\NewCfg -> Spyware.404Search : Cleaned with backup
C:\Program Files\INSTAFINK\Uninstall.exe -> Spyware.404Search : Cleaned with backup
C:\Program Files\Media Access\__delete_on_reboot__MediaAccess.exe -> Spyware.WinAD : Cleaned with backup
C:\Program Files\Media Access\__delete_on_reboot__MediaAccK.exe -> Spyware.WinAD : Cleaned with backup
C:\Program Files\SpySheriff -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\found.wav -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\IESecurity.dll -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\notfound.wav -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\ProcMon.dll -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\removed.wav -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\SpySheriff.dvm -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\SpySheriff.exe -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\SpySheriff_1.dat -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\SpySheriff_2.dat -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\Uninstall.exe -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SurfSideKick 3\Ssk.exe -> Spyware.SurfSide : Cleaned with backup
C:\Program Files\SurfSideKick 3\SskBho.dll -> Spyware.SurfSide : Cleaned with backup
C:\Program Files\SurfSideKick 3\SskCore.dll -> Spyware.SurfSide : Cleaned with backup
C:\WINDOWS\autoload.exe -> Not-A-Virus.Tool.Autoloader : Cleaned with backup
C:\WINDOWS\Buddy.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\ceres.dll -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\MediaAccX.dll -> Spyware.WinAD : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\u6f6uftuc_.exe -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\system32\maxd1.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\system32\WinStat11.dll -> Spyware.Winsta : Cleaned with backup
C:\WINDOWS\system32\WinStat12.dll -> Spyware.Winsta : Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__kernels32.exe -> TrojanDownloader.Small.agq : Cleaned with backup
::Report End
here is my hijackthis scan log and the ewido scan result. thank you
Logfile of HijackThis v1.99.1
Scan saved at 10:18:27 AM, on 8/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\sstray.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\Documents and Settings\leon.huynh\Desktop\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hawaii.edu/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [wmplayer] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - Startup: winupdate65016909[1].exe
O4 - Startup: winupdate92909492[1].exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123067142531
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SystemSuite Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 9:40:22 AM, 8/10/2005
+ Report-Checksum: 979AD214
+ Scan result:
HKLM\SOFTWARE\Classes\AppID\adm.EXE -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\Altnet Signing Module.EXE -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\CeresDll.CeresDllObj -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\CeresDll.CeresDllObj\CLSID -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\CeresDll.CeresDllObj\CurVer -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{00000000-DD60-0064-6EC2-6E0100000000} -> Spyware.MediaMotor : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{00000049-8F91-4D9C-9573-F016E7626484} -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{016235BE-59D4-4CEB-ADD5-E2378282A1D9} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{205FF73B-CA67-11D5-99DD-444553540006} -> Spyware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2C4E6D22-B71F-491F-AAD3-B6972A650D50} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2E246FAE-8420-11D9-870D-000C2917DE7F} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{6E21F428-5617-47F7-AED8-B2E1D8FBA711} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{708BE496-E202-497B-BC31-9CF47E3BF8D6} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{86227D9C-0EFE-4f8a-AA55-30386A3F5686} -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{8B0FA130-0C3D-4CB1-AEB7-2C29DA5509A3} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9527D42F-D666-11D3-B8DD-00600838CD5F} -> Spyware.GhostSurf : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{205FF73A-CA67-11D5-99DD-444553540006} -> Spyware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{234F09FB-FE89-4C6D-9203-31832FC051C3} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{365B9A54-E613-46E5-9DB1-4F91A9DE80BD} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{618BE527-B7F5-417C-BC51-98FDC2D6DE61} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{66C22569-F05C-4A70-A142-763B337E1002} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{7B8BD940-B1EF-460C-85A2-9ACAAF7F9303} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{94984402-B480-45C7-AD2D-84E5EB52CFCD} -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{99AA88D1-D9D3-410A-BE9E-044F94C183DA} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{AA4939C3-DECA-4A48-A454-97CD587C0EF5} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B548B7D8-3D03-4AED-A6A1-4251FAD00C10} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B99A727F-0782-4A71-BCC2-6E1E66414904} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757} -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C380566D-F343-42AB-987B-6B38A1A35747} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{D1951679-1D52-43FC-9585-0737143585F5} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{EEE4A2E5-9F56-432F-A6ED-F6F625B551E0} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{F273D4EA-2025-4410-8408-251A0CD46BE7} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaAccess.Installer -> Spyware.WinAd : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaAccess.Installer\CLSID -> Spyware.WinAd : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaAccess.Installer\CurVer -> Spyware.WinAd : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaAccX.Installer -> Spyware.WinAd : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaAccX.Installer\CLSID -> Spyware.WinAd : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\PynixDll.PynixDllObj -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\PynixDll.PynixDllObj\CLSID -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\PynixDll.PynixDllObj\CurVer -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{205FF72E-CA67-11D5-99DD-444553540006} -> Spyware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904} -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -> Spyware.PopularScreensavers : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{205FF73B-CA67-11D5-99DD-444553540006} -> Spyware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-DD60-0064-6EC2-6E0100000000} -> Spyware.MediaMotor : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000049-8F91-4D9C-9573-F016E7626484} -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{016235BE-59D4-4CEB-ADD5-E2378282A1D9} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2E246FAE-8420-11D9-870D-000C2917DE7F} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9527D42F-D666-11D3-B8DD-00600838CD5F} -> Spyware.GhostSurf : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\STO -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Surf SideKick -> Spyware.SurfSide : Cleaned with backup
HKLM\SOFTWARE\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\PowerScan -> Spyware.PowerScan : Cleaned with backup
HKLM\SOFTWARE\salm -> Spyware.180Solutions : Cleaned with backup
HKU\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Apropos -> Spyware.AproposMedia : Cleaned with backup
HKU\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Apropos\Client -> Spyware.AproposMedia : Cleaned with backup
HKU\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Apropos\Client\Cookies -> Spyware.AproposMedia : Cleaned with backup
HKU\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Ceres -> Spyware.BetterInternet : Cleaned with backup
HKU\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Kazaa\Promotions\Cydoor -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-1614895754-1960408961-839522115-1003\Software\salm -> Spyware.180Solutions : Cleaned with backup
C:\lo-2128764987.exe -> TrojanDownloader.Small.agq : Cleaned with backup
C:\Program Files\Altnet\Download Manager\asmps.dll -> Spyware.Altnet : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\Program Files\CxtPls\CxtPls.dll -> Trojan.Pakes : Cleaned with backup
C:\Program Files\CxtPls\plg0\cxtpls.dll -> Trojan.Pakes : Cleaned with backup
C:\Program Files\CxtPls\pstub0\proxystub.dll -> Trojan.Pakes : Cleaned with backup
C:\Program Files\CxtPls\uninstaller.exe -> Trojan.Pakes : Cleaned with backup
C:\Program Files\CxtPls\__delete_on_reboot__CxtPls.exe -> Trojan.Pakes : Cleaned with backup
C:\Program Files\CxtPls\__delete_on_reboot__proxystub.dll -> Trojan.Pakes : Cleaned with backup
C:\Program Files\INSTAFINK -> Spyware.404Search : Cleaned with backup
C:\Program Files\INSTAFINK\Cache -> Spyware.404Search : Cleaned with backup
C:\Program Files\INSTAFINK\Cache\ErrorLog.txt -> Spyware.404Search : Cleaned with backup
C:\Program Files\INSTAFINK\Cache\instafinktb0302.cfg -> Spyware.404Search : Cleaned with backup
C:\Program Files\INSTAFINK\Cache\NewCfg -> Spyware.404Search : Cleaned with backup
C:\Program Files\INSTAFINK\Uninstall.exe -> Spyware.404Search : Cleaned with backup
C:\Program Files\Media Access\__delete_on_reboot__MediaAccess.exe -> Spyware.WinAD : Cleaned with backup
C:\Program Files\Media Access\__delete_on_reboot__MediaAccK.exe -> Spyware.WinAD : Cleaned with backup
C:\Program Files\SpySheriff -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\found.wav -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\IESecurity.dll -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\notfound.wav -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\ProcMon.dll -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\removed.wav -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\SpySheriff.dvm -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\SpySheriff.exe -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\SpySheriff_1.dat -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\SpySheriff_2.dat -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\Uninstall.exe -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SurfSideKick 3\Ssk.exe -> Spyware.SurfSide : Cleaned with backup
C:\Program Files\SurfSideKick 3\SskBho.dll -> Spyware.SurfSide : Cleaned with backup
C:\Program Files\SurfSideKick 3\SskCore.dll -> Spyware.SurfSide : Cleaned with backup
C:\WINDOWS\autoload.exe -> Not-A-Virus.Tool.Autoloader : Cleaned with backup
C:\WINDOWS\Buddy.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\ceres.dll -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\MediaAccX.dll -> Spyware.WinAD : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\u6f6uftuc_.exe -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\system32\maxd1.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\system32\WinStat11.dll -> Spyware.Winsta : Cleaned with backup
C:\WINDOWS\system32\WinStat12.dll -> Spyware.Winsta : Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__kernels32.exe -> TrojanDownloader.Small.agq : Cleaned with backup
::Report End
#6
Posted 10 August 2005 - 02:29 PM
tampabelle
-
- Retired Staff
-
- 6,363 posts
Member 5k
Do you still have the blue screen ????
#7
Posted 10 August 2005 - 05:35 PM
huynh83
- Topic Starter
-
- Member
-
- 14 posts
Member
The blue screen with the warning label "Your computer is INFECTED" is still there. I try changing my desktop but it wouldnt let me. Please help
#8
Posted 10 August 2005 - 07:24 PM
tampabelle
-
- Retired Staff
-
- 6,363 posts
Member 5k
Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.
Place a shortcut to Panda ActiveScan on your desktop.
If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!
Next, please reboot your computer in SafeMode by doing the following:
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
Open Ad-aware and do a full scan. Remove all it finds.
Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.
Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Double click on the file to extract it to it's own folder on the desktop.
Place a shortcut to Panda ActiveScan on your desktop.
If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!
Next, please reboot your computer in SafeMode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
- Instead of Windows loading as normal, a menu should appear
- Select the first option, to run Windows in Safe Mode.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
Open Ad-aware and do a full scan. Remove all it finds.
Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.
Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
#9
Posted 10 August 2005 - 08:18 PM
huynh83
- Topic Starter
-
- Member
-
- 14 posts
Member
Here are my logs for hijackthis and smitfiles and ewido
Logfile of HijackThis v1.99.1
Scan saved at 10:18:27 AM, on 8/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\sstray.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\Documents and Settings\leon.huynh\Desktop\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hawaii.edu/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [wmplayer] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - Startup: winupdate65016909[1].exe
O4 - Startup: winupdate92909492[1].exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123067142531
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SystemSuite Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
smitRem log file
version 2.3
by noahdfear
The current date is: Wed 08/10/2005
The current time is: 16:00:48.46
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pre-run Files Present
~~~ Program Files ~~~
~~~ Shortcuts ~~~
Install.dat
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
desktop.html
~~~ Drive root ~~~
winstall.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Post-run Files Present
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Wininet.dll ~~~
CLEAN!
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 9:40:22 AM, 8/10/2005
+ Report-Checksum: 979AD214
+ Scan result:
HKLM\SOFTWARE\Classes\AppID\adm.EXE -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\Altnet Signing Module.EXE -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\CeresDll.CeresDllObj -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\CeresDll.CeresDllObj\CLSID -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\CeresDll.CeresDllObj\CurVer -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{00000000-DD60-0064-6EC2-6E0100000000} -> Spyware.MediaMotor : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{00000049-8F91-4D9C-9573-F016E7626484} -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{016235BE-59D4-4CEB-ADD5-E2378282A1D9} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{205FF73B-CA67-11D5-99DD-444553540006} -> Spyware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2C4E6D22-B71F-491F-AAD3-B6972A650D50} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2E246FAE-8420-11D9-870D-000C2917DE7F} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{6E21F428-5617-47F7-AED8-B2E1D8FBA711} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{708BE496-E202-497B-BC31-9CF47E3BF8D6} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{86227D9C-0EFE-4f8a-AA55-30386A3F5686} -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{8B0FA130-0C3D-4CB1-AEB7-2C29DA5509A3} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9527D42F-D666-11D3-B8DD-00600838CD5F} -> Spyware.GhostSurf : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{205FF73A-CA67-11D5-99DD-444553540006} -> Spyware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{234F09FB-FE89-4C6D-9203-31832FC051C3} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{365B9A54-E613-46E5-9DB1-4F91A9DE80BD} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{618BE527-B7F5-417C-BC51-98FDC2D6DE61} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{66C22569-F05C-4A70-A142-763B337E1002} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{7B8BD940-B1EF-460C-85A2-9ACAAF7F9303} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{94984402-B480-45C7-AD2D-84E5EB52CFCD} -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{99AA88D1-D9D3-410A-BE9E-044F94C183DA} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{AA4939C3-DECA-4A48-A454-97CD587C0EF5} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B548B7D8-3D03-4AED-A6A1-4251FAD00C10} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B99A727F-0782-4A71-BCC2-6E1E66414904} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757} -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C380566D-F343-42AB-987B-6B38A1A35747} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{D1951679-1D52-43FC-9585-0737143585F5} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{EEE4A2E5-9F56-432F-A6ED-F6F625B551E0} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{F273D4EA-2025-4410-8408-251A0CD46BE7} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaAccess.Installer -> Spyware.WinAd : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaAccess.Installer\CLSID -> Spyware.WinAd : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaAccess.Installer\CurVer -> Spyware.WinAd : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaAccX.Installer -> Spyware.WinAd : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaAccX.Installer\CLSID -> Spyware.WinAd : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\PynixDll.PynixDllObj -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\PynixDll.PynixDllObj\CLSID -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\PynixDll.PynixDllObj\CurVer -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{205FF72E-CA67-11D5-99DD-444553540006} -> Spyware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904} -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -> Spyware.PopularScreensavers : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{205FF73B-CA67-11D5-99DD-444553540006} -> Spyware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-DD60-0064-6EC2-6E0100000000} -> Spyware.MediaMotor : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000049-8F91-4D9C-9573-F016E7626484} -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{016235BE-59D4-4CEB-ADD5-E2378282A1D9} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2E246FAE-8420-11D9-870D-000C2917DE7F} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9527D42F-D666-11D3-B8DD-00600838CD5F} -> Spyware.GhostSurf : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\STO -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Surf SideKick -> Spyware.SurfSide : Cleaned with backup
HKLM\SOFTWARE\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\PowerScan -> Spyware.PowerScan : Cleaned with backup
HKLM\SOFTWARE\salm -> Spyware.180Solutions : Cleaned with backup
HKU\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Apropos -> Spyware.AproposMedia : Cleaned with backup
HKU\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Apropos\Client -> Spyware.AproposMedia : Cleaned with backup
HKU\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Apropos\Client\Cookies -> Spyware.AproposMedia : Cleaned with backup
HKU\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Ceres -> Spyware.BetterInternet : Cleaned with backup
HKU\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Kazaa\Promotions\Cydoor -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-1614895754-1960408961-839522115-1003\Software\salm -> Spyware.180Solutions : Cleaned with backup
C:\lo-2128764987.exe -> TrojanDownloader.Small.agq : Cleaned with backup
C:\Program Files\Altnet\Download Manager\asmps.dll -> Spyware.Altnet : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\Program Files\CxtPls\CxtPls.dll -> Trojan.Pakes : Cleaned with backup
C:\Program Files\CxtPls\plg0\cxtpls.dll -> Trojan.Pakes : Cleaned with backup
C:\Program Files\CxtPls\pstub0\proxystub.dll -> Trojan.Pakes : Cleaned with backup
C:\Program Files\CxtPls\uninstaller.exe -> Trojan.Pakes : Cleaned with backup
C:\Program Files\CxtPls\__delete_on_reboot__CxtPls.exe -> Trojan.Pakes : Cleaned with backup
C:\Program Files\CxtPls\__delete_on_reboot__proxystub.dll -> Trojan.Pakes : Cleaned with backup
C:\Program Files\INSTAFINK -> Spyware.404Search : Cleaned with backup
C:\Program Files\INSTAFINK\Cache -> Spyware.404Search : Cleaned with backup
C:\Program Files\INSTAFINK\Cache\ErrorLog.txt -> Spyware.404Search : Cleaned with backup
C:\Program Files\INSTAFINK\Cache\instafinktb0302.cfg -> Spyware.404Search : Cleaned with backup
C:\Program Files\INSTAFINK\Cache\NewCfg -> Spyware.404Search : Cleaned with backup
C:\Program Files\INSTAFINK\Uninstall.exe -> Spyware.404Search : Cleaned with backup
C:\Program Files\Media Access\__delete_on_reboot__MediaAccess.exe -> Spyware.WinAD : Cleaned with backup
C:\Program Files\Media Access\__delete_on_reboot__MediaAccK.exe -> Spyware.WinAD : Cleaned with backup
C:\Program Files\SpySheriff -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\found.wav -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\IESecurity.dll -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\notfound.wav -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\ProcMon.dll -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\removed.wav -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\SpySheriff.dvm -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\SpySheriff.exe -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\SpySheriff_1.dat -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\SpySheriff_2.dat -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\Uninstall.exe -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SurfSideKick 3\Ssk.exe -> Spyware.SurfSide : Cleaned with backup
C:\Program Files\SurfSideKick 3\SskBho.dll -> Spyware.SurfSide : Cleaned with backup
C:\Program Files\SurfSideKick 3\SskCore.dll -> Spyware.SurfSide : Cleaned with backup
C:\WINDOWS\autoload.exe -> Not-A-Virus.Tool.Autoloader : Cleaned with backup
C:\WINDOWS\Buddy.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\ceres.dll -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\MediaAccX.dll -> Spyware.WinAD : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\u6f6uftuc_.exe -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\system32\maxd1.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\system32\WinStat11.dll -> Spyware.Winsta : Cleaned with backup
C:\WINDOWS\system32\WinStat12.dll -> Spyware.Winsta : Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__kernels32.exe -> TrojanDownloader.Small.agq : Cleaned with backup
::Report End
Logfile of HijackThis v1.99.1
Scan saved at 10:18:27 AM, on 8/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\sstray.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\Documents and Settings\leon.huynh\Desktop\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hawaii.edu/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [wmplayer] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - Startup: winupdate65016909[1].exe
O4 - Startup: winupdate92909492[1].exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123067142531
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SystemSuite Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
smitRem log file
version 2.3
by noahdfear
The current date is: Wed 08/10/2005
The current time is: 16:00:48.46
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pre-run Files Present
~~~ Program Files ~~~
~~~ Shortcuts ~~~
Install.dat
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
desktop.html
~~~ Drive root ~~~
winstall.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Post-run Files Present
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Wininet.dll ~~~
CLEAN!
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 9:40:22 AM, 8/10/2005
+ Report-Checksum: 979AD214
+ Scan result:
HKLM\SOFTWARE\Classes\AppID\adm.EXE -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\Altnet Signing Module.EXE -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\CeresDll.CeresDllObj -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\CeresDll.CeresDllObj\CLSID -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\CeresDll.CeresDllObj\CurVer -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{00000000-DD60-0064-6EC2-6E0100000000} -> Spyware.MediaMotor : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{00000049-8F91-4D9C-9573-F016E7626484} -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{016235BE-59D4-4CEB-ADD5-E2378282A1D9} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{205FF73B-CA67-11D5-99DD-444553540006} -> Spyware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2C4E6D22-B71F-491F-AAD3-B6972A650D50} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2E246FAE-8420-11D9-870D-000C2917DE7F} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{6E21F428-5617-47F7-AED8-B2E1D8FBA711} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{708BE496-E202-497B-BC31-9CF47E3BF8D6} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{86227D9C-0EFE-4f8a-AA55-30386A3F5686} -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{8B0FA130-0C3D-4CB1-AEB7-2C29DA5509A3} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9527D42F-D666-11D3-B8DD-00600838CD5F} -> Spyware.GhostSurf : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{205FF73A-CA67-11D5-99DD-444553540006} -> Spyware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{234F09FB-FE89-4C6D-9203-31832FC051C3} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{365B9A54-E613-46E5-9DB1-4F91A9DE80BD} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{618BE527-B7F5-417C-BC51-98FDC2D6DE61} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{66C22569-F05C-4A70-A142-763B337E1002} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{7B8BD940-B1EF-460C-85A2-9ACAAF7F9303} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{94984402-B480-45C7-AD2D-84E5EB52CFCD} -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{99AA88D1-D9D3-410A-BE9E-044F94C183DA} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{AA4939C3-DECA-4A48-A454-97CD587C0EF5} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B548B7D8-3D03-4AED-A6A1-4251FAD00C10} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B99A727F-0782-4A71-BCC2-6E1E66414904} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757} -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C380566D-F343-42AB-987B-6B38A1A35747} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{D1951679-1D52-43FC-9585-0737143585F5} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{EEE4A2E5-9F56-432F-A6ED-F6F625B551E0} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{F273D4EA-2025-4410-8408-251A0CD46BE7} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaAccess.Installer -> Spyware.WinAd : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaAccess.Installer\CLSID -> Spyware.WinAd : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaAccess.Installer\CurVer -> Spyware.WinAd : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaAccX.Installer -> Spyware.WinAd : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaAccX.Installer\CLSID -> Spyware.WinAd : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\PynixDll.PynixDllObj -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\PynixDll.PynixDllObj\CLSID -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\PynixDll.PynixDllObj\CurVer -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{205FF72E-CA67-11D5-99DD-444553540006} -> Spyware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904} -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -> Spyware.PopularScreensavers : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{205FF73B-CA67-11D5-99DD-444553540006} -> Spyware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-DD60-0064-6EC2-6E0100000000} -> Spyware.MediaMotor : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000049-8F91-4D9C-9573-F016E7626484} -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{016235BE-59D4-4CEB-ADD5-E2378282A1D9} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2E246FAE-8420-11D9-870D-000C2917DE7F} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9527D42F-D666-11D3-B8DD-00600838CD5F} -> Spyware.GhostSurf : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\STO -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Surf SideKick -> Spyware.SurfSide : Cleaned with backup
HKLM\SOFTWARE\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\PowerScan -> Spyware.PowerScan : Cleaned with backup
HKLM\SOFTWARE\salm -> Spyware.180Solutions : Cleaned with backup
HKU\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Apropos -> Spyware.AproposMedia : Cleaned with backup
HKU\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Apropos\Client -> Spyware.AproposMedia : Cleaned with backup
HKU\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Apropos\Client\Cookies -> Spyware.AproposMedia : Cleaned with backup
HKU\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Ceres -> Spyware.BetterInternet : Cleaned with backup
HKU\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Kazaa\Promotions\Cydoor -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-1614895754-1960408961-839522115-1003\Software\salm -> Spyware.180Solutions : Cleaned with backup
C:\lo-2128764987.exe -> TrojanDownloader.Small.agq : Cleaned with backup
C:\Program Files\Altnet\Download Manager\asmps.dll -> Spyware.Altnet : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\Program Files\CxtPls\CxtPls.dll -> Trojan.Pakes : Cleaned with backup
C:\Program Files\CxtPls\plg0\cxtpls.dll -> Trojan.Pakes : Cleaned with backup
C:\Program Files\CxtPls\pstub0\proxystub.dll -> Trojan.Pakes : Cleaned with backup
C:\Program Files\CxtPls\uninstaller.exe -> Trojan.Pakes : Cleaned with backup
C:\Program Files\CxtPls\__delete_on_reboot__CxtPls.exe -> Trojan.Pakes : Cleaned with backup
C:\Program Files\CxtPls\__delete_on_reboot__proxystub.dll -> Trojan.Pakes : Cleaned with backup
C:\Program Files\INSTAFINK -> Spyware.404Search : Cleaned with backup
C:\Program Files\INSTAFINK\Cache -> Spyware.404Search : Cleaned with backup
C:\Program Files\INSTAFINK\Cache\ErrorLog.txt -> Spyware.404Search : Cleaned with backup
C:\Program Files\INSTAFINK\Cache\instafinktb0302.cfg -> Spyware.404Search : Cleaned with backup
C:\Program Files\INSTAFINK\Cache\NewCfg -> Spyware.404Search : Cleaned with backup
C:\Program Files\INSTAFINK\Uninstall.exe -> Spyware.404Search : Cleaned with backup
C:\Program Files\Media Access\__delete_on_reboot__MediaAccess.exe -> Spyware.WinAD : Cleaned with backup
C:\Program Files\Media Access\__delete_on_reboot__MediaAccK.exe -> Spyware.WinAD : Cleaned with backup
C:\Program Files\SpySheriff -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\found.wav -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\IESecurity.dll -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\notfound.wav -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\ProcMon.dll -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\removed.wav -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\SpySheriff.dvm -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\SpySheriff.exe -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\SpySheriff_1.dat -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\SpySheriff_2.dat -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\Uninstall.exe -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SurfSideKick 3\Ssk.exe -> Spyware.SurfSide : Cleaned with backup
C:\Program Files\SurfSideKick 3\SskBho.dll -> Spyware.SurfSide : Cleaned with backup
C:\Program Files\SurfSideKick 3\SskCore.dll -> Spyware.SurfSide : Cleaned with backup
C:\WINDOWS\autoload.exe -> Not-A-Virus.Tool.Autoloader : Cleaned with backup
C:\WINDOWS\Buddy.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\ceres.dll -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\MediaAccX.dll -> Spyware.WinAD : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\u6f6uftuc_.exe -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\system32\maxd1.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\system32\WinStat11.dll -> Spyware.Winsta : Cleaned with backup
C:\WINDOWS\system32\WinStat12.dll -> Spyware.Winsta : Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__kernels32.exe -> TrojanDownloader.Small.agq : Cleaned with backup
::Report End
#10
Posted 10 August 2005 - 08:20 PM
huynh83
- Topic Starter
-
- Member
-
- 14 posts
Member
Well that fix my blue screen problem thx a lot. jus a couple question i like to ask 1. Im using systems suite antivirus protection, is that good? 2. Can i delete all the stuff that i've downloaded and saved to fix this problem. 3. What is a good free anti virus program out there that would prevent this kind of problem from happening again? thanks you
jus a couple question i like to ask 1. Im using systems suite antivirus protection, is that good? 2. Can i delete all the stuff that i've downloaded and saved to fix this problem. 3. What is a good free anti virus program out there that would prevent this kind of problem from happening again? thanks you
#11
Posted 11 August 2005 - 09:06 AM
tampabelle
-
- Retired Staff
-
- 6,363 posts
Member 5k
Copy the following in a new text file in Notepad and save it as fix.reg (make sure the Save as Type is set to All Files) -
Double click on fix.reg and merge it with your Registry.
Reboot the PC in Safe Mode.
Open Add or Remove Programs (click on Start ---> Settings ---> Control panel. This should be the 3rd item). Uninstall or remove the following items -
AWS
Weatherbug
Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following folders and files -
Folders
C:\Program Files\Altnet
C:\Program Files\AWS
C:\Program Files\CxtPls
C:\Program Files\INSTAFINK
C:\Program Files\Media Access
C:\Program Files\SpySheriff
C:\Program Files\SurfSideKick 3
Files
C:\lo-2128764987.exe
C:\WINDOWS\autoload.exe
C:\WINDOWS\Buddy.exe
C:\WINDOWS\ceres.dll
C:\WINDOWS\Downloaded Program Files\MediaAccX.dll
C:\WINDOWS\Downloaded Program Files\u6f6uftuc_.exe
C:\WINDOWS\system32\maxd1.exe
C:\WINDOWS\system32\WinStat11.dll
C:\WINDOWS\system32\WinStat12.dll
C:\WINDOWS\system32\__delete_on_reboot__kernels32.exe
Reboot the PC in Normal Mode and let me know how it goes.
I will then tell you about the preventive measure that you should be taking to keep your PC clean.
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\adm.EXE]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\Altnet Signing Module.EXE]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CeresDll.CeresDllObj]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CeresDll.CeresDllObj\CLSID]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CeresDll.CeresDllObj\CurVer]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-DD60-0064-6EC2-6E0100000000}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000049-8F91-4D9C-9573-F016E7626484}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{016235BE-59D4-4CEB-ADD5-E2378282A1D9}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{205FF73B-CA67-11D5-99DD-444553540006}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C4E6D22-B71F-491F-AAD3-B6972A650D50}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2E246FAE-8420-11D9-870D-000C2917DE7F}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6E21F428-5617-47F7-AED8-B2E1D8FBA711}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{708BE496-E202-497B-BC31-9CF47E3BF8D6}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{86227D9C-0EFE-4f8a-AA55-30386A3F5686}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8B0FA130-0C3D-4CB1-AEB7-2C29DA5509A3}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9527D42F-D666-11D3-B8DD-00600838CD5F}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{205FF73A-CA67-11D5-99DD-444553540006}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{234F09FB-FE89-4C6D-9203-31832FC051C3}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{365B9A54-E613-46E5-9DB1-4F91A9DE80BD}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{618BE527-B7F5-417C-BC51-98FDC2D6DE61}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{66C22569-F05C-4A70-A142-763B337E1002}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7B8BD940-B1EF-460C-85A2-9ACAAF7F9303}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{94984402-B480-45C7-AD2D-84E5EB52CFCD}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{99AA88D1-D9D3-410A-BE9E-044F94C183DA}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AA4939C3-DECA-4A48-A454-97CD587C0EF5}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B548B7D8-3D03-4AED-A6A1-4251FAD00C10}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B99A727F-0782-4A71-BCC2-6E1E66414904}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C380566D-F343-42AB-987B-6B38A1A35747}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D1951679-1D52-43FC-9585-0737143585F5}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EEE4A2E5-9F56-432F-A6ED-F6F625B551E0}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F273D4EA-2025-4410-8408-251A0CD46BE7}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaAccess.Installer]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaAccess.Installer\CLSID]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaAccess.Installer\CurVer]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaAccX.Installer]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaAccX.Installer\CLSID]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PynixDll.PynixDllObj]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PynixDll.PynixDllObj\CLSID -> Spyware.BetterInternet : Cleaned with backup]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PynixDll.PynixDllObj\CurVer]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{205FF72E-CA67-11D5-99DD-444553540006}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{205FF73B-CA67-11D5-99DD-444553540006}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-DD60-0064-6EC2-6E0100000000}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000049-8F91-4D9C-9573-F016E7626484}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{016235BE-59D4-4CEB-ADD5-E2378282A1D9}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2E246FAE-8420-11D9-870D-000C2917DE7F}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9527D42F-D666-11D3-B8DD-00600838CD5F}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\STO]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Surf SideKick]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Avenue Media]
[-HKEY_LOCAL_MACHINE\SOFTWARE\PowerScan]
[-HKEY_LOCAL_MACHINE\SOFTWARE\salm]
[-HKEY_USERS\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Apropos]
[-HKEY_USERS\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Apropos\Client]
[-HKEY_USERS\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Apropos\Client\Cookies]
[-HKEY_USERS\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Ceres]
[-HKEY_USERS\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Kazaa\Promotions\Cydoor]
[-HKEY_USERS\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329]
[-HKEY_USERS\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4]
[-HKEY_USERS\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt]
[-HKEY_USERS\S-1-5-21-1614895754-1960408961-839522115-1003\Software\Policies\Avenue Media]
[-HKEY_USERS\S-1-5-21-1614895754-1960408961-839522115-1003\Software\salm]
Double click on fix.reg and merge it with your Registry.
Reboot the PC in Safe Mode.
Open Add or Remove Programs (click on Start ---> Settings ---> Control panel. This should be the 3rd item). Uninstall or remove the following items -
AWS
Weatherbug
Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following folders and files -
Folders
C:\Program Files\Altnet
C:\Program Files\AWS
C:\Program Files\CxtPls
C:\Program Files\INSTAFINK
C:\Program Files\Media Access
C:\Program Files\SpySheriff
C:\Program Files\SurfSideKick 3
Files
C:\lo-2128764987.exe
C:\WINDOWS\autoload.exe
C:\WINDOWS\Buddy.exe
C:\WINDOWS\ceres.dll
C:\WINDOWS\Downloaded Program Files\MediaAccX.dll
C:\WINDOWS\Downloaded Program Files\u6f6uftuc_.exe
C:\WINDOWS\system32\maxd1.exe
C:\WINDOWS\system32\WinStat11.dll
C:\WINDOWS\system32\WinStat12.dll
C:\WINDOWS\system32\__delete_on_reboot__kernels32.exe
Reboot the PC in Normal Mode and let me know how it goes.
I will then tell you about the preventive measure that you should be taking to keep your PC clean.
Edited by tampabelle, 11 August 2005 - 09:07 AM.
#12
Posted 11 August 2005 - 12:53 PM
huynh83
- Topic Starter
-
- Member
-
- 14 posts
Member
I did that, everything seems to be good. thanks alot
thanks alot
#13
Posted 11 August 2005 - 12:56 PM
tampabelle
-
- Retired Staff
-
- 6,363 posts
Member 5k
Can you post a fresh HJT log please ??
#14
Posted 11 August 2005 - 01:37 PM
huynh83
- Topic Starter
-
- Member
-
- 14 posts
Member
Logfile of HijackThis v1.99.1
Scan saved at 9:37:21 AM, on 8/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\sstray.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\hix\mirc.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\leon.huynh\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hawaii.edu/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [wmplayer] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - Startup: winupdate65016909[1].exe
O4 - Startup: winupdate92909492[1].exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123067142531
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SystemSuite Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
Scan saved at 9:37:21 AM, on 8/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\sstray.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\hix\mirc.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\leon.huynh\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hawaii.edu/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [wmplayer] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - Startup: winupdate65016909[1].exe
O4 - Startup: winupdate92909492[1].exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123067142531
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SystemSuite Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
#15
Posted 11 August 2005 - 05:48 PM
tampabelle
-
- Retired Staff
-
- 6,363 posts
Member 5k
Hi,
We need to fix these two items -
Run Hijack This and click on scan. The following items need to be fixed -
O4 - Startup: winupdate65016909[1].exe
O4 - Startup: winupdate92909492[1].exe
Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.
Reboot the PC in Safe Mode.
Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following files -
Files
winupdate65016909[1].exe
winupdate92909492[1].exe
Reboot the PC in Normal Mode and post a fresh HJT log
We need to fix these two items -
Run Hijack This and click on scan. The following items need to be fixed -
O4 - Startup: winupdate65016909[1].exe
O4 - Startup: winupdate92909492[1].exe
Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.
Reboot the PC in Safe Mode.
Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following files -
Files
winupdate65016909[1].exe
winupdate92909492[1].exe
Reboot the PC in Normal Mode and post a fresh HJT log
Edited by tampabelle, 11 August 2005 - 05:48 PM.
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
As Featured On:
Sign In
Create Account
