[Fignuts]

Hi, I'm new here and was referenced by a friend. I have the dr. watson postmortem debugger on my computer, and I cannot get it off.

I read through the list of things to do first before posting hijackthis, and I was able to run download the cleanup program, Spybot Search & Destroy, Ad-Aware SE Microsoft Anti-Spyware, and ewido in an attempt to get rid of this. I am going to post my HijackThis! log in hopes of a program or something to get rid of this. I currently cannot run winamp, and have problems with games crashing that were not there because of this spyware. Please help, thanks.

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\ANDY\spyware removers\microsoftantispyware\gcasServ.exe
C:\ANDY\spyware removers\microsoftantispyware\gcasDtServ.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\ANDY\iPod\bin\iPodService.exe
C:\ANDY\sb\SlimBrowser\sbrowser.exe
C:\ANDY\spyware removers\ewido\security suite\ewidoguard.exe
C:\ANDY\spyware removers\ewido\security suite\ewidoctrl.exe
C:\ANDY\Winamp\winamp.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\ANDY\spyware removers\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.operation...forum/index.php
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\ANDY\getright\GetRight\xx2gr.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - D:\Programs\flashfxp\IEFlash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\ANDY\flashget\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [gcasServ] "C:\ANDY\spyware removers\microsoftantispyware\gcasServ.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: Download All by FlashGet - C:\ANDY\flashget\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\ANDY\flashget\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with GetRight - C:\ANDY\getright\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\ANDY\getright\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\ANDY\J2SE\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\ANDY\J2SE\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1104178141805
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123459691828
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D3A7982E-915D-4589-8ECE-249F70D0C941} (Launch Control) - http://aaotracker.4p.../LaunchGame.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\ANDY\spyware removers\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\ANDY\spyware removers\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\ANDY\iPod\bin\iPodService.exe

[Advertisements]

Hi fignuts. Sorry you were missed on the first go-round. Please rerun hijack this and post the new log in this thread.

[coachwife6]

Hi fignuts. Sorry you were missed on the first go-round. Please rerun hijack this and post the new log in this thread.

[Fignuts]

Logfile of HijackThis v1.99.1
Scan saved at 7:44:17 PM, on 08/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\ANDY\spyware removers\microsoftantispyware\gcasServ.exe
D:\Programs\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\ANDY\spyware removers\microsoftantispyware\gcasDtServ.exe
C:\ANDY\spyware removers\ewido\security suite\ewidoctrl.exe
C:\ANDY\spyware removers\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\wscntfy.exe
D:\Programs\spyware removers\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.operation...forum/index.php
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\ANDY\getright\GetRight\xx2gr.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - D:\Programs\flashfxp\IEFlash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\ANDY\flashget\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [gcasServ] "C:\ANDY\spyware removers\microsoftantispyware\gcasServ.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Programs\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: Download All by FlashGet - C:\ANDY\flashget\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\ANDY\flashget\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with GetRight - C:\ANDY\getright\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\ANDY\getright\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\ANDY\J2SE\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\ANDY\J2SE\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1104178141805
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123459691828
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D3A7982E-915D-4589-8ECE-249F70D0C941} (Launch Control) - http://aaotracker.4p.../LaunchGame.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\ANDY\spyware removers\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\ANDY\spyware removers\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\ANDY\iPod\bin\iPodService.exe

[coachwife6]

There are quite a few programs available that offer protection features to help keep a computer from getting infected. While this is normally a helpful feature, it can keep a victim from making the changes necessary to clean their comptuer. Please read the following and uninstall or disable those that apply to your machine.

These programs need to be uninstalled

AdWatch

These programs can just be disabled

Microsoft Antispyware
TeaTimer
SpySweeper
Win Patrol
Spyware Guard
PSGuard
Pestpatrol
Regrun
Diamonds Process controller

I know you've run adaware, but try it with these instructions:

Please scan your system with Ad-aware:
Ad-aware SE - Download - Home Page

• If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.
• After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run.
• Manually run "Ad-Aware SE Personal" and from the main screen Click on "Check for Updates Now".
• Once the definitions have been updated:
• Reconfigure Ad-Aware for Full Scan as per the following instructions:
  • Launch the program, and click on the Gear at the top of the start screen.
  • Under General Settings the following boxes should all be checked off: (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)
    • "Automatically save logfile"
    • Automatically quarantine objects prior to removal"
    • Safe Mode (always request confirmation)
    • Prompt to update outdated confirmation) - Change to 7 days.
  • Click the "Scanning" button (On the left side).
  • Under Drives & Folders, select "Scan within Archives"
  • Click "Click here to select Drives + folders" and select your installed hard drives.
  • Under Memory & Registry, select all options.
  • Click the "Advanced" button (On the left hand side).
  • Under "Shell Integration", select "Move deleted files to Recycle Bin".
  • Under "Log-file detail", select all options.
  • Click on the "Defaults" button on the left.
  • Type in the full url of what you want as your default homepage and searchpage e.g. http://www.google.com.
  • Click the "Tweak" button (Again, on the left hand side).
  • Expand "Scanning Engine" by clicking on the "+" (Plus) symbol and select the following:
    • "Unload recognized processes during scanning."
    • "Obtain command line of scanned processes"
    • "Scan registry for all users instead of current user only"
  • Under "Cleaning Engine", select the following:
    • "Automatically try to unregister objects prior to deletion."
    • "During removal, unload explorer and IE if necessary"
    • "Let Windows remove files in use at next reboot."
    • "Delete quarrantined objects after restoring"
  • Click on "Safety Settings" and select "Write-protect system files after repair (Hosts file, etc)"
  • Click on "Proceed" to save these Preferences.
  • Click on the "Scan Now" button on the left.
  • Under "Select Scan Mode, be sure to select "Use Custom Scanning Options".
• Close all programs except ad-aware.
• Click on "Next" in the bottom right corner to start the scan.
• Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.
• After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may of found. Allow it to finish.

Download the free VX2 Cleaner here[list]
[*]Close Ad-Aware SE build 1.05 and Ad-Watch (if running)
[*]Install the VX2 Cleaner
[*]Start Ad-Aware SE build 1.05
[*]Go to “Plug-ins”
[*]Select the VX2 Cleaner plug-in and click “Run Plugin”
[*]If your computer isn't infected, click "close"
[*]If your computer is infected:[list]
[*]Select “Clean System”
[*]Reboot your computer
[*]Scan your computer with Ad-Aware
[*]Remove any VX2 objects detected
[*]Reboot your computer again
[*]Run a second scan to make sure the files have been removed from your computer



Just some minor cleaning up to do. Close all windows and run hijack this. Put check marks next to these entries.

R3 - Default URLSearchHook is missing
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\ANDY\J2SE\bin\npjpi150_04.dll

Run CleanUp!

Please run a free online virus scan here: (Use Internet Explorer)

http://enterprises.p...l_companies.htm

Post the results here.

If you would please, rescan with HijackThis and post a fresh log in this same topic.

Edited by coachwife6, 30 August 2005 - 07:13 PM.