Look2ME [CLOSED]


  • This topic is locked This topic is locked

#1 scd666 (Member, 12 posts)
I keep having WinFixer popups and loads of other popups, but when I scan with Ewido and some others it says that it finds some files that are Look2Me and I can't get rid of them. Please help me so I can get my computer running the way it used to. I have no idea what to do.

#2 Rawe (Visiting Staff, 4,746 posts)
Hello and welcome!

We'll get this sorted for you. Can you please start from here:
http://www.geekstogo...-Log-t2852.html

If you are still having problems after the preparation steps, follow Step 5 and post your HijackThis log to THIS thread by using Add Reply.

Don't start a new topic for replies.

- Rawe :tazz:

#3 scd666 (Topic Starter, Member, 12 posts)
Well, I followed steps 1 through 4 and there are no more popups. Ewido finds some things, but it fixed them. But I do have another problem.

When I start my computer it shows my desktop and then an error message pops up; it says RUNDLL, error, could not load specified module. What can I do to correct that?

#4 Rawe (Visiting Staff, 4,746 posts)
Can you follow Step 5 to post your current HijackThis log to this thread, and I'll take a look at it.

- Rawe :tazz:

#5 scd666 (Topic Starter, Member, 12 posts)
Hey, I did what you said and here is the log.

#6 scd666 (Topic Starter, Member, 12 posts)
Dunno if the attachment came over, so I'll just paste it in here.


Logfile of HijackThis v1.99.1
Scan saved at 6:33:03 PM, on 8/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sophos\Remote Update\cachemgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\Fast.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Logitech\MouseWare\System\Em_exec.exe
C:\Documents and Settings\Shane\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.sho...d=11914554&id=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.sho...d=11914554&id=0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.sho...d=11914554&id=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.sho...d=11914554&id=0
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.sho...d=11914554&id=0
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.sho...d=11914554&id=0
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.shopnav.com/q.cgi?q=
R3 - Default URLSearchHook is missing
O2 - BHO: Band Class - {00027925-0017-4faf-9539-90E4AC0B9EC5} - C:\WINDOWS\ttext.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {76F7686F-A482-8474-D71E-AF1853F7909E} - C:\WINDOWS\system32\bawslju.dll
O2 - BHO: SDWin32 Class - {E8E41329-CB4F-49F4-BBAE-2957C28CF901} - C:\WINDOWS\system32\qvnkw.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE ,DllRun
O4 - HKLM\..\Run: [qvnkwc] C:\WINDOWS\system32\qvnkwc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [aB03RRGFV] rtuur32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Remote Update Monitor.lnk = C:\Program Files\Sophos\Remote Update\imonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c5.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1108150780168
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O23 - Service: Sophos Cache Manager (CacheMgr) - SOPHOS Plc - C:\Program Files\Sophos\Remote Update\cachemgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
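As an added triage aid (not part of this thread and not a HijackThis feature), the following Python script parses lines in the HijackThis log format posted above and flags the kinds of entries a helper checks by eye: dangling file references, unnamed browser helper objects, autostart commands without a path, a rundll32 entry with an empty module, Trusted Zone additions, and search or start-page URLs outside an allowlist. The allowlist, the flag wording and the abridged selection of log lines are assumptions of the example.

```python
"""Triage helper for HijackThis v1.99 log lines (added example).

Parses the "<section> - <body>" format used by the logs above and applies
defender-side heuristics that narrow the list down; it does not identify
malware by name, that still needs the file names looked up.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Hosts this machine's IE search/start settings are allowed to point at.
# Assumption for the example; a real allowlist comes from the machine's owner.
ALLOWED_SEARCH_HOSTS = {"www.yahoo.com"}

# Abridged lines from the HijackThis log posted above. The forum software
# had already shortened the URLs with "...", so they are kept as posted.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.sho...d=11914554&id=0",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/",
    r"R3 - Default URLSearchHook is missing",
    r"O2 - BHO: Band Class - {00027925-0017-4faf-9539-90E4AC0B9EC5} - C:\WINDOWS\ttext.dll",
    r"O2 - BHO: (no name) - {76F7686F-A482-8474-D71E-AF1853F7909E} - C:\WINDOWS\system32\bawslju.dll",
    r"O2 - BHO: SDWin32 Class - {E8E41329-CB4F-49F4-BBAE-2957C28CF901} - C:\WINDOWS\system32\qvnkw.dll (file missing)",
    r"O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)",
    r"O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE ,DllRun",
    r"O4 - HKLM\..\Run: [qvnkwc] C:\WINDOWS\system32\qvnkwc.exe",
    r"O4 - HKCU\..\Run: [aB03RRGFV] rtuur32.exe",
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
    r"O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe",
    r"O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)",
    r"O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
]

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
DRIVE_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')  # command starts with an absolute path


@dataclass
class Entry:
    section: str
    body: str
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Split one log line into its HijackThis section code and body."""
    m = LINE_RE.match(line.strip())
    return Entry(m["section"], m["body"]) if m else None


def _autostart_command(body: str) -> str:
    """Extract the command from an O4 body: '[name] cmd' or 'X.lnk = cmd'."""
    if "] " in body:
        return body.split("] ", 1)[1]
    if " = " in body:
        return body.split(" = ", 1)[1]
    return body


def _host_of(url: str) -> str:
    if "://" not in url:
        url = "http://" + url  # the SearchURL entry omits the scheme
    return urlparse(url).netloc.lower()


def triage(entry: Entry) -> Entry:
    """Attach human-readable flags to one parsed entry."""
    body, sec = entry.body, entry.section
    if "(file missing)" in body or "(no file)" in body:
        entry.flags.append("registry points at a file that no longer exists")
    if sec in ("O2", "O3") and "(no name)" in body:
        entry.flags.append("browser extension registered without a name")
    if sec == "O4":
        cmd = _autostart_command(body)
        if cmd.lower().startswith("rundll32"):
            args = cmd.split(None, 1)[1] if " " in cmd else ""
            dll = args.split(",", 1)[0].strip().strip('"')
            if not dll:  # "RunDLL32.EXE ,DllRun": nothing before the comma
                entry.flags.append("rundll32 with empty module name; "
                                   "gives a RUNDLL load error at logon")
        elif not DRIVE_PATH_RE.match(cmd):
            entry.flags.append("autostart command has no full path")
    if sec == "O15":
        entry.flags.append("site added to IE Trusted Zone")
    if sec in ("R0", "R1") and " = " in body:
        host = _host_of(body.split(" = ", 1)[1].strip())
        if host not in ALLOWED_SEARCH_HOSTS:
            entry.flags.append(f"search/start page points at {host}")
    return entry


def triage_log(lines) -> List[Entry]:
    """Parse all lines and return only the entries that raised a flag."""
    flagged = []
    for line in lines:
        e = parse_line(line)
        if e and triage(e).flags:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.section}: {e.body}")
        for f in e.flags:
            print(f"    -> {f}")
```

Note that C:\WINDOWS\ttext.dll passes every heuristic here although Spy Sweeper later in the thread identifies it as adware; structural checks like these only shorten the list, and the remaining file names still have to be looked up.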

#7 Rawe (Visiting Staff, 4,746 posts)
Hello!

Ok, your system is definitely not clean. Let's see what Ewido says.

Can you first make sure it has the latest definitions.

Next, download CleanUp.
Install the program, but don't run it yet; we will later.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Now open Ewido and do a scan of your system.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • Clean anything it finds.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close Ewido.

Now run the CleanUp program:

*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders; it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp

Running CleanUp
  • Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
  • When CleanUp starts go to the Options button (right side of CleanUp screen)
  • Move the arrow down to "Custom CleanUp!"
  • Now place a checkmark next to the following (Make sure nothing else is checked!):
    • Delete Cookies
      This is optional, if you leave the box checked it will remove all of your cookies, at this point removing cookies is a good idea
    • Empty Recycle Bins
    • Delete Prefetch files
    • Cleanup! All Users
  • Click OK
  • Then click on the CleanUp button. This will take a short while, let it do its thing.
  • When asked to reboot system select No
  • Close CleanUp
Reboot into normal mode and post the Ewido log here along with a fresh HiJackThis log.

- Rawe :tazz:

#8 scd666 (Topic Starter, Member, 12 posts)
Well, I did what you said and here is the log from Ewido.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:13:41 PM, 8/23/2005
+ Report-Checksum: 4CC21606

+ Scan result:

HKU\S-1-5-21-1060284298-1580818891-1202660629-1003\Software\intexp -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-1060284298-1580818891-1202660629-1003\Software\intexp\Config -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-1060284298-1580818891-1202660629-1003\Software\intexp\MyFileSystem2 -> Spyware.IEPlugin : Cleaned with backup
C:\Documents and Settings\Shane\Cookies\shane@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Shane\Cookies\shane@ads.addynamix[2].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Shane\Cookies\shane@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Shane\Cookies\shane@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Shane\Cookies\shane@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Shane\Cookies\shane@cs.sexcounter[2].txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
C:\Documents and Settings\Shane\Cookies\shane@edge.ru4[1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Shane\Cookies\shane@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Shane\Cookies\shane@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Shane\Cookies\shane@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Shane\Cookies\shane@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup


::Report End



And here is the new HijackThis log.


Logfile of HijackThis v1.99.1
Scan saved at 11:06:35 PM, on 8/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sophos\Remote Update\cachemgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\Fast.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Documents and Settings\Shane\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.sho...h.cgi?uid=&id=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.sho...h.cgi?uid=&id=0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.sho...h.cgi?uid=&id=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.sho...h.cgi?uid=&id=0
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.sho...d=11914554&id=0
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.sho...d=11914554&id=0
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.shopnav.com/q.cgi?q=
R3 - Default URLSearchHook is missing
O2 - BHO: Band Class - {00027925-0017-4faf-9539-90E4AC0B9EC5} - C:\WINDOWS\ttext.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {76F7686F-A482-8474-D71E-AF1853F7909E} - C:\WINDOWS\system32\bawslju.dll
O2 - BHO: SDWin32 Class - {E8E41329-CB4F-49F4-BBAE-2957C28CF901} - C:\WINDOWS\system32\qvnkw.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE ,DllRun
O4 - HKLM\..\Run: [qvnkwc] C:\WINDOWS\system32\qvnkwc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [aB03RRGFV] rtuur32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Remote Update Monitor.lnk = C:\Program Files\Sophos\Remote Update\imonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c5.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1108150780168
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O23 - Service: Sophos Cache Manager (CacheMgr) - SOPHOS Plc - C:\Program Files\Sophos\Remote Update\cachemgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe



I'm also having the problem that every time I start up my computer I have to reconfigure my mouse.

Let me know what the next step is.

Thanks

#9 Rawe (Visiting Staff, 4,746 posts)
Post:
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Uninstall Manager"
  • Click on the button "Save list"
  • Copy and paste the List from the notebook onto your post
That along with this:

Please do an online scan with Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Standard
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan": select My Computer
  • This program will start to scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
- Rawe :tazz:

#10 scd666 (Topic Starter, Member, 12 posts)
Here are the scans you wanted me to run.

HijackThis

Active Disk
Ad-Aware SE Personal
Adobe Acrobat 7.0.1 and Reader 7.0.1 Update
Adobe Acrobat 7.0.2 and Reader 7.0.2 Update
Adobe Download Manager 2.0 (Remove Only)
Adobe Photoshop 7.0
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0
AOL Instant Messenger
CleanUp!
ewido security suite
Ezonics Greeting Cam Deluxe
EzPhone Cam
EZVideo Chat 1.00
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
hp deskjet 845c series (Remove only)
HP Memories Disc
HP Photo and Imaging 2.0 - Photosmart Cameras
iMesh 5
InCD
InCD EasyWrite Reader
IomegaWare 4.0.2
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
LiveSuite
Logitech MouseWare 9.79.1
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Office Professional Edition 2003
mIRC
mobile PhoneTools
MSN Music Assistant
Nero OEM
NVIDIA Windows 2000/XP Display Drivers
PokerStars
Powertoys For Windows XP
QuickTime
Return to Castle Wolfenstein
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB903235)
Sophos Anti-Virus version 3.92.0
Sophos Remote Update
Sound Blaster Live! Web 2K/XP
Spelling Dictionaries For Adobe Reader Package
Spybot - Search & Destroy 1.4
Trillian
Ulead Photo Explorer 6.0
Ulead Photo Express 3.0 SE
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinMX
Yahoo! Messenger




-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, August 24, 2005 21:48:36
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 25/08/2005
Kaspersky Anti-Virus database records: 136852
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
G:\

Scan Statistics:
Total number of scanned objects: 41812
Number of viruses found: 11
Number of infected objects: 20
Number of suspicious objects: 0
Duration of the scan process: 11883 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Shane\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-754a5f7b.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Documents and Settings\Shane\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-754a5f7b.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\Documents and Settings\Shane\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-754a5f7b.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Documents and Settings\Shane\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-754a5f7b.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Documents and Settings\Shane\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-754a5f7b.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Documents and Settings\Shane\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-6604b080-3f2858eb.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Documents and Settings\Shane\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-6604b080-3f2858eb.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\Documents and Settings\Shane\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-6604b080-3f2858eb.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Documents and Settings\Shane\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-6604b080-3f2858eb.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Documents and Settings\Shane\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-6604b080-3f2858eb.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Aprps\CxtPls.dll Infected: Trojan-Downloader.Win32.Apropo.ag
C:\Program Files\Aprps\CxtPls.exe Infected: Trojan-Downloader.Win32.Apropo.ag
C:\System Volume Information\_restore{7576894A-68E2-4E47-BE7D-0C2AA0C38E83}\RP2\A0000014.exe Infected: Trojan-Downloader.Win32.VB.if
C:\System Volume Information\_restore{7576894A-68E2-4E47-BE7D-0C2AA0C38E83}\RP2\A0000017.dll Infected: Trojan-Clicker.Win32.Small.ez
C:\System Volume Information\_restore{7576894A-68E2-4E47-BE7D-0C2AA0C38E83}\RP2\A0000018.exe Infected: Trojan-Downloader.Win32.Small.abd
C:\System Volume Information\_restore{7576894A-68E2-4E47-BE7D-0C2AA0C38E83}\RP2\A0000020.cpl Infected: Trojan-Downloader.Win32.Qoologic.p
C:\System Volume Information\_restore{7576894A-68E2-4E47-BE7D-0C2AA0C38E83}\RP2\A0000022.dll Infected: Trojan-Downloader.Win32.Qoologic.p
C:\System Volume Information\_restore{7576894A-68E2-4E47-BE7D-0C2AA0C38E83}\RP2\A0000024.exe Infected: Trojan-Downloader.Win32.Small.abd
C:\System Volume Information\_restore{7576894A-68E2-4E47-BE7D-0C2AA0C38E83}\RP2\A0000025.exe Infected: Trojan-Dropper.Win32.Agent.mm
C:\System Volume Information\_restore{7576894A-68E2-4E47-BE7D-0C2AA0C38E83}\RP2\A0002047.exe Infected: Trojan-Dropper.Win32.Agent.lu

Scan process completed.

#11 Rawe (Visiting Staff, 4,746 posts)
Ok.

Uninstall using Add/Remove Programs in the Control Panel (unless you use this software):

PokerStars


After that, delete this folder:

C:\Program Files\Aprps\

Empty recycle bin.

1. Click Start > Control Panel.

2. Double-click the Java icon (coffee cup) in the control panel. It will say "Java Plug-in" under the icon - please find the update button or tab in that Java control panel. Update your Java, and reboot.

After the reboot, go back into the Control Panel and double-click the Java icon.

3. Under Temporary Internet Files, click the Delete Files button.

There are three options on this window to clear the cache - leave ALL 3 checked.
1. Downloaded Applets
2. Downloaded Applications
3. Other Files

4. Click OK on Delete Temporary Files window.
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

5. Click OK to leave the Java Control Panel.

Disable System Restore;

1. Click Start > Programs > Accessories > Windows Explorer
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Check the "Turn off System Restore"
5. Click Apply. A message shows up.
6. Click "Yes" to do this.
7. Confirm with "Ok".


Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Double-click the file to install it as follows:
    • Click "Next", read the agreement, Click "Next"
    • Choose "Custom" click "Next".
    • Leave the default installation directory as it is, then click "Next".
    • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
    • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
    Disable SpySweeper Shields
    • Click Shields on the left.
    • Click Internet Explorer and uncheck all items.
    • Click Windows System and uncheck all items.
    • Click Startup Programs and uncheck all items.
  • Once the definitions are installed and shields disabled, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Enable System Restore;

1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck the "Turn off System Restore" check box.
5. Click Apply, and then click "OK".


Set a new restore point and post the SpySweeper results. :tazz:

#12 scd666 (Topic Starter, Member, 12 posts)
Did what you said and here is what you asked for.


********
6:19 PM: |··· Start of Session, Thursday, August 25, 2005 ···|
6:19 PM: Spy Sweeper started
6:19 PM: Sweep initiated using definitions version 522
6:19 PM: Starting Memory Sweep
6:22 PM: Found Adware: shopnavupdater
6:22 PM: Detected running threat: C:\WINDOWS\ttext.dll (ID = 75991)
6:23 PM: Memory Sweep Complete, Elapsed Time: 00:04:19
6:23 PM: Starting Registry Sweep
6:23 PM: Found Adware: apropos
6:23 PM: HKU\S-1-5-21-1060284298-1580818891-1202660629-1003\software\aprps\ (7 subtraces) (ID = 103740)
6:23 PM: HKLM\software\aprps\ (8 subtraces) (ID = 103741)
6:23 PM: Found Adware: bookedspace
6:23 PM: HKLM\software\configuration manager\cfgmgr52\ (6 subtraces) (ID = 104873)
6:23 PM: HKLM\software\microsoft\windows\currentversion\run\ || cfgmgr52 (ID = 104883)
6:23 PM: Found Adware: delfin
6:23 PM: HKLM\software\vidctrl\ (3 subtraces) (ID = 124897)
6:23 PM: Found Adware: ieplugin
6:23 PM: HKU\S-1-5-21-1060284298-1580818891-1202660629-1003\software\intexp\ (4 subtraces) (ID = 128173)
6:23 PM: HKLM\software\microsoft\internet explorer\toolbar\ || {2cde1a7d-a478-4291-bf31-e1b4c16f92eb} (ID = 128178)
6:23 PM: Found Adware: drsnsrch.com hijack
6:23 PM: HKU\S-1-5-21-1060284298-1580818891-1202660629-1003\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
6:23 PM: HKU\S-1-5-18\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
6:23 PM: Found Trojan Horse: trojan-downloader-pacisoft
6:23 PM: HKU\S-1-5-21-1060284298-1580818891-1202660629-1003\software\psof1\ (ID = 136530)
6:23 PM: Found Adware: redzip toolbar
6:23 PM: HKU\S-1-5-21-1060284298-1580818891-1202660629-1003\software\microsoft\windows\currentversion\explorer\ || insid (ID = 139328)
6:23 PM: Found Adware: roings search enhancment
6:23 PM: HKCR\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\ (23 subtraces) (ID = 140032)
6:23 PM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\inprocserver32\ (2 subtraces) (ID = 140081)
6:23 PM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\miscstatus\ (3 subtraces) (ID = 140082)
6:23 PM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\progid\ (1 subtraces) (ID = 140083)
6:23 PM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\toolboxbitmap32\ (1 subtraces) (ID = 140084)
6:23 PM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\typelib\ (1 subtraces) (ID = 140085)
6:23 PM: HKLM\software\classes\clsid\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9}\version\ (1 subtraces) (ID = 140086)
6:23 PM: Found Adware: shopnav.com hijacker
6:23 PM: HKU\S-1-5-21-1060284298-1580818891-1202660629-1003\software\microsoft\internet explorer\main\ || search bar (ID = 142264)
6:23 PM: HKLM\software\microsoft\internet explorer\main\ || search bar (ID = 142265)
6:23 PM: HKLM\software\microsoft\internet explorer\search\ || searchassistant (ID = 142266)
6:23 PM: HKLM\software\microsoft\internet explorer\search\ || customizesearch (ID = 142267)
6:23 PM: HKU\S-1-5-21-1060284298-1580818891-1202660629-1003\software\microsoft\internet explorer\searchurl\ (1 subtraces) (ID = 142268)
6:23 PM: HKU\S-1-5-21-1060284298-1580818891-1202660629-1003\software\microsoft\internet explorer\main\ || search page (ID = 142269)
6:23 PM: HKLM\software\microsoft\internet explorer\main\ || search page (ID = 142270)
6:24 PM: Found Adware: surfsidekick
6:24 PM: HKU\S-1-5-21-1060284298-1580818891-1202660629-1003\software\surfsidekick3\ (3 subtraces) (ID = 143412)
6:24 PM: HKLM\software\surfsidekick3\ (2 subtraces) (ID = 143413)
6:24 PM: Found Adware: winad
6:24 PM: HKCR\prevadx.installer\ (3 subtraces) (ID = 147161)
6:24 PM: HKLM\software\classes\prevadx.installer\ (3 subtraces) (ID = 147175)
6:24 PM: HKLM\software\microsoft\code store database\distribution units\{15ad6789-cdb4-47e1-a9da-992ee8e6bad6}\ (10 subtraces) (ID = 147185)
6:24 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaaccx.dll\ (2 subtraces) (ID = 147191)
6:24 PM: Found Adware: icannnews
6:24 PM: HKCR\activexctrl\ (3 subtraces) (ID = 169450)
6:24 PM: HKCR\clsid\{3bfadce2-1141-4b81-8878-49af625f0fdc}\ (3 subtraces) (ID = 169451)
6:24 PM: HKCR\clsid\{4208fb4d-4e53-4f5a-bf7a-3e047ddb5281}\ (21 subtraces) (ID = 169452)
6:24 PM: HKCR\interface\{980ad470-04ea-4d1d-bd26-e178b7bda6d8}\ (8 subtraces) (ID = 169454)
6:24 PM: HKCR\interface\{fd39937a-c583-4aac-9332-8a3e44988a67}\ (8 subtraces) (ID = 169455)
6:24 PM: HKCR\typelib\{ee5ac3d6-6f43-4047-af0a-d66fc2cf8f42}\ (9 subtraces) (ID = 169456)
6:24 PM: HKLM\software\classes\activexctrl\ (3 subtraces) (ID = 169457)
6:24 PM: HKLM\software\classes\clsid\{3bfadce2-1141-4b81-8878-49af625f0fdc}\ (3 subtraces) (ID = 169458)
6:24 PM: HKLM\software\classes\clsid\{4208fb4d-4e53-4f5a-bf7a-3e047ddb5281}\ (21 subtraces) (ID = 169459)
6:24 PM: HKLM\software\classes\interface\{980ad470-04ea-4d1d-bd26-e178b7bda6d8}\ (8 subtraces) (ID = 169461)
6:24 PM: HKLM\software\classes\interface\{fd39937a-c583-4aac-9332-8a3e44988a67}\ (8 subtraces) (ID = 169462)
6:24 PM: HKLM\software\classes\typelib\{ee5ac3d6-6f43-4047-af0a-d66fc2cf8f42}\ (9 subtraces) (ID = 169463)
6:24 PM: HKCR\clsid\{00027925-0017-4faf-9539-90e4ac0b9ec5}\ (11 subtraces) (ID = 359486)
6:24 PM: HKCR\clsid\{5e0910c6-9e45-481c-a2ec-0ec29c96ebeb}\ (11 subtraces) (ID = 359487)
6:24 PM: HKCR\clsid\{8f7d96aa-489a-4194-ab34-21ef42507932}\ (13 subtraces) (ID = 359488)
6:24 PM: HKCR\clsid\{79406f24-8e95-4af8-9fef-2ea2b504e707}\ (13 subtraces) (ID = 359489)
6:24 PM: HKCR\clsid\{b424e2aa-4466-41ca-8194-5a83995a9b15}\ (11 subtraces) (ID = 359490)
6:24 PM: HKCR\snb.band\ (5 subtraces) (ID = 359491)
6:24 PM: HKCR\sntb.bottomframe\ (5 subtraces) (ID = 359492)
6:24 PM: HKCR\sntb.leftframe\ (5 subtraces) (ID = 359493)
6:24 PM: HKCR\sntb.popupbrowser\ (5 subtraces) (ID = 359494)
6:24 PM: HKCR\sntb.popupwindow\ (5 subtraces) (ID = 359495)
6:24 PM: HKLM\software\classes\clsid\{00027925-0017-4faf-9539-90e4ac0b9ec5}\ (11 subtraces) (ID = 359496)
6:24 PM: HKLM\software\classes\clsid\{5e0910c6-9e45-481c-a2ec-0ec29c96ebeb}\ (11 subtraces) (ID = 359497)
6:24 PM: HKLM\software\classes\clsid\{8f7d96aa-489a-4194-ab34-21ef42507932}\ (13 subtraces) (ID = 359498)
6:24 PM: HKLM\software\classes\clsid\{79406f24-8e95-4af8-9fef-2ea2b504e707}\ (13 subtraces) (ID = 359499)
6:24 PM: HKLM\software\classes\clsid\{b424e2aa-4466-41ca-8194-5a83995a9b15}\ (11 subtraces) (ID = 359500)
6:24 PM: HKLM\software\classes\snb.band\ (5 subtraces) (ID = 359501)
6:24 PM: HKLM\software\classes\sntb.bottomframe\ (5 subtraces) (ID = 359502)
6:24 PM: HKLM\software\classes\sntb.leftframe\ (5 subtraces) (ID = 359503)
6:24 PM: HKLM\software\classes\sntb.popupbrowser.1\ (3 subtraces) (ID = 359504)
6:24 PM: HKLM\software\classes\sntb.popupbrowser\ (5 subtraces) (ID = 359505)
6:24 PM: HKLM\software\classes\sntb.popupwindow.1\ (3 subtraces) (ID = 359506)
6:24 PM: HKLM\software\classes\sntb.popupwindow\ (5 subtraces) (ID = 359507)
6:24 PM: HKLM\software\classes\typelib\{46bd3f46-6e46-43d2-a69d-fd8c05044475}\ (9 subtraces) (ID = 359508)
6:24 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{00027925-0017-4faf-9539-90e4ac0b9ec5}\ (ID = 359509)
6:24 PM: HKCR\typelib\{46bd3f46-6e46-43d2-a69d-fd8c05044475}\ (9 subtraces) (ID = 359513)
6:24 PM: Registry Sweep Complete, Elapsed Time:00:00:19
6:24 PM: Starting Cookie Sweep
6:24 PM: Found Spy Cookie: adknowledge cookie
6:24 PM: shane@adknowledge[1].txt (ID = 2072)
6:24 PM: Found Spy Cookie: adrevolver cookie
6:24 PM: shane@adrevolver[1].txt (ID = 2088)
6:24 PM: shane@adrevolver[2].txt (ID = 2088)
6:24 PM: Found Spy Cookie: addynamix cookie
6:24 PM: shane@ads.addynamix[1].txt (ID = 2062)
6:24 PM: Found Spy Cookie: pointroll cookie
6:24 PM: shane@ads.pointroll[1].txt (ID = 3148)
6:24 PM: Found Spy Cookie: falkag cookie
6:24 PM: shane@as-us.falkag[2].txt (ID = 2650)
6:24 PM: Found Spy Cookie: atwola cookie
6:24 PM: shane@atwola[1].txt (ID = 2255)
6:24 PM: Found Spy Cookie: belnk cookie
6:24 PM: shane@belnk[1].txt (ID = 2292)
6:24 PM: Found Spy Cookie: casalemedia cookie
6:24 PM: shane@casalemedia[2].txt (ID = 2354)
6:24 PM: shane@dist.belnk[2].txt (ID = 2293)
6:24 PM: Found Spy Cookie: adserver cookie
6:24 PM: shane@z1.adserver[1].txt (ID = 2142)
6:24 PM: Cookie Sweep Complete, Elapsed Time: 00:00:02
6:24 PM: Starting File Sweep
6:24 PM: c:\windows\system32\vidctrl (ID = -2147481117)
6:24 PM: c:\documents and settings\all users\application data\vidctrl (1 subtraces) (ID = -2147477475)
6:24 PM: sskknwrd.dll (ID = 77733)
6:25 PM: Found Adware: upspiral toolbar
6:25 PM: unist2.exe (ID = 82040)
6:27 PM: m67m.inf (ID = 74028)
6:28 PM: sskcwrd.dll (ID = 77712)
6:28 PM: ttext.dll (ID = 75991)
6:28 PM: Found Adware: adlogix
6:28 PM: qvnkwb.xml (ID = 49280)
6:28 PM: File Sweep Complete, Elapsed Time: 00:03:59
6:28 PM: Full Sweep has completed. Elapsed time 00:08:42
6:28 PM: Traces Found: 469
6:28 PM: Removal process initiated
6:28 PM: Quarantining All Traces: shopnavupdater
6:28 PM: Quarantining All Traces: apropos
6:28 PM: Quarantining All Traces: bookedspace
6:28 PM: Quarantining All Traces: delfin
6:28 PM: Quarantining All Traces: ieplugin
6:28 PM: Quarantining All Traces: drsnsrch.com hijack
6:28 PM: Quarantining All Traces: trojan-downloader-pacisoft
6:28 PM: Quarantining All Traces: redzip toolbar
6:28 PM: Quarantining All Traces: roings search enhancment
6:28 PM: Quarantining All Traces: shopnav.com hijacker
6:28 PM: Quarantining All Traces: surfsidekick
6:29 PM: Quarantining All Traces: winad
6:29 PM: Quarantining All Traces: icannnews
6:29 PM: Quarantining All Traces: adknowledge cookie
6:29 PM: Quarantining All Traces: adrevolver cookie
6:29 PM: Quarantining All Traces: addynamix cookie
6:29 PM: Quarantining All Traces: pointroll cookie
6:29 PM: Quarantining All Traces: falkag cookie
6:29 PM: Quarantining All Traces: atwola cookie
6:29 PM: Quarantining All Traces: belnk cookie
6:29 PM: Quarantining All Traces: casalemedia cookie
6:29 PM: Quarantining All Traces: adserver cookie
6:29 PM: Quarantining All Traces: upspiral toolbar
6:29 PM: Quarantining All Traces: adlogix
6:29 PM: Removal process completed. Elapsed time 00:00:41
********
6:17 PM: |··· Start of Session, Thursday, August 25, 2005 ···|
6:17 PM: Spy Sweeper started
6:19 PM: |··· End of Session, Thursday, August 25, 2005 ···|

#13 Rawe (Visiting Staff, Member, 4,746 posts)
Can you run this online scan and post its results here along with a fresh HiJackThis log:

Panda Activescan :tazz:

#14 scd666 (Topic Starter, Member, 12 posts)
I did the Panda scan thing, but it never gave me anything to save to show you, but here is the HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 12:12:42 AM, on 8/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sophos\Remote Update\cachemgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\Fast.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Logitech\MouseWare\System\Em_exec.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Documents and Settings\Shane\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {76F7686F-A482-8474-D71E-AF1853F7909E} - C:\WINDOWS\system32\bawslju.dll
O2 - BHO: SDWin32 Class - {E8E41329-CB4F-49F4-BBAE-2957C28CF901} - C:\WINDOWS\system32\qvnkw.dll (file missing)
O4 - HKLM\..\Run: [qvnkwc] C:\WINDOWS\system32\qvnkwc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [aB03RRGFV] rtuur32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Remote Update Monitor.lnk = C:\Program Files\Sophos\Remote Update\imonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1108150780168
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O23 - Service: Sophos Cache Manager (CacheMgr) - SOPHOS Plc - C:\Program Files\Sophos\Remote Update\cachemgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

#15 Rawe (Visiting Staff, Member, 4,746 posts)
Run a scan with HijackThis and check the following entries for removal:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {76F7686F-A482-8474-D71E-AF1853F7909E} - C:\WINDOWS\system32\bawslju.dll
O2 - BHO: SDWin32 Class - {E8E41329-CB4F-49F4-BBAE-2957C28CF901} - C:\WINDOWS\system32\qvnkw.dll (file missing)
O4 - HKLM\..\Run: [qvnkwc] C:\WINDOWS\system32\qvnkwc.exe
O4 - HKCU\..\Run: [aB03RRGFV] rtuur32.exe


Then close ALL open windows except for HiJackThis and hit FIX CHECKED.

Now..

1) Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

3) Once in Safe Mode, please run Killbox.

4) Select "Delete on Reboot".

5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\bawslju.dll
C:\WINDOWS\system32\qvnkw.dll
C:\WINDOWS\system32\qvnkwc.exe
C:\WINDOWS\rtuur32.exe


6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Let the system reboot.

Post a fresh HiJackThis log.

- Rawe :tazz:
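The triage Rawe does by eye above, as an added Python example that is not part of this thread or of HijackThis: it parses HijackThis log lines (a subset of the log posted in #14, embedded as sample input) and flags the same kinds of entries. The allowlist host and the tests for unnamed or missing BHOs, bare Run targets and vowel-less file names are heuristics assumed for this example, not HijackThis rules.

```python
import re
from urllib.parse import urlsplit

# Lines taken from the HijackThis log posted above (constructed subset for the example).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {76F7686F-A482-8474-D71E-AF1853F7909E} - C:\WINDOWS\system32\bawslju.dll
O2 - BHO: SDWin32 Class - {E8E41329-CB4F-49F4-BBAE-2957C28CF901} - C:\WINDOWS\system32\qvnkw.dll (file missing)
O4 - HKLM\..\Run: [qvnkwc] C:\WINDOWS\system32\qvnkwc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [aB03RRGFV] rtuur32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

EXPECTED_HOSTS = {"www.yahoo.com"}  # assumed: the home/search host the user chose
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"\[[^\]]+\]\s+(?P<cmd>.*)$")


def parse_entries(log_text):
    # Split the log into (kind, body) tuples; header and process-list lines are skipped.
    out = []
    for line in log_text.splitlines():
        if m := ENTRY_RE.match(line.strip()):
            out.append((m.group("kind"), m.group("body")))
    return out


def flag_entry(kind, body):
    # Return a reason if the entry trips an assumed heuristic (modelled on the
    # helper's selection above, not a HijackThis rule), else None.
    if kind in ("R0", "R1"):
        host = urlsplit(body.split(" = ", 1)[-1]).hostname or ""
        # Hosts are truncated in the posted log ("us.rd.yahoo.c..."); they still
        # fail the allowlist, so the redirector entries are flagged as intended.
        if host not in EXPECTED_HOSTS:
            return "IE start/search setting points at an unexpected host: " + host
    elif kind == "R3" and "is missing" in body:
        return "default URLSearchHook removed (typical after a search hijack)"
    elif kind == "O2":
        if "(no name)" in body:
            return "BHO registered without a display name"
        if body.endswith("(file missing)"):
            return "BHO whose DLL is gone from disk (orphaned CLSID)"
    elif kind == "O4":
        if m := O4_RE.search(body):
            cmd = m.group("cmd").strip()
            # Quoted command: take the quoted path; otherwise take the first token.
            exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
            if "\\" not in exe:
                return "Run value launches a bare file name with no path: " + exe
            stem = exe.rsplit("\\", 1)[1].rsplit(".", 1)[0].lower()
            if exe.lower().startswith("c:\\windows\\") and not re.search("[aeiouy]", stem):
                return "vowel-less random-looking file name in the Windows tree: " + exe
    return None


def triage(log_text):
    # Collect (kind, reason, body) for every entry that trips a heuristic.
    hits = []
    for kind, body in parse_entries(log_text):
        if reason := flag_entry(kind, body):
            hits.append((kind, reason, body))
    return hits
```

On the sample above `triage(SAMPLE_LOG)` returns six hits: the hijacked Search Bar, the missing URLSearchHook, both suspect BHOs, and the qvnkwc and rtuur32 Run values, while ctfmon, the Yahoo start page and the Acrobat BHO pass.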