Another winfixer victim :( [RESOLVED]

#16 my_6th_sense (Topic Starter, Member)
The new HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 18:40:35, on 25/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
C:\Program Files\Indentix\WinGet\WinGet.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Wouter\Bureaublad\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO:  - {371C6960-302C-45D0-9504-50B820247439} - C:\Program Files\Indentix\WinGet\WinIE.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [second] C:\Documents and Settings\Wouter\Bureaublad\l2mfix\second.bat
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [WinGet.exe] C:\Program Files\Indentix\WinGet\WinGet.exe /silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Download with &WinGet - res://C:\Program Files\Indentix\WinGet\WinIE.dll/300
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Ontvang alles met FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Ontvang met FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab28578.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/...h/v2/EARTPX.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107081003921
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game19.zylomg...gamesplayer.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod-service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

and the vundofix file...


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Suspending PID 428 'smss.exe'
Threads [432][436][440]

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1296 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 520 'winlogon.exe'
Killing PID 520 'winlogon.exe'
Killing PID 520 'winlogon.exe'
Killing PID 520 'winlogon.exe'
Sucessfully Deleted

#17 Rawe (Visiting Staff)
Let's sweep up some leftovers...

Please download WebRoot SpySweeper from HERE (it's a 2-week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Double-click the file to install it as follows:
    • Click "Next", read the agreement, Click "Next"
    • Choose "Custom" click "Next".
    • Leave the default installation directory as it is, then click "Next".
    • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
    • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
    Disable SpySweeper Shields
    • Click Shields on the left.
    • Click Internet Explorer and uncheck all items.
    • Click Windows System and uncheck all items.
    • Click Startup Programs and uncheck all items.
  • Once the definitions are installed and shields disabled, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
:tazz:

#18 my_6th_sense (Topic Starter, Member)
Well, here it is... are you sure this is correct? :tazz:
Still that much spyware? Ad-Aware or Microsoft AntiSpyware never detected them...

********
18:53: |··· Start of Session, donderdag 25 augustus 2005 ···|
18:53: Spy Sweeper started
18:53: Sweep initiated using definitions version 521
18:53: Starting Memory Sweep
18:55: Memory Sweep Complete, Elapsed Time: 00:01:55
18:55: Starting Registry Sweep
18:55: Found Trojan Horse: alwaysupdatednews
18:55: HKU\S-1-5-21-3399214811-4080963341-1148649159-1006\software\aun\ (4 subtraces) (ID = 103544)
18:55: Found Adware: blazefind_adstat
18:55: HKLM\software\classes\winstatx.installer\ (3 subtraces) (ID = 104588)
18:55: HKCR\winstatx.installer\ (3 subtraces) (ID = 104594)
18:55: Found Adware: cws_ns3
18:55: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\webdlg32.dll (ID = 123378)
18:55: Found Adware: cws_xplugin
18:55: HKU\S-1-5-21-3399214811-4080963341-1148649159-1006\software\microsoft\internet explorer\main\ || sethp (ID = 124467)
18:55: Found Adware: edipol alloticket dialer
18:55: HKU\S-1-5-21-3399214811-4080963341-1148649159-1006\software\visio ras script\ (5 subtraces) (ID = 125646)
18:55: Found Adware: searchrelevancy
18:55: HKCR\interface\{300fa067-9b94-45cf-a30b-cb5221eeb0c3}\ (8 subtraces) (ID = 141290)
18:55: HKCR\searchrelevant\ (3 subtraces) (ID = 141291)
18:55: HKLM\software\classes\interface\{300fa067-9b94-45cf-a30b-cb5221eeb0c3}\ (8 subtraces) (ID = 141293)
18:55: HKLM\software\classes\typelib\{65a6bb6d-78d0-4e0a-824d-2de1e0d154af}\ (9 subtraces) (ID = 141295)
18:55: HKLM\software\classes\searchrelevant\ (3 subtraces) (ID = 141296)
18:55: HKLM\software\classes\updater.bho\ (5 subtraces) (ID = 141297)
18:55: HKCR\typelib\{65a6bb6d-78d0-4e0a-824d-2de1e0d154af}\ (9 subtraces) (ID = 141302)
18:55: HKCR\updater.bho\ (5 subtraces) (ID = 141303)
18:55: Found Adware: seekseek
18:55: HKLM\software\jxjte\ (4 subtraces) (ID = 141531)
18:55: Found Adware: ist slotchbar
18:55: HKLM\software\classes\typelib\{8c752c5e-3c10-4076-af0a-ffc69fa20d10}\ (9 subtraces) (ID = 141839)
18:55: HKCR\typelib\{8c752c5e-3c10-4076-af0a-ffc69fa20d10}\ (9 subtraces) (ID = 141844)
18:55: Found Adware: winad
18:55: HKLM\software\windows adstatus\ (8 subtraces) (ID = 147240)
18:55: Registry Sweep Complete, Elapsed Time:00:00:07
18:55: Starting Cookie Sweep
18:55: Found Spy Cookie: 64.62.232 cookie
18:55: wouter@64.62.232[1].txt (ID = 1987)
18:55: wouter@64.62.232[2].txt (ID = 1987)
18:55: wouter@64.62.232[3].txt (ID = 1987)
18:55: Found Spy Cookie: advertising cookie
18:55: wouter@advertising[2].txt (ID = 2175)
18:55: Found Spy Cookie: apmebf cookie
18:55: wouter@apmebf[1].txt (ID = 2229)
18:55: Found Spy Cookie: atlas dmt cookie
18:55: wouter@atdmt[2].txt (ID = 2253)
18:55: Found Spy Cookie: belnk cookie
18:55: wouter@belnk[1].txt (ID = 2292)
18:55: Found Spy Cookie: enhance cookie
18:55: wouter@c.enhance[1].txt (ID = 2614)
18:55: Found Spy Cookie: gostats cookie
18:55: wouter@c4.gostats[2].txt (ID = 2748)
18:55: Found Spy Cookie: com.com cookie
18:55: wouter@com[2].txt (ID = 2445)
18:55: wouter@dist.belnk[2].txt (ID = 2293)
18:55: Found Spy Cookie: fe.lea.lycos.com cookie
18:55: wouter@fe.lea.lycos[1].txt (ID = 2660)
18:55: wouter@gostats[2].txt (ID = 2747)
18:55: Found Spy Cookie: screensavers.com cookie
18:55: wouter@i.screensavers[2].txt (ID = 3298)
18:55: Found Spy Cookie: metriweb.be cookie
18:55: wouter@metriweb[1].txt (ID = 2992)
18:55: Found Spy Cookie: realmedia cookie
18:55: wouter@realmedia[1].txt (ID = 3235)
18:55: Found Spy Cookie: servedby advertising cookie
18:55: wouter@servedby.advertising[2].txt (ID = 3335)
18:55: Found Spy Cookie: dealtime cookie
18:55: wouter@stat.dealtime[1].txt (ID = 2506)
18:55: Found Spy Cookie: reliablestats cookie
18:55: wouter@stats1.reliablestats[2].txt (ID = 3254)
18:55: Found Spy Cookie: targetnet cookie
18:55: wouter@targetnet[2].txt (ID = 3489)
18:55: Found Spy Cookie: toplist cookie
18:55: wouter@toplist[1].txt (ID = 3557)
18:55: Found Spy Cookie: tripod cookie
18:55: wouter@tripod[2].txt (ID = 3591)
18:55: Found Spy Cookie: webads cookie
18:55: wouter@webads[2].txt (ID = 3650)
18:55: wouter@www.screensavers[1].txt (ID = 3298)
18:55: Found Spy Cookie: yadro cookie
18:55: wouter@yadro[1].txt (ID = 3743)
18:55: Cookie Sweep Complete, Elapsed Time: 00:00:03
18:55: Starting File Sweep
18:55: Found Trojan Horse: 2nd-thought
18:55: c:\windows\bundles (18 subtraces) (ID = -2147481535)
18:55: b2_t_%22doctor+bass+-+lick+it%22&577.xml:qtsnwm (ID = 56287)
18:56: b2_t_midi+children&584.xml:rulofz (ID = 56287)
18:56: Found Adware: coolwebsearch (cws)
18:56: eufld.dat:kqqhhf (ID = 54051)
18:56: b2_t_%22do+you+believe+in+a+god+that+brings+you+down%22&474.xml:ysaicb (ID = 54051)
18:56: patroon.bmp:jsduur (ID = 56287)
18:56: oobeact.log:rskgsg (ID = 54051)
18:56: Found Adware: virtualbouncer
18:56: 2504041019.exe (ID = 82767)
18:56: kb825119.log:bosark (ID = 56287)
18:56: Found Adware: dealhelper
18:56: dsearch1.bin (ID = 57614)
18:56: Found Adware: shopathomeselect
18:56: vp.dat (ID = 75843)
18:58: Found Adware: sicro dialer
18:58: switchagreement.txt (ID = 76024)
18:58: Found Adware: webrebates
18:58: traspec7.exe (ID = 83923)
18:59: Found Adware: my daily horoscope
18:59: setup_silent_26221.exe (ID = 70252)
18:59: tksrv99.exe (ID = 57160)
18:59: b2_t_jump%3a+the+new+hardstyle&46.xml:zutjdo (ID = 54051)
18:59: directx.log:vydiml (ID = 56287)
18:59: Found Adware: adlogix
18:59: vzofob.xml (ID = 49280)
18:59: Found Adware: ez-finder toolbar
18:59: webdlg32.inf (ID = 60327)
18:59: webdlg32.inf (ID = 60327)
18:59: credit counseling.url (ID = 130668)
18:59: insurance home.url (ID = 130676)
18:59: mortgage life insurance.url (ID = 130681)
18:59: help desk software.url (ID = 130675)
18:59: ab scissor.url (ID = 130666)
18:59: videos.url (ID = 130694)
18:59: what is hydrocodone.url (ID = 130695)
18:59: online gambling casino.url (ID = 130684)
18:59: refinancing my mortgage.url (ID = 130691)
18:59: debt credit card.url (ID = 130671)
18:59: fha.url (ID = 130673)
18:59: loan for debt consolidation.url (ID = 130677)
18:59: health insurance.url (ID = 130674)
18:59: personal loans online.url (ID = 130688)
18:59: payroll advance.url (ID = 130687)
18:59: marketing email.url (ID = 130679)
18:59: prescription drugs rx online.url (ID = 130690)
18:59: credit report.url (ID = 130669)
18:59: tahoe vacation rental.url (ID = 130692)
18:59: escorts.url (ID = 130672)
18:59: order phentermine.url (ID = 130686)
18:59: mortgage insurance.url (ID = 130680)
18:59: personal loans with bad credit.url (ID = 130689)
18:59: crm software.url (ID = 130670)
18:59: nevada corporations.url (ID = 130682)
18:59: unsecured bad credit loans.url (ID = 130693)
18:59: loan for people with bad credit.url (ID = 130678)
18:59: broadband comparison.url (ID = 130667)
18:59: online betting site.url (ID = 130683)
18:59: online instant loan.url (ID = 130685)
19:00: File Sweep Complete, Elapsed Time: 00:04:27
19:00: Full Sweep has completed. Elapsed time 00:06:36
19:00: Traces Found: 206
19:01: Removal process initiated
19:01: Quarantining All Traces: alwaysupdatednews
19:01: Quarantining All Traces: blazefind_adstat
19:01: Quarantining All Traces: cws_ns3
19:01: Quarantining All Traces: cws_xplugin
19:01: Quarantining All Traces: edipol alloticket dialer
19:01: Quarantining All Traces: searchrelevancy
19:01: Quarantining All Traces: seekseek
19:01: Quarantining All Traces: ist slotchbar
19:01: Quarantining All Traces: winad
19:01: Quarantining All Traces: 64.62.232 cookie
19:01: Quarantining All Traces: advertising cookie
19:01: Quarantining All Traces: apmebf cookie
19:01: Quarantining All Traces: atlas dmt cookie
19:01: Quarantining All Traces: belnk cookie
19:01: Quarantining All Traces: enhance cookie
19:01: Quarantining All Traces: gostats cookie
19:01: Quarantining All Traces: com.com cookie
19:01: Quarantining All Traces: fe.lea.lycos.com cookie
19:01: Quarantining All Traces: screensavers.com cookie
19:01: Quarantining All Traces: metriweb.be cookie
19:01: Quarantining All Traces: realmedia cookie
19:01: Quarantining All Traces: servedby advertising cookie
19:01: Quarantining All Traces: dealtime cookie
19:01: Quarantining All Traces: reliablestats cookie
19:01: Quarantining All Traces: targetnet cookie
19:01: Quarantining All Traces: toplist cookie
19:01: Quarantining All Traces: tripod cookie
19:01: Quarantining All Traces: webads cookie
19:01: Quarantining All Traces: yadro cookie
19:01: Quarantining All Traces: 2nd-thought
19:01: Quarantining All Traces: coolwebsearch (cws)
19:01: Quarantining All Traces: virtualbouncer
19:01: Quarantining All Traces: dealhelper
19:01: Quarantining All Traces: shopathomeselect
19:01: Quarantining All Traces: sicro dialer
19:01: Quarantining All Traces: webrebates
19:01: Quarantining All Traces: my daily horoscope
19:01: Quarantining All Traces: adlogix
19:01: Quarantining All Traces: ez-finder toolbar
19:01: Removal process completed. Elapsed time 00:00:30
********
18:51: |··· Start of Session, donderdag 25 augustus 2005 ···|
18:51: Spy Sweeper started
18:53: |··· End of Session, donderdag 25 augustus 2005 ···|

#19 Rawe (Visiting Staff)
Yup, I'm sure, that's why I asked you to run SpySweeper for leftovers :tazz:

Can you post a fresh HijackThis log just to make sure everything's still looking good? Do you have any problems at the moment? :)

#20 my_6th_sense (Topic Starter, Member)
Here's a new HijackThis file :tazz:
Everything seems to be fine now, but last week I removed the WinFixer thing myself and everything also seemed to be OK... for a few days...
Anyway, let's hope it stays away now :)

Logfile of HijackThis v1.99.1
Scan saved at 19:07:20, on 25/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
C:\Program Files\Indentix\WinGet\WinGet.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Documents and Settings\Wouter\Bureaublad\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO:  - {371C6960-302C-45D0-9504-50B820247439} - C:\Program Files\Indentix\WinGet\WinIE.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [second] C:\Documents and Settings\Wouter\Bureaublad\l2mfix\second.bat
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [WinGet.exe] C:\Program Files\Indentix\WinGet\WinGet.exe /silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Download with &WinGet - res://C:\Program Files\Indentix\WinGet\WinIE.dll/300
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Ontvang alles met FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Ontvang met FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab28578.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/...h/v2/EARTPX.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107081003921
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game19.zylomg...gamesplayer.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod-service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

Thanks for your help!

#21 Rawe (Visiting Staff)
Yup, it's clean. Check and fix the following objects in HijackThis:

O4 - HKLM\..\Run: [second] C:\Documents and Settings\Wouter\Bureaublad\l2mfix\second.bat
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab


And it's looking pretty.

Let's clear out your restore points now.

Disable System Restore:

1. Click Start > Programs > Accessories > Windows Explorer
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Check the "Turn off System Restore" check box.
5. Click Apply. A message shows up.
6. Click "Yes" to do this.
7. Confirm with "OK".


Reboot.

Enable System Restore:

1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck the "Turn off System Restore" check box.
5. Click Apply, and then click "OK".


System Restore will now be active again. :) Be sure to set a new restore point.

Here are some tips for the future to prevent spyware:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed. (My favourite)
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall <= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
And also see TonyKlein's good advice:
So how did I get infected in the first place? (My favourite)

Visit http://www.windowsupdate.com and install ALL the available critical updates!

- Rawe :tazz:

If you want to learn how to help people with malware problems like I helped you, feel free to take a look at this thread; http://www.geekstogo...here-t4817.html
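A triage helper for logs like the two posted in this thread, added here as an example and not code from the thread, from HijackThis or from Rawe: it parses the prefixed entries of a HijackThis v1.99 log, diffs two logs of the same machine (which is what asking for a fresh log amounts to; the only entry-level change between the two logs above is the new Webroot service, and the excerpt reproduces that) and flags the two kinds of entry singled out in this thread, an O4 autorun that launches a script or lives under the user profile (the leftover l2mfix second.bat) and an O2 BHO registered with no name. The excerpt is constructed from lines of the thread's own logs, with the forum's "..." URL shortening kept as it appears; the function and rule names are mine and the rules are a starting point for manual review, not HijackThis's own logic.

```python
import re

# Every HijackThis v1.99 finding starts with a section code ("R0", "O4", "O23", ...)
# followed by " - " and the body; header and "Running processes" lines carry no prefix.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
# O4 body: 'HKLM\..\Run: [name] "C:\path with spaces\prog.exe" /arg' or an unquoted path.
O4_TARGET_RE = re.compile(
    r'\]\s*(?:"([^"]+)"|(.+?\.(?:exe|bat|cmd|vbs|js|wsf|dll|scr)))(?:\s|$)', re.IGNORECASE)
NAMELESS_BHO_RE = re.compile(r"^BHO:\s*-\s")          # "BHO:  - {CLSID} - path"
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".js", ".wsf")
USER_PROFILE_HINT = "\\documents and settings\\"     # XP-era per-user tree, user-writable


def parse_hjt(text):
    """Return (section, body) tuples for every prefixed entry in a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def diff_logs(before, after):
    """Entries that appeared and disappeared between two logs of the same machine."""
    old, new = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(new - old), sorted(old - new)


def o4_target(body):
    """Path an O4 autorun entry launches, or None if the line has neither [name] nor '='."""
    m = O4_TARGET_RE.search(body)
    if m:
        return m.group(1) or m.group(2)
    if " = " in body:                     # "Global Startup: foo.lnk = C:\...\foo.exe"
        return body.split(" = ", 1)[1].strip()
    return None


def triage(entries):
    """Flag the entry kinds a removal helper looks at first (rule names are mine).
    Returns (section, body, reason) tuples; anything not flagged is left for review."""
    findings = []
    for section, body in entries:
        if section == "O4":
            target = o4_target(body)
            if target is None:
                continue
            low = target.lower()
            if low.endswith(SCRIPT_EXTS):
                findings.append((section, body, "autorun launches a script, not a program"))
            elif USER_PROFILE_HINT in low:
                findings.append((section, body, "autorun target lives in a user profile directory"))
        elif section == "O2" and NAMELESS_BHO_RE.match(body):
            findings.append((section, body, "browser helper object registered without a name"))
    return findings


# Constructed excerpt of the first log posted in the thread (a process line is kept to
# show it is ignored); the forum shortened the O16 URL with "..." and that is kept as-is.
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\Documents and Settings\Wouter\Bureaublad\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO:  - {371C6960-302C-45D0-9504-50B820247439} - C:\Program Files\Indentix\WinGet\WinIE.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [second] C:\Documents and Settings\Wouter\Bureaublad\l2mfix\second.bat
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
"""
# The second log in the thread differs from the first by exactly one entry: the new Webroot service.
WEBROOT_SERVICE = (r"O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - "
                   r"C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe")
AFTER_LOG = BEFORE_LOG + WEBROOT_SERVICE + "\n"

if __name__ == "__main__":
    added, removed = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("added:", added, "removed:", removed)
    for section, body, reason in triage(parse_hjt(AFTER_LOG)):
        print(f"[{section}] {reason}\n    {body}")
```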

#22 my_6th_sense (Topic Starter, Member)
thanks a lot for your help!!

#23 Rawe (Visiting Staff)
No problem, it's great to help!! :tazz:

#24 Guest_thatman_* (Guest)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.