Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

540-filost adware [RESOLVED]


  • This topic is locked This topic is locked

#1
ro_jashan

ro_jashan

    New Member

  • Member
  • Pip
  • 8 posts
need help.... my little brother uses the computer and adult friend finder sites keeps popping up....



i downloaded the ewido security suite..... saved the report and reboot the system

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:34:32 PM, 8/16/2005
+ Report-Checksum: DC402531

+ Scan result:

C:\data -> TrojanDownloader.IstBar.ja : Cleaned with backup
C:\Documents and Settings\shine\Cookies\shine@247realmedia[1].txt -> Spyware.Cookie.247realmedia : Cleaned with backup
C:\Documents and Settings\shine\Cookies\shine@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\shine\Cookies\shine@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\shine\Cookies\shine@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\shine\Cookies\shine@ads.pointroll[1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\shine\Cookies\shine@adtrak[2].txt -> Spyware.Cookie.Adtrak : Cleaned with backup
C:\Documents and Settings\shine\Cookies\shine@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\shine\Cookies\shine@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\shine\Cookies\shine@count.xhit[1].txt -> Spyware.Cookie.Xhit : Cleaned with backup
C:\Documents and Settings\shine\Cookies\shine@cs.sexcounter[2].txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
C:\Documents and Settings\shine\Cookies\shine@cz3.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\shine\Cookies\shine@edge.ru4[1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\shine\Cookies\shine@hypertracker[1].txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
C:\Documents and Settings\shine\Cookies\shine@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\shine\Cookies\shine@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\shine\Cookies\shine@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\shine\Cookies\shine@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\shine\Cookies\shine@server.iad.liveperson[1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\shine\Cookies\shine@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\shine\Cookies\shine@trafic[1].txt -> Spyware.Cookie.Trafic : Cleaned with backup
C:\Documents and Settings\shine\Cookies\shine@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\shine\Cookies\shine@www.myaffiliateprogram[1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\shine\Cookies\shine@z1.adserver[2].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\shine\Local Settings\Temp\Del67.tmp -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\shine\Local Settings\Temp\res13.tmp -> Spyware.180Solutions : Cleaned with backup
C:\Program Files\SurfAccuracy\SAcc.exe -> Spyware.SurfAccuracy : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\ClientAX.dll -> Spyware.180Solutions : Cleaned with backup
C:\WINDOWS\nem220.dll_tobedeleted -> TrojanDownloader.Dyfuca : Cleaned with backup
C:\WINDOWS\system32\msbe.dll_tobedeleted -> Spyware.BargainBuddy : Cleaned with backup


::Report End


then i downloaded the Hijack this.... scan and save the log file.....'

Logfile of HijackThis v1.99.1
Scan saved at 3:02:17 PM, on 8/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\shine\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...//www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {F8A3C57C-2752-882C-B045-1E1585E482F8} - C:\DOCUME~1\jasmin\APPLIC~1\SOFTER~1\delete blah.exe (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [EPSON Stylus C43 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C43 Series" /O5 "LPT1:" /M "Stylus C43"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [qtd9AGk] C:\WINDOWS\guwgvo.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [internetadminbaitcomp] C:\Documents and Settings\All Users.WINDOWS\Application Data\BlueGplInternetAdmin\castthunk.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: BT2Net.lnk = C:\Documents and Settings\shine\My Documents\Instant Publisher Files\BT2Net\bt2net.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast....wareControl.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0DC33B1B-C354-469A-BBA6-CB87959562EE}: NameServer = 203.172.17.202 203.84.191.216
O17 - HKLM\System\CS1\Services\Tcpip\..\{0DC33B1B-C354-469A-BBA6-CB87959562EE}: NameServer = 203.172.17.202 203.84.191.216
O18 - Protocol: bt2 - {1730B77B-F429-498F-9B15-4514D83C8294} - C:\DOCUME~1\shine\MYDOCU~1\INSTAN~1\BT2Net\BT2PLU~1.DLL
O18 - Filter: application/x-bt2 - {6E1DDCE8-76BC-4390-9488-806E8FB1AD77} - C:\DOCUME~1\shine\MYDOCU~1\INSTAN~1\BT2Net\BT2PLU~1.DLL
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
  • 0

Advertisements


#2
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Hello and welcome!

Can you start with this first;

Download CleanUp
Install the program, dont run it yet, we will later.

Download & install;

Ad-aware SE Personal

When installed;

Launch Ad-Aware SE and run the WebUpdate feature. (Click on the Globe icon, Click "connect", Click "OK", Click "Finish".)

IF you are having problems with the update, get the manual updates here;

http://download.lava...public/defs.zip

Exit Ad-aware.

Now run the CleanUp program:

*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp

Running CleanUp
  • Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
  • When CleanUp starts go to the Options button (right side of CleanUp screen)
  • Move the arrow down to "Custom CleanUp!"
  • Now place a checkmark next to the following (Make sure nothing else is checked!):
    • Delete Cookies
      This is optional, if you leave the box checked it will remove all of your cookies, at this point removing cookies is a good idea
    • Empty Recycle Bins
    • Delete Prefetch files
    • Cleanup! All Users
  • Click OK
  • Then click on the CleanUp button. This will take a short while, let it do its thing.
  • When asked to reboot system select No
  • Close CleanUp
Run Ad-aware;

1. Set up the Configurations as follows:
  • Click the Gear wheel at the top of the Ad-Aware window
  • Click General > Safety & Settings: Check (Green) all three.
  • Click Tweak > Cleaning Engine > UNcheck "Always try to unload modules before deletion".
2. Click on "Proceed"
3. Click on "Scan Now"
4. Deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
5. Select "Search for low-risk threats"
6. Run the scanner using the Full Scan (Perform full system scan) mode.
7. When the scan has completed, select Next.
8. In the Scanning Results window, select the "Scan Summary" tab.
9. Check the box next to every "target family" for removal.
10. Click "Next", Click "OK".
11. Reboot.

Post a fresh HiJackThis log here.

- Rawe :tazz:
  • 0

#3
ro_jashan

ro_jashan

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
did wat u said....... :tazz:

tnx for replying.....

Logfile of HijackThis v1.99.1
Scan saved at 6:57:39 PM, on 8/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Documents and Settings\shine\My Documents\Instant Publisher Files\BT2Net\bt2net.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\shine\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webalta.c...1556a51e0768d9e
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...//www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {F8A3C57C-2752-882C-B045-1E1585E482F8} - C:\DOCUME~1\jasmin\APPLIC~1\SOFTER~1\delete blah.exe (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [EPSON Stylus C43 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C43 Series" /O5 "LPT1:" /M "Stylus C43"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [qtd9AGk] C:\WINDOWS\guwgvo.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [internetadminbaitcomp] C:\Documents and Settings\All Users.WINDOWS\Application Data\BlueGplInternetAdmin\castthunk.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: BT2Net.lnk = C:\Documents and Settings\shine\My Documents\Instant Publisher Files\BT2Net\bt2net.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast....wareControl.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0DC33B1B-C354-469A-BBA6-CB87959562EE}: NameServer = 203.172.17.202 203.84.191.216
O17 - HKLM\System\CS1\Services\Tcpip\..\{0DC33B1B-C354-469A-BBA6-CB87959562EE}: NameServer = 203.172.17.202 203.84.191.216
O18 - Protocol: bt2 - {1730B77B-F429-498F-9B15-4514D83C8294} - C:\DOCUME~1\shine\MYDOCU~1\INSTAN~1\BT2Net\BT2PLU~1.DLL
O18 - Filter: application/x-bt2 - {6E1DDCE8-76BC-4390-9488-806E8FB1AD77} - C:\DOCUME~1\shine\MYDOCU~1\INSTAN~1\BT2Net\BT2PLU~1.DLL
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
  • 0

#4
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Ok, can you run this online scan and post it's results here;
Panda Activescan

- Rawe :tazz:
  • 0

#5
ro_jashan

ro_jashan

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
i scanned the local disk only.....

here is the result.....

ncident Status Location

Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users.WINDOWS\Application Data\BlueGplInternetAdmin\castthunk.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users.WINDOWS\Application Data\BlueGplInternetAdmin\globalsend.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users.WINDOWS\Application Data\BlueGplInternetAdmin\IdolSpam.exe
Adware:Adware/Lop No disinfected C:\Program Files\NetPumper\ZM\minime.exe
Adware:Adware/SurfAccuracy No disinfected C:\Program Files\SurfAccuracy\SAccU.exe
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Downloaded Program Files\eied.inf
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll
Dialer:Dialer.ABR No disinfected C:\WINDOWS\Downloaded Program Files\start7.inf
Dialer:Dialer.CHO No disinfected C:\WINDOWS\internt.exe
Dialer:Dialer.Gen No disinfected C:\WINDOWS\switchagreement.txt
Dialer:dialer.xd No disinfected C:\WINDOWS\system32\vbsys2.dll
  • 0

#6
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Go to -> Start -> Control Panel -> Add/Remove programs and uninstall the following if present;

SurfAccuracy

Exit Control Panel and delete the following folders;

C:\Program Files\SurfAccuracy\

Then delete these files;

C:\Documents and Settings\All Users.WINDOWS\Application Data\BlueGplInternetAdmin\castthunk.exe
C:\Documents and Settings\All Users.WINDOWS\Application Data\BlueGplInternetAdmin\globalsend.exe
C:\Documents and Settings\All Users.WINDOWS\Application Data\BlueGplInternetAdmin\IdolSpam.exe
C:\Program Files\NetPumper\
C:\WINDOWS\Downloaded Program Files\eied.inf
C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll
C:\WINDOWS\Downloaded Program Files\start7.inf
C:\WINDOWS\internt.exe
C:\WINDOWS\switchagreement.txt
C:\WINDOWS\system32\vbsys2.dll
C:\Program Files\NetPumper\ZM\minime.exe


Then run CleanUp! again and reboot when prompted.

Post a new HijackThis log. Can you also tell me if you know what this is?

NetPumper

- Rawe :tazz:
  • 0

#7
ro_jashan

ro_jashan

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
hello..... sorry if I'm late in replying........ mom has to use the pc.....

yeah, there is this mp3 file i want to download but it requires a netpumper software..... its kind of like the DAP- the download accelerator something.....
why.... is it the one causing this pop-ups?


by the way i wasn't able to delete
C:\WINDOWS\system32\vbsys2.dll bec. it said that it may be used by other application or write protected....

i wasn't able to delete these three files either bec. it's not in the said folder but the rest are deleted okay......

C:\WINDOWS\Downloaded Program Files\eied.inf
C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll
C:\WINDOWS\Downloaded Program Files\start7.inf


here is the new hijackthis log


Logfile of HijackThis v1.99.1
Scan saved at 8:06:56 AM, on 8/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Documents and Settings\shine\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...//www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {F8A3C57C-2752-882C-B045-1E1585E482F8} - C:\DOCUME~1\jasmin\APPLIC~1\SOFTER~1\delete blah.exe (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [EPSON Stylus C43 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C43 Series" /O5 "LPT1:" /M "Stylus C43"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [qtd9AGk] C:\WINDOWS\guwgvo.exe
O4 - HKLM\..\Run: [internetadminbaitcomp] C:\Documents and Settings\All Users.WINDOWS\Application Data\BlueGplInternetAdmin\castthunk.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: BT2Net.lnk = C:\Documents and Settings\shine\My Documents\Instant Publisher Files\BT2Net\bt2net.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast....wareControl.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0DC33B1B-C354-469A-BBA6-CB87959562EE}: NameServer = 203.172.17.202 203.84.191.216
O17 - HKLM\System\CS1\Services\Tcpip\..\{0DC33B1B-C354-469A-BBA6-CB87959562EE}: NameServer = 203.172.17.202 203.84.191.216
O18 - Protocol: bt2 - {1730B77B-F429-498F-9B15-4514D83C8294} - C:\DOCUME~1\shine\MYDOCU~1\INSTAN~1\BT2Net\BT2PLU~1.DLL
O18 - Filter: application/x-bt2 - {6E1DDCE8-76BC-4390-9488-806E8FB1AD77} - C:\DOCUME~1\shine\MYDOCU~1\INSTAN~1\BT2Net\BT2PLU~1.DLL
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
  • 0

#8
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click "Start Scan"
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.
  • 0

#9
ro_jashan

ro_jashan

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
did what you said..... :tazz:


Started Scanning
Internet Cookies
Found 'casalemedia.com' in 'Internet Explorer Cache'
Found 'insightexpressai.com' in 'Internet Explorer Cache'
Found 'adknowledge.com' in 'Internet Explorer Cache'
Found 'ad.yieldmanager.com' in 'Internet Explorer Cache'
Found 'dist.belnk.com' in 'Internet Explorer Cache'
Found 'trafficmp.com' in 'Internet Explorer Cache'
Found 'hypertracker.com' in 'Internet Explorer Cache'
Found 'com.com' in 'Internet Explorer Cache'
Found 'maxserving.com' in 'Internet Explorer Cache'
Found 'zedo.com' in 'Internet Explorer Cache'
Found 'stats1.clicktracks.com' in 'Internet Explorer Cache'
Found 'z1.adserver.com' in 'Internet Explorer Cache'
Found 'belnk.com' in 'Internet Explorer Cache'
Programs in Memory
Windows Registry
Found '' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1'
Found '' in 'SOFTWARE\Classes\CLSID\{54645654-2225-4455-44A1-9F4543D34545}'
Internet URL Shortcuts
Files and Directories
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Finished Cleaning
  • 0

#10
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Then post a fresh HiJackThis log :tazz:
  • 0

Advertisements


#11
ro_jashan

ro_jashan

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Logfile of HijackThis v1.99.1
Scan saved at 2:50:50 PM, on 8/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Documents and Settings\shine\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...//www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {F8A3C57C-2752-882C-B045-1E1585E482F8} - C:\DOCUME~1\jasmin\APPLIC~1\SOFTER~1\delete blah.exe (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [EPSON Stylus C43 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C43 Series" /O5 "LPT1:" /M "Stylus C43"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [qtd9AGk] C:\WINDOWS\guwgvo.exe
O4 - HKLM\..\Run: [internetadminbaitcomp] C:\Documents and Settings\All Users.WINDOWS\Application Data\BlueGplInternetAdmin\Defy open.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast....wareControl.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0DC33B1B-C354-469A-BBA6-CB87959562EE}: NameServer = 203.172.17.202 203.84.191.216
O17 - HKLM\System\CS1\Services\Tcpip\..\{0DC33B1B-C354-469A-BBA6-CB87959562EE}: NameServer = 203.172.17.202 203.84.191.216
O18 - Protocol: bt2 - {1730B77B-F429-498F-9B15-4514D83C8294} - C:\DOCUME~1\shine\MYDOCU~1\INSTAN~1\BT2Net\BT2PLU~1.DLL (file missing)
O18 - Filter: application/x-bt2 - {6E1DDCE8-76BC-4390-9488-806E8FB1AD77} - C:\DOCUME~1\shine\MYDOCU~1\INSTAN~1\BT2Net\BT2PLU~1.DLL
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
  • 0

#12
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Run a scan with HiJackThis and check the following objects for removal:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...//www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {F8A3C57C-2752-882C-B045-1E1585E482F8} - C:\DOCUME~1\jasmin\APPLIC~1\SOFTER~1\delete blah.exe (file missing)
O4 - HKLM\..\Run: [qtd9AGk] C:\WINDOWS\guwgvo.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c5.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O18 - Protocol: bt2 - {1730B77B-F429-498F-9B15-4514D83C8294} - C:\DOCUME~1\shine\MYDOCU~1\INSTAN~1\BT2Net\BT2PLU~1.DLL (file missing)
O18 - Filter: application/x-bt2 - {6E1DDCE8-76BC-4390-9488-806E8FB1AD77} - C:\DOCUME~1\shine\MYDOCU~1\INSTAN~1\BT2Net\BT2PLU~1.DLL
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)


Close any other open windows and/or open browsers except for HiJackThis and hit FIX CHECKED.

Exit HiJackThis.

Reboot. Delete the following files & folder if present:

C:\DOCUME~1\shine\MYDOCU~1\INSTAN~1\BT2Net\
C:\DOCUME~1\jasmin\APPLIC~1\SOFTER~1\delete blah.exe
O4 - HKLM\..\Run: [qtd9AGk] C:\WINDOWS\guwgvo.exe


Empty recycle bin.

Post a fresh HiJackThis log.

- Rawe :tazz:
  • 0

#13
ro_jashan

ro_jashan

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
hi.....

here is my new hijackthis log......

Logfile of HijackThis v1.99.1
Scan saved at 6:54:47 PM, on 8/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\shine\Desktop\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [EPSON Stylus C43 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C43 Series" /O5 "LPT1:" /M "Stylus C43"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [internetadminbaitcomp] C:\Documents and Settings\All Users.WINDOWS\Application Data\BlueGplInternetAdmin\Defy open.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast....wareControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0DC33B1B-C354-469A-BBA6-CB87959562EE}: NameServer = 203.172.17.202 203.84.191.216
O17 - HKLM\System\CS1\Services\Tcpip\..\{0DC33B1B-C354-469A-BBA6-CB87959562EE}: NameServer = 203.172.17.202 203.84.191.216
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
  • 0

#14
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Do you have any problems at the moment? :tazz:
  • 0

#15
ro_jashan

ro_jashan

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
none..... :tazz:

by the way may i ask what software or websites that was causing all that so that we can avoid it next time......



thank you so much.....
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP