Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

psguard problem - hijackthis log

Started by rstr44 , Aug 11 2005 07:35 PM

  • Please log in to reply

#1
rstr44
Posted 11 August 2005 - 07:35 PM

rstr44

    New Member

  • Member
  • Pip
  • 8 posts
Hi - I have PSGuard on my computer, and I can't seem to get rid of it. I've gone through all the steps described in "before you post a hijack this log," and after doing all that, I ran Hijack this. My hijack this log is posted below.

Adaware and Spybot continue to detect PSGuard, after I've repeatedly tried to delete it using uninstall, and using Adaware and then Spybot, and rebooting each time. I also ran Panda Activescan, and it found several other adware/spyware programs and dialers. I've posted the Panda log after the Hijack this log. I ran Panda (and the other steps in your "before you post" list) before doing a Hijackthis scan.

Thanks for any help you can give for getting rid of PSGuard and any other malware you see here.

Rstr44

--------------------------------

HIJACK THIS LOG:

Logfile of HijackThis v1.99.1
Scan saved at 6:28:47 PM, on 8/11/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\THOTKEY.EXE
C:\PROGRAM FILES\SOPHOS\REMOTE UPDATE\CACHEMGR.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\TEMP\ICSUPP95.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\ALISNDMG.EXE
C:\WINDOWS\SYSTEM\TPWRTRAY.EXE
C:\WINDOWS\SYSTEM\TFNCKY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\UCLA STC\STCPE\STCPE.EXE
C:\PROGRAM FILES\SOPHOS SWEEP\ICMON.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\INTELL32.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\TOSHIBA\NETDEVSW\NETDEVSW.EXE
C:\PROGRAM FILES\MICROSOFT REFERENCE\BIBLIOROM LAROUSSE 2.0\QSHLF2F.EXE
C:\PROGRAM FILES\SPACE INTERNATIONAL\CDSPACE 5\LCDPLYER.EXE
C:\PROGRAM FILES\SOPHOS\REMOTE UPDATE\IMONITOR.EXE
C:\PROGRAM FILES\SPACE INTERNATIONAL\CDSPACE 5\CDSLICENSEMNG.EXE
C:\PROGRAM FILES\UCLA STC\STCPE\STCSCAN.EXE
C:\PROGRAM FILES\SOPHOS SWEEP\SWEEP95.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bol.ucla.edu/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] irmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ALiSndMgr] ALiSndMg.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [STCPE] "C:\Program Files\UCLA STC\STCPE\STCPE.exe"
O4 - HKLM\..\Run: [InterCheckMonitor] "C:\PROGRAM FILES\SOPHOS SWEEP\ICMON.EXE" -minimised
O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [vmtuner] gglib.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [THotkey] C:\WINDOWS\SYSTEM\THotkey.exe
O4 - HKLM\..\RunServices: [CacheMgr] C:\PROGRAM FILES\SOPHOS\REMOTE UPDATE\CACHEMGR.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [Sweep95] C:\Program Files\Sophos SWEEP\ICLOAD95.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Network Device Switch.lnk = C:\Program Files\TOSHIBA\NetDevSW\NetDevSW.exe
O4 - Startup: QuickShelf Fr.lnk = C:\Program Files\Microsoft Reference\Bibliorom Larousse 2.0\QShlf2f.exe
O4 - Startup: LCDPlayer.lnk = C:\Program Files\SPACE INTERNATIONAL\CDSpace 5\LCDPlyer.exe
O4 - Startup: STCPE.lnk = C:\Program Files\UCLA STC\STCPE\stcpe.exe
O4 - Startup: Remote Update Monitor.lnk = C:\Program Files\Sophos\Remote Update\imonitor.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .php: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {7935ACFD-5007-4C61-B603-3FEA6097871C} (stcpeX.stcpeocx) - http://phi.resnet.uc...Reg2/stcpeX.CAB
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - http://phi.resnet.uc...E6SP1/setup.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab



----------------------------------------------
PANDA ACTIVE SCAN LOG:


Incident Status Location

Virus:Trj/Clicker.AH Disinfected C:\_RESTORE\TEMP\A0080620.CPY
Virus:W32/Smitfraud.E Disinfected C:\_RESTORE\TEMP\WININET.2
Virus:W32/Smitfraud.E No disinfected C:\_RESTORE\ARCHIVE\FS274.CAB[A0079560.CPY]
Virus:W32/Smitfraud.E No disinfected C:\_RESTORE\ARCHIVE\FS268.CAB[W0119241.CPY]
Virus:W32/Smitfraud.E No disinfected C:\_RESTORE\ARCHIVE\FS277.CAB[W0119918.CPY]
Virus:Trj/Clicker.AH No disinfected C:\_RESTORE\ARCHIVE\FS265.CAB[A0078352.CPY]
Virus:Trj/Clicker.AH No disinfected C:\_RESTORE\ARCHIVE\FS271.CAB[A0079441.CPY]
Virus:W32/Smitfraud.E Disinfected C:\WINDOWS\SYSTEM\sfp\archive\WININET.DLL
Adware:adware/portalscan No disinfected C:\WINDOWS\SYSTEM\winupdt.bin
Adware:adware/ncase No disinfected C:\WINDOWS\SYSTEM\saieau.dat
Virus:Trj/Clicker.AH Disinfected C:\WINDOWS\SYSTEM\gglib.exe
Virus:W32/Smitfraud.E Disinfected C:\WINDOWS\SYSTEM\WININET.DLL
Adware:adware/psguard No disinfected C:\WINDOWS\SYSTEM\intell32.exe
Dialer:Dialer.BFH No disinfected C:\WINDOWS\TEMP\msldf.exe
Adware:Adware/AlwaysupdatednewsNo disinfected C:\WINDOWS\TEMP\toc_0033.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\TEMP\randreco.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\TEMP\suicidetb.exe
Adware:Adware/Pacimedia No disinfected C:\WINDOWS\TEMP\ptf_0004.exe
Virus:Trj/Clicker.AH Disinfected C:\WINDOWS\TEMP\pav50C5.TMP
Virus:W32/Smitfraud.E No disinfected C:\WINDOWS\TEMP\pav22B3.TMP[A0079560.CPY]
Virus:W32/Smitfraud.E No disinfected C:\WINDOWS\TEMP\pav3017.TMP[W0119241.CPY]
Virus:W32/Smitfraud.E No disinfected C:\WINDOWS\TEMP\pav3095.TMP[W0119918.CPY]
Virus:Trj/Clicker.AH No disinfected C:\WINDOWS\TEMP\pav31A0.TMP[A0078352.CPY]
Virus:Trj/Clicker.AH No disinfected C:\WINDOWS\TEMP\pav3217.TMP[A0079441.CPY]
Virus:Trj/Clicker.AH Disinfected C:\WINDOWS\TEMP\pavB060.TMP
Spyware:spyware/surfsidekick No disinfected C:\WINDOWS\Application Data\Sskknwrd.dll
Dialer:Dialer.NO No disinfected C:\WINDOWS\Downloaded Program Files\gdnUS2044.exe
  • 0

Advertisements

#2
don77
Posted 16 August 2005 - 05:48 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi rstr44 and welcome
Sorry for the delay in response,

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.



If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Next,
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log by using Add Reply.
Let us know if any problems persist.

Edited by don77, 16 August 2005 - 06:13 PM.

  • 0

#3
rstr44
Posted 16 August 2005 - 06:03 PM

rstr44

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
The computer the problem is on has Windows ME - Ewido says it's only for 2000 and XP? Can I install it with ME?
  • 0

#4
don77
Posted 16 August 2005 - 06:15 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Sorry about that, I modified the previous instructions :tazz:

No Ewido wont run on ME, My bad
  • 0

#5
rstr44
Posted 16 August 2005 - 10:00 PM

rstr44

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
I've followed all your instructions. Thanks a lot for your help.
Incidentally, I didn't see a checkbox for "autoclean" in Panda Activescan, and this version of Windows doesn't seem to have the options for " Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" "

Here are the logfiles:

SMITREM:


smitRem log file
version 2.3

by noahdfear


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~

PSGuard spyware remover.lnk
quick launch PSGuard spyware remover.lnk


~~~ Favorites ~~~



~~~ system folder ~~~


intell32.exe
oleext.dll


~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~~ wininet.dll ~~~~

wininet.dll Present!!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~

PSGuard spyware remover.lnk
quick launch PSGuard spyware remover.lnk


~~~ Favorites ~~~



~~~ system folder ~~~


oleext.dll


~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~~ wininet.dll ~~~~

wininet.dll Clean!! :tazz:



---------------------------------
PANDA ACTIVESCAN



Incident Status Location

Virus:Trj/Clicker.AH Disinfected C:\_RESTORE\TEMP\A0080620.CPY
Virus:W32/Smitfraud.E Disinfected C:\_RESTORE\TEMP\WININET.2
Virus:Trj/Clicker.AH Disinfected C:\_RESTORE\TEMP\A0085122.CPY
Virus:W32/Smitfraud.E Disinfected C:\_RESTORE\TEMP\WININET.4
Virus:W32/Smitfraud.E No disinfected C:\_RESTORE\ARCHIVE\FS274.CAB[A0079560.CPY]
Virus:W32/Smitfraud.E No disinfected C:\_RESTORE\ARCHIVE\FS268.CAB[W0119241.CPY]
Virus:W32/Smitfraud.E No disinfected C:\_RESTORE\ARCHIVE\FS277.CAB[W0119918.CPY]
Virus:Trj/Clicker.AH No disinfected C:\_RESTORE\ARCHIVE\FS265.CAB[A0078352.CPY]
Virus:Trj/Clicker.AH No disinfected C:\_RESTORE\ARCHIVE\FS271.CAB[A0079441.CPY]
Adware:adware/portalscan No disinfected C:\WINDOWS\SYSTEM\winupdt.bin
Adware:adware/ncase No disinfected C:\WINDOWS\SYSTEM\saieau.dat
Virus:Trj/Clicker.AH Disinfected C:\WINDOWS\TEMP\pav4161.TMP
Virus:Trj/Clicker.AH Disinfected C:\WINDOWS\TEMP\pav7150.TMP
Virus:W32/Smitfraud.E No disinfected C:\WINDOWS\TEMP\pav5035.TMP[A0079560.CPY]
Virus:W32/Smitfraud.E No disinfected C:\WINDOWS\TEMP\pav5128.TMP[W0119241.CPY]
Virus:W32/Smitfraud.E No disinfected C:\WINDOWS\TEMP\pav5193.TMP[W0119918.CPY]
Virus:Trj/Clicker.AH No disinfected C:\WINDOWS\TEMP\pav5294.TMP[A0078352.CPY]
Virus:Trj/Clicker.AH No disinfected C:\WINDOWS\TEMP\pav5303.TMP[A0079441.CPY]
Spyware:spyware/surfsidekick No disinfected C:\WINDOWS\Application Data\Sskknwrd.dll
Dialer:Dialer.NO No disinfected C:\WINDOWS\Downloaded Program Files\gdnUS2044.exe
----------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:57:24 PM, on 8/16/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\THOTKEY.EXE
C:\PROGRAM FILES\SOPHOS\REMOTE UPDATE\CACHEMGR.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\TEMP\ICSUPP95.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\ALISNDMG.EXE
C:\WINDOWS\SYSTEM\TPWRTRAY.EXE
C:\WINDOWS\SYSTEM\TFNCKY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\UCLA STC\STCPE\STCPE.EXE
C:\PROGRAM FILES\SOPHOS SWEEP\ICMON.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\TOSHIBA\NETDEVSW\NETDEVSW.EXE
C:\PROGRAM FILES\MICROSOFT REFERENCE\BIBLIOROM LAROUSSE 2.0\QSHLF2F.EXE
C:\PROGRAM FILES\SPACE INTERNATIONAL\CDSPACE 5\LCDPLYER.EXE
C:\PROGRAM FILES\SOPHOS\REMOTE UPDATE\IMONITOR.EXE
C:\PROGRAM FILES\SPACE INTERNATIONAL\CDSPACE 5\CDSLICENSEMNG.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bol.ucla.edu/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] irmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ALiSndMgr] ALiSndMg.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [STCPE] "C:\Program Files\UCLA STC\STCPE\STCPE.exe"
O4 - HKLM\..\Run: [InterCheckMonitor] "C:\PROGRAM FILES\SOPHOS SWEEP\ICMON.EXE" -minimised
O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [vmtuner] gglib.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [THotkey] C:\WINDOWS\SYSTEM\THotkey.exe
O4 - HKLM\..\RunServices: [CacheMgr] C:\PROGRAM FILES\SOPHOS\REMOTE UPDATE\CACHEMGR.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [Sweep95] C:\Program Files\Sophos SWEEP\ICLOAD95.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Network Device Switch.lnk = C:\Program Files\TOSHIBA\NetDevSW\NetDevSW.exe
O4 - Startup: QuickShelf Fr.lnk = C:\Program Files\Microsoft Reference\Bibliorom Larousse 2.0\QShlf2f.exe
O4 - Startup: LCDPlayer.lnk = C:\Program Files\SPACE INTERNATIONAL\CDSpace 5\LCDPlyer.exe
O4 - Startup: STCPE.lnk = C:\Program Files\UCLA STC\STCPE\stcpe.exe
O4 - Startup: Remote Update Monitor.lnk = C:\Program Files\Sophos\Remote Update\imonitor.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .php: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {7935ACFD-5007-4C61-B603-3FEA6097871C} (stcpeX.stcpeocx) - http://phi.resnet.uc...Reg2/stcpeX.CAB
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - http://phi.resnet.uc...E6SP1/setup.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
  • 0

#6
don77
Posted 17 August 2005 - 05:23 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Lets see if we can get this wrapped up for you,

Please restart HJT put a check next to the following, close all open windows and click “Fix Checked”
O4 - HKLM\..\Run: [vmtuner] gglib.exe


Close out HJT please,

Next

*Please open notepad and save these instructions, Name it something you will remember
*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\SYSTEM\winupdt.bin 
C:\WINDOWS\SYSTEM\saieau.dat 
C:\WINDOWS\TEMP\pav5035.TMP
C:\WINDOWS\TEMP\pav5128.TMP
C:\WINDOWS\TEMP\pav5193.TMP
C:\WINDOWS\TEMP\pav5294.TMP
C:\WINDOWS\TEMP\pav5303.TMP
C:\WINDOWS\Application Data\Sskknwrd.dll 
C:\WINDOWS\Downloaded Program Files\gdnUS2044.exe

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Your computer should restart on its own if not restart manually,

Run another scan with Actice scan, Post back the results from it along with a fresh HJT log please
  • 0

#7
rstr44
Posted 18 August 2005 - 01:56 AM

rstr44

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Did as instructed- logs are below. It took a few tries (and some crashes and hard reboots) to get Panda Active Scan to run its course. At one point some sort of error occured with Icsupp95.exe, followed by multiple successive errors (around 15 little error windows piling up on top of each other) with Sophos antivirus saying the checksum file has been corrupted. Then at another point (after rebooting and restarting Activescan), I kept getting warnings that my disk space was critically low - 0kb - even though it wasn't. Anyway, after rebooting again finally at some point Activescan managed to finish the scan, and then I ran HJT.


Incident Status Location

Adware:adware/portalscan No disinfected C:\WINDOWS\SYSTEM\winupdt.008
Adware:adware/ncase No disinfected C:\WINDOWS\SYSTEM\saie_kyf.dat
---------------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:45:35 AM, on 8/18/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\THOTKEY.EXE
C:\PROGRAM FILES\SOPHOS\REMOTE UPDATE\CACHEMGR.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\TEMP\ICSUPP95.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\ALISNDMG.EXE
C:\WINDOWS\SYSTEM\TPWRTRAY.EXE
C:\WINDOWS\SYSTEM\TFNCKY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\UCLA STC\STCPE\STCPE.EXE
C:\PROGRAM FILES\SOPHOS SWEEP\ICMON.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\TOSHIBA\NETDEVSW\NETDEVSW.EXE
C:\PROGRAM FILES\MICROSOFT REFERENCE\BIBLIOROM LAROUSSE 2.0\QSHLF2F.EXE
C:\PROGRAM FILES\SPACE INTERNATIONAL\CDSPACE 5\LCDPLYER.EXE
C:\PROGRAM FILES\SOPHOS\REMOTE UPDATE\IMONITOR.EXE
C:\PROGRAM FILES\SPACE INTERNATIONAL\CDSPACE 5\CDSLICENSEMNG.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bol.ucla.edu/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] irmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ALiSndMgr] ALiSndMg.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [STCPE] "C:\Program Files\UCLA STC\STCPE\STCPE.exe"
O4 - HKLM\..\Run: [InterCheckMonitor] "C:\PROGRAM FILES\SOPHOS SWEEP\ICMON.EXE" -minimised
O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [THotkey] C:\WINDOWS\SYSTEM\THotkey.exe
O4 - HKLM\..\RunServices: [CacheMgr] C:\PROGRAM FILES\SOPHOS\REMOTE UPDATE\CACHEMGR.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [Sweep95] C:\Program Files\Sophos SWEEP\ICLOAD95.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Network Device Switch.lnk = C:\Program Files\TOSHIBA\NetDevSW\NetDevSW.exe
O4 - Startup: QuickShelf Fr.lnk = C:\Program Files\Microsoft Reference\Bibliorom Larousse 2.0\QShlf2f.exe
O4 - Startup: LCDPlayer.lnk = C:\Program Files\SPACE INTERNATIONAL\CDSpace 5\LCDPlyer.exe
O4 - Startup: STCPE.lnk = C:\Program Files\UCLA STC\STCPE\stcpe.exe
O4 - Startup: Remote Update Monitor.lnk = C:\Program Files\Sophos\Remote Update\imonitor.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .php: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {7935ACFD-5007-4C61-B603-3FEA6097871C} (stcpeX.stcpeocx) - http://phi.resnet.uc...Reg2/stcpeX.CAB
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - http://phi.resnet.uc...E6SP1/setup.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
  • 0

#8
don77
Posted 18 August 2005 - 04:45 AM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Well it looks better !

Using the same method again please open killbox using paste from clipboard kill the following files

C:\WINDOWS\SYSTEM\winupdt.008
C:\WINDOWS\SYSTEM\saie_kyf.dat


Give Active scan another run and lets see what it comes back with
  • 0

#9
rstr44
Posted 18 August 2005 - 10:22 PM

rstr44

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Looks like it's all clear. Thanks so much for your help!!

Panda scan says:
No viruses or other malicious software have been found!

Here's another HJT log just to be sure:

Logfile of HijackThis v1.99.1
Scan saved at 9:23:43 PM, on 8/18/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\THOTKEY.EXE
C:\PROGRAM FILES\SOPHOS\REMOTE UPDATE\CACHEMGR.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\ALISNDMG.EXE
C:\WINDOWS\SYSTEM\TPWRTRAY.EXE
C:\WINDOWS\SYSTEM\TFNCKY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\UCLA STC\STCPE\STCPE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\TOSHIBA\NETDEVSW\NETDEVSW.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT REFERENCE\BIBLIOROM LAROUSSE 2.0\QSHLF2F.EXE
C:\PROGRAM FILES\SPACE INTERNATIONAL\CDSPACE 5\LCDPLYER.EXE
C:\PROGRAM FILES\SOPHOS\REMOTE UPDATE\IMONITOR.EXE
C:\PROGRAM FILES\SPACE INTERNATIONAL\CDSPACE 5\CDSLICENSEMNG.EXE
C:\PROGRAM FILES\SOPHOS\REMOTE UPDATE\IUPDATE.EXE
C:\PROGRAM FILES\SOPHOS SWEEP\ICMON.EXE
C:\WINDOWS\TEMP\ICSUPP95.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bol.ucla.edu/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] irmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ALiSndMgr] ALiSndMg.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [STCPE] "C:\Program Files\UCLA STC\STCPE\STCPE.exe"
O4 - HKLM\..\Run: [InterCheckMonitor] "C:\PROGRAM FILES\SOPHOS SWEEP\ICMON.EXE" -minimised
O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [THotkey] C:\WINDOWS\SYSTEM\THotkey.exe
O4 - HKLM\..\RunServices: [CacheMgr] C:\PROGRAM FILES\SOPHOS\REMOTE UPDATE\CACHEMGR.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [Sweep95] C:\Program Files\Sophos SWEEP\ICLOAD95.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Network Device Switch.lnk = C:\Program Files\TOSHIBA\NetDevSW\NetDevSW.exe
O4 - Startup: QuickShelf Fr.lnk = C:\Program Files\Microsoft Reference\Bibliorom Larousse 2.0\QShlf2f.exe
O4 - Startup: LCDPlayer.lnk = C:\Program Files\SPACE INTERNATIONAL\CDSpace 5\LCDPlyer.exe
O4 - Startup: STCPE.lnk = C:\Program Files\UCLA STC\STCPE\stcpe.exe
O4 - Startup: Remote Update Monitor.lnk = C:\Program Files\Sophos\Remote Update\imonitor.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .php: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {7935ACFD-5007-4C61-B603-3FEA6097871C} (stcpeX.stcpeocx) - http://phi.resnet.uc...Reg2/stcpeX.CAB
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - http://phi.resnet.uc...E6SP1/setup.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
  • 0

#10
don77
Posted 19 August 2005 - 04:08 AM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Your very welcome,
Check SOPHOS for updates and run a full system scan with it please,
Aside from that

Nice job your log is clean !
How is it running ?
Please use the following suggestion to help prevent reinfection


Download the following program, For keeping crap off your system to begin with
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests. Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restrict the actions of potentially dangerous sites in Internet Explorer.
Download Spyware Blaster

Keep AD-Aware. and Spybot 1.3 handy, Check them for updates prior to running and run them weekly
Same with your Anti Virus,

For an added check run an online virus scan, you can use one of the 2 below,
TrendMicro's HouseCall
ActiveScan

Be sure and give the Temp folders a cleaning out now and then as well, Make sure after you clean your Temp files to empty out your Recycle bin as well.
For ease use the following program
Download and install Cleanup
Run "Cleanup" and when it has finished, Reboot

Remeber to Check Windows for updates

Probably a good time to create a new restore point See Here for XP

See Here for ME Name it clean or something like that,
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP