Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

HELP with a better internet [CLOSED]

Started by biggddd , Aug 20 2005 03:13 AM

  • This topic is locked This topic is locked

#1
biggddd
Posted 20 August 2005 - 03:13 AM

biggddd

    Member

  • Member
  • PipPip
  • 20 posts
here is my son's hijack this log. thanks for all your help



Logfile of HijackThis v1.99.1
Scan saved at 5:50:40 AM, on 8/17/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
F:\WINDOWS\System32\CTSvcCDA.exe
F:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
F:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
F:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE
F:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
F:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
F:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
F:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
F:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.EXE
F:\WINDOWS\Explorer.exe
F:\WINDOWS\System32\RunDll32.exe
F:\Program Files\Creative\ShareDLL\CtNotify.exe
F:\Program Files\Creative\Audio\PROGRAM\CTMIX32.EXE
F:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
F:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE
F:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe
F:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
F:\WINDOWS\System32\ctfmon.exe
F:\Program Files\InterAct\Gaming Devices\JoyAct.exe
F:\Program Files\Charter High-Speed Security Suite\Common\FCH32.EXE
F:\Program Files\Creative\ShareDLL\MediaDet.Exe
F:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.EXE
F:\Program Files\Charter High-Speed Security Suite\FSPC\fspc.exe
F:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe
F:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe
F:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
F:\Program Files\Charter High-Speed Security Suite\FSGUI\fsguiexe.exe
F:\WINDOWS\System32\wuauclt.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\mspaint.exe
F:\Program Files\TrojanHunter 4.2\TrojanHunter.exe
F:\Documents and Settings\jonathan\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\DOCUME~1\jonathan\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = g
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rockstarg....com/sanandreas
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = w
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = v
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = b
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = g
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F2 - REG:system.ini: Shell=Explorer.exe F:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3EB3423F-A020-40A8-9259-12B9CAD3ABD0} - F:\WINDOWS\System32\ggmh.dll (file missing)
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - F:\WINDOWS\AuroraHandler.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar2.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - F:\WINDOWS\System32\richedtr.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [FSA] F:\WINDOWS\FSA.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Disc Detector] F:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CreativeMixer] F:\Program Files\Creative\Audio\PROGRAM\CTMIX32.EXE /t
O4 - HKLM\..\Run: [LWBMOUSE] F:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [F-Secure Manager] "F:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "F:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "F:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "F:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [richup] F:\WINDOWS\System32\richup.exe
O4 - HKLM\..\Run: [Dinst] F:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "F:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gedatg] F:\WINDOWS\System32\hrkvbey.exe r
O4 - HKLM\..\Run: [THGuard] "F:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: InterAct Profile Activator.lnk = F:\Program Files\InterAct\Gaming Devices\JoyAct.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySweeper.exe
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://f:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Show website &list - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Suspend Webpage Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Deny this website - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Allow this website - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Charter High-Speed Security Suite (BackWeb Plug-in - 3528733) - Unknown owner - F:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - F:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - F:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - F:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - F:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - F:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
  • 0

Advertisements

#2
Excal
Posted 20 August 2005 - 03:27 AM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi biggddd and welcome to GeeksToGo! My name is Excal and I will be helping you.


We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time. Click here: http://www.microsoft...p1/default.mspx Apply the update, reboot, and post a fresh Hijack This log.
(DO NOT INSTALL SP2)


thanks,

:tazz:

Excal
  • 0

#3
biggddd
Posted 21 August 2005 - 07:50 AM

biggddd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
hi excal

ok - i'll do it & repost the log

thanks
~Darlene
  • 0

#4
Excal
Posted 21 August 2005 - 10:05 AM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Sure thing Darlene!

I will be waiting :)


Thanks,

:tazz:

Excal
  • 0

#5
biggddd
Posted 21 August 2005 - 08:42 PM

biggddd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Hi Excal:

OK, SP1a has been installed and we have rebooted. Here is the latest Hijack This log:


Logfile of HijackThis v1.99.1
Scan saved at 7:33:09 PM, on 8/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
F:\WINDOWS\System32\CTSvcCDA.exe
F:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
F:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE
F:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
F:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
F:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.EXE
F:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
F:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
F:\Program Files\Charter High-Speed Security Suite\Common\FCH32.EXE
F:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.EXE
F:\Program Files\Charter High-Speed Security Suite\FSPC\fspc.exe
F:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe
F:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe
F:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
F:\WINDOWS\Explorer.exe
F:\WINDOWS\System32\wuauclt.exe
F:\WINDOWS\System32\wbem\wmiprvse.exe
F:\WINDOWS\System32\msiexec.exe
F:\WINDOWS\System32\wuauclt.exe
F:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
F:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
F:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE
F:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe
F:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
F:\Program Files\Charter High-Speed Security Suite\FSGUI\fsguiexe.exe
F:\WINDOWS\System32\ctfmon.exe
F:\Program Files\InterAct\Gaming Devices\JoyAct.exe
F:\Documents and Settings\jonathan\Desktop\HIJACK THIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\DOCUME~1\jonathan\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = g
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rockstarg....com/sanandreas
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = w
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = v
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = b
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = g
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F2 - REG:system.ini: Shell=Explorer.exe F:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3EB3423F-A020-40A8-9259-12B9CAD3ABD0} - F:\WINDOWS\System32\ggmh.dll (file missing)
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - F:\WINDOWS\AuroraHandler.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar2.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - F:\WINDOWS\System32\richedtr.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [FSA] F:\WINDOWS\FSA.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Disc Detector] F:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [LWBMOUSE] F:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [F-Secure Manager] "F:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "F:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "F:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "F:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [richup] F:\WINDOWS\System32\richup.exe
O4 - HKLM\..\Run: [Dinst] F:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "F:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [THGuard] "F:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [ddbypg] F:\WINDOWS\System32\hswpoj.exe r
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O4 - Startup: InterAct Profile Activator.lnk = F:\Program Files\InterAct\Gaming Devices\JoyAct.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySweeper.exe
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://f:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Show website &list - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Suspend Webpage Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Deny this website - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Allow this website - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Charter High-Speed Security Suite (BackWeb Plug-in - 3528733) - Unknown owner - F:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - F:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - F:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - F:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - F:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - F:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - F:\WINDOWS\svcproc.exe (file missing)
  • 0

#6
Excal
Posted 21 August 2005 - 08:45 PM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.

1. Please download LSPFix from here.
2. Run the LSPFix.exe that you have just finished downloading.
3. Check the I know what I'm doing box.
4. In the Keep box you should see one or more instances of winsflt.dll
5. Select every instance of winsflt.dll and move each one to the Remove box by clicking the >> button.
6. When you are done click Finish>>.
7. Reboot and please post a fresh HiJackThis log..
  • 0

#7
biggddd
Posted 21 August 2005 - 10:25 PM

biggddd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
ok excal


here are the lspfix results. lspfix_results.GIF
there was only 1 instance of the file winsflt.dll & it was already in the reomve column.

Also here is the latest hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 9:13:57 PM, on 8/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
F:\WINDOWS\System32\CTSvcCDA.exe
F:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
F:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
F:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE
F:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
F:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
F:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.EXE
F:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
F:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
F:\WINDOWS\Explorer.exe
F:\Program Files\Charter High-Speed Security Suite\Common\FCH32.EXE
F:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.EXE
F:\Program Files\Charter High-Speed Security Suite\FSPC\fspc.exe
F:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe
F:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe
F:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
F:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE
F:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
F:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe
F:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
F:\Program Files\Messenger\msmsgs.exe
F:\WINDOWS\System32\ctfmon.exe
F:\Program Files\Charter High-Speed Security Suite\FSGUI\fsguiexe.exe
F:\Program Files\InterAct\Gaming Devices\JoyAct.exe
F:\WINDOWS\System32\wuauclt.exe
F:\WINDOWS\System32\wuauclt.exe
F:\Documents and Settings\jonathan\Desktop\HIJACK THIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\DOCUME~1\jonathan\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = g
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rockstarg....com/sanandreas
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = w
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = v
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = b
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = g
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F2 - REG:system.ini: Shell=Explorer.exe F:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3EB3423F-A020-40A8-9259-12B9CAD3ABD0} - F:\WINDOWS\System32\ggmh.dll (file missing)
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - F:\WINDOWS\AuroraHandler.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar2.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - F:\WINDOWS\System32\richedtr.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [FSA] F:\WINDOWS\FSA.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Disc Detector] F:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [LWBMOUSE] F:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [F-Secure Manager] "F:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "F:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "F:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "F:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [richup] F:\WINDOWS\System32\richup.exe
O4 - HKLM\..\Run: [Dinst] F:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "F:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [THGuard] "F:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [ddbypg] F:\WINDOWS\System32\hswpoj.exe r
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O4 - Startup: InterAct Profile Activator.lnk = F:\Program Files\InterAct\Gaming Devices\JoyAct.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://f:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Show website &list - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Suspend Webpage Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Deny this website - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Allow this website - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Charter High-Speed Security Suite (BackWeb Plug-in - 3528733) - Unknown owner - F:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - F:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - F:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - F:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - F:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - F:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - F:\WINDOWS\svcproc.exe (file missing)

another thing - our f-secure firewall keeps telling us that aurora is trying to access the internet - we keep saying deny - just thought i'd let you know.
  • 0

#8
Excal
Posted 21 August 2005 - 10:38 PM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts

DOWNLOAD PROGRAMS

Please download ewido security suite it is a trial version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates Do NOT run a scan yet. (if you already have, please just update)

Please download Nailfix from Here
please do NOT run it yet.

Download and install CleanUp! Here*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.
We will use this program later.

Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download SpSeHjfix Here.
Save programs to your desktop for easy access, Please do not run any of the programs unless told to do so.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder

THE FIX

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Once in Safe Mode, please double-click on
Nailfix.exe on your desktop. Click next, then finished. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

5. Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

6. Now open and run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan when it ask if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
Close Ewido

7. Close all browsers, windows and unneeded programs.

8. Open HiJack and do a scan.

9. Put a Check next to the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\DOCUME~1\jonathan\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = g
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = w
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = v
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = b
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = g
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F2 - REG:system.ini: Shell=Explorer.exe F:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {3EB3423F-A020-40A8-9259-12B9CAD3ABD0} - F:\WINDOWS\System32\ggmh.dll (file missing)
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - F:\WINDOWS\AuroraHandler.dll
O4 - HKLM\..\Run: [FSA] F:\WINDOWS\FSA.exe
O4 - HKLM\..\Run: [richup] F:\WINDOWS\System32\richup.exe
O4 - HKLM\..\Run: [Dinst] F:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [ddbypg] F:\WINDOWS\System32\hswpoj.exe r
O23 - Service: System Startup Service (SvcProc) - Unknown owner - F:\WINDOWS\svcproc.exe (file missing)

10. click the Fix Checked box

11. Please remove just the files from the following paths using Windows Explorer (if present):

F:\WINDOWS\FSA.exe
F:\WINDOWS\System32\richup.exe
F:\WINDOWS\dinst.exe

12. Please run about:buster by RubbeRDuckY:
  • Click Begin Removal.
  • It will begin to check your computer for malicious files.
  • AboutBuster will finish and open a new page. Follow the instructions for protection on that page.
  • Shut down AboutBuster. A log should have been created.Please Save this log and copy it in your next post.
13. Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

14. Run the program CleanUp!

15. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

16. Please post an Active scan log , Ewido Scan log and a fresh HiJackThis log. Let me know how your computer is running.
  • 0

#9
biggddd
Posted 22 August 2005 - 01:05 AM

biggddd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
ok

we're on it -
  • 0

#10
biggddd
Posted 22 August 2005 - 04:35 AM

biggddd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Ok Excal:

Here are all the results.

ACTIVESCAN: ********************************

COULD NOT BE RUN - THERE WAS AN ERROR DOWNLOADING THE ACTIVE X CONTROL


EWIDO SECURITY SCAN:***********************

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:39:27 AM, 8/22/2005
+ Report-Checksum: D28FEB9D

+ Scan result:

F:\Documents and Settings\darlene\Local Settings\Temp\SE.0LL -> Spyware.Hijacker.Generic : Cleaned with backup
F:\Documents and Settings\Guest\Cookies\guest@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
F:\Documents and Settings\jonathan\Cookies\jonathan@hypertracker[1].txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
F:\Documents and Settings\jonathan\Cookies\[email protected][2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
F:\Documents and Settings\jonathan\Local Settings\Temp\asfjkk32.tmp -> Spyware.SafeSurfing : Cleaned with backup
F:\Documents and Settings\jonathan\Local Settings\Temp\Cookies\jonathan@overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
F:\Documents and Settings\jonathan\Local Settings\Temp\dinst.exe -> TrojanDownloader.Intexp.d : Cleaned with backup
F:\Documents and Settings\Margie\Cookies\margie@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
F:\Documents and Settings\Margie\Cookies\margie@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
F:\Documents and Settings\Margie\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
F:\Documents and Settings\Margie\Cookies\[email protected][1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
F:\Documents and Settings\Margie\Cookies\[email protected][2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
F:\Documents and Settings\Margie\Cookies\margie@adtrak[2].txt -> Spyware.Cookie.Adtrak : Cleaned with backup
F:\Documents and Settings\Margie\Cookies\margie@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
F:\Documents and Settings\Margie\Cookies\margie@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
F:\Documents and Settings\Margie\Cookies\margie@bfast[1].txt -> Spyware.Cookie.Bfast : Cleaned with backup
F:\Documents and Settings\Margie\Cookies\margie@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
F:\Documents and Settings\Margie\Cookies\[email protected][1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
F:\Documents and Settings\Margie\Cookies\margie@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
F:\Documents and Settings\Margie\Cookies\margie@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
F:\Documents and Settings\Margie\Cookies\[email protected][1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
F:\Documents and Settings\Margie\Cookies\margie@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
F:\Documents and Settings\Margie\Cookies\margie@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
F:\Documents and Settings\Margie\Cookies\margie@linksynergy[2].txt -> Spyware.Cookie.Linksynergy : Cleaned with backup
F:\Documents and Settings\Margie\Cookies\margie@mediaplex[2].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
F:\Documents and Settings\Margie\Cookies\margie@overture[2].txt -> Spyware.Cookie.Overture : Cleaned with backup
F:\Documents and Settings\Margie\Cookies\[email protected][1].txt -> Spyware.Cookie.Overture : Cleaned with backup
F:\Documents and Settings\Margie\Cookies\[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
F:\Documents and Settings\Margie\Cookies\margie@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
F:\Documents and Settings\Margie\Cookies\margie@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
F:\Documents and Settings\Margie\Cookies\[email protected][2].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
F:\Documents and Settings\Margie\Cookies\margie@revenue[2].txt -> Spyware.Cookie.Revenue : Cleaned with backup
F:\Documents and Settings\Margie\Cookies\[email protected][2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
F:\Documents and Settings\Margie\Cookies\[email protected][2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
F:\Documents and Settings\Margie\Cookies\margie@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
F:\Documents and Settings\Margie\Cookies\[email protected][2].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
F:\Documents and Settings\Margie\Cookies\margie@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
F:\Documents and Settings\Margie\Cookies\margie@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
F:\Documents and Settings\Margie\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
F:\Documents and Settings\Margie\Local Settings\Temp\dinst.exe -> TrojanDownloader.Intexp.d : Cleaned with backup
F:\Documents and Settings\Margie\Local Settings\Temp\se.0ll -> Spyware.Hijacker.Generic : Cleaned with backup
F:\WINDOWS\AuroraHandler.dll -> Adware.BetterInternet : Cleaned with backup
F:\WINDOWS\DINST.0XE -> TrojanDownloader.Intexp.d : Cleaned with backup
F:\WINDOWS\hefrxjpbfup.exe -> Adware.BetterInternet : Cleaned with backup
F:\WINDOWS\pivcgs.exe -> Adware.BetterInternet : Cleaned with backup
F:\WINDOWS\system32\hrkvbey.0xe -> Trojan.Agent.gp : Cleaned with backup
F:\WINDOWS\system32\HSWPOJ.0XE -> Trojan.Agent.ay : Cleaned with backup
F:\WINDOWS\system32\OGYMHNV.0XE -> Adware.BetterInternet : Cleaned with backup
F:\WINDOWS\system32\Poller.0xe -> Adware.BetterInternet : Cleaned with backup
F:\WINDOWS\system32\Poller.1xe -> Adware.BetterInternet : Cleaned with backup
F:\WINDOWS\system32\POLLER.2XE -> Trojan.Agent.cp : Cleaned with backup
F:\WINDOWS\system32\POLLER.3XE -> Trojan.Agent.ay : Cleaned with backup
F:\WINDOWS\system32\Poller.exe -> Trojan.Agent.ay : Cleaned with backup
F:\WINDOWS\system32\redtrsha.dll -> Spyware.SafeSurfing : Cleaned with backup
F:\WINDOWS\system32\richup.exe -> Spyware.SafeSurfing : Cleaned with backup


::Report End

HIJACK THIS LOG: ********************************


Logfile of HijackThis v1.99.1
Scan saved at 3:29:13 AM, on 8/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
F:\WINDOWS\System32\CTSvcCDA.exe
F:\Program Files\ewido\security suite\ewidoctrl.exe
F:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
F:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
F:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE
F:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
F:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
F:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
F:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.EXE
F:\Program Files\Charter High-Speed Security Suite\Common\FCH32.EXE
F:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.EXE
F:\Program Files\Charter High-Speed Security Suite\FSPC\fspc.exe
F:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe
F:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
F:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
F:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe
F:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
F:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE
F:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
F:\WINDOWS\System32\ctfmon.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Charter High-Speed Security Suite\FSGUI\fsguiexe.exe
F:\Program Files\InterAct\Gaming Devices\JoyAct.exe
F:\WINDOWS\System32\wuauclt.exe
F:\Documents and Settings\jonathan\Desktop\HIJACK THIS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rockstarg....com/sanandreas
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar2.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - F:\WINDOWS\System32\richedtr.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Disc Detector] F:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [THGuard] "F:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [richup] F:\WINDOWS\System32\richup.exe
O4 - HKLM\..\Run: [News Service] "F:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LWBMOUSE] F:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [FSA] F:\WINDOWS\FSA.exe
O4 - HKLM\..\Run: [F-Secure TNB] "F:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "F:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [F-Secure Manager] "F:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [Dinst] F:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [ddbypg] F:\WINDOWS\System32\hswpoj.exe r
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AdaptecDirectCD] "F:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: InterAct Profile Activator.lnk = F:\Program Files\InterAct\Gaming Devices\JoyAct.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://f:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Show website &list - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Suspend Webpage Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Deny this website - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Allow this website - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O23 - Service: Charter High-Speed Security Suite (BackWeb Plug-in - 3528733) - Unknown owner - F:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - F:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - F:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - F:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - F:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - F:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE

*************************************888
**************************************
thE FOllowing stuff wasnt there to delete, but i see they are back now....

f:\windows\fsa.exe & f:\windows\system32\richup.exe & f:\windowsdinst.exe

also these hijack this items - were not present to check & fix

O4 - HKLM\..\Run: [FSA] F:\WINDOWS\FSA.exe
O4 - HKLM\..\Run: [richup] F:\WINDOWS\System32\richup.exe
O4 - HKLM\..\Run: [Dinst] F:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [ddbypg] F:\WINDOWS\System32\hswpoj.exe r
O23 - Service: System Startup Service (SvcProc) - Unknown owner - F:\WINDOWS\svcproc.exe (file missing)


system is running a lot faster though... I can see a big difference - but we still gots aurora hanging on.

~Darlene
  • 0

Advertisements

#11
Excal
Posted 22 August 2005 - 09:34 AM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Please give ma a fresh HiJackthis log. Then don't reboot or shut off the computer until I give you instructions please :)


Thanks,

:tazz:

Excal
  • 0

#12
biggddd
Posted 22 August 2005 - 12:28 PM

biggddd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
THAT LAST HIJACK THIS was a fresh one, it was the last thing i ran. you want another one?

~Darlene
  • 0

#13
Excal
Posted 22 August 2005 - 12:45 PM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Yes, I need to get the file that changes all the time :)

:tazz:

Excal
  • 0

#14
biggddd
Posted 22 August 2005 - 05:53 PM

biggddd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Logfile of HijackThis v1.99.1
Scan saved at 4:49:34 PM, on 8/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
F:\WINDOWS\System32\CTSvcCDA.exe
F:\Program Files\ewido\security suite\ewidoctrl.exe
F:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
F:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
F:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE
F:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
F:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
F:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
F:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.EXE
F:\Program Files\Charter High-Speed Security Suite\Common\FCH32.EXE
F:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.EXE
F:\Program Files\Charter High-Speed Security Suite\FSPC\fspc.exe
F:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe
F:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
F:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
F:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe
F:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
F:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE
F:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
F:\WINDOWS\System32\ctfmon.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\Charter High-Speed Security Suite\FSGUI\fsguiexe.exe
F:\Program Files\InterAct\Gaming Devices\JoyAct.exe
F:\WINDOWS\System32\wuauclt.exe
F:\WINDOWS\system32\mobsync.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Documents and Settings\jonathan\Desktop\HIJACK THIS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rockstarg....com/sanandreas
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar2.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - F:\WINDOWS\System32\richedtr.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Disc Detector] F:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [THGuard] "F:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [richup] F:\WINDOWS\System32\richup.exe
O4 - HKLM\..\Run: [News Service] "F:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LWBMOUSE] F:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [FSA] F:\WINDOWS\FSA.exe
O4 - HKLM\..\Run: [F-Secure TNB] "F:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "F:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [F-Secure Manager] "F:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [Dinst] F:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [ddbypg] F:\WINDOWS\System32\hswpoj.exe r
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AdaptecDirectCD] "F:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: InterAct Profile Activator.lnk = F:\Program Files\InterAct\Gaming Devices\JoyAct.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://f:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://f:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://f:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://f:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://f:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Show website &list - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Suspend Webpage Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Deny this website - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Allow this website - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - F:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O23 - Service: Charter High-Speed Security Suite (BackWeb Plug-in - 3528733) - Unknown owner - F:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - F:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - F:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - F:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - F:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - F:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
  • 0

#15
Excal
Posted 22 August 2005 - 06:42 PM

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Download Process Explorer from http://www.sysintern...ssExplorer.html

Run Process Explorer and find the Process in the list of Processes.
Select this process and click Process > Suspend.

hswpoj.exe

Then in HijackThis click Config > Misc Tools > Delete a file on reboot...
In the explorer Window select the file F:\WINDOWS\System32\hswpoj.exe
When prompted if you want to reboot click YES
Leave Process explorer running with the process suspended.

After the reboot check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [ddbypg] F:\WINDOWS\System32\hswpoj.exe r

Reboot

Please post a fresh HiJackthis log

Edited by Excal, 22 August 2005 - 06:42 PM.

  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP