Malware, Winfixer [RESOLVED]

#1 tager (Member, 16 posts)

Logfile of HijackThis v1.99.1
Scan saved at 9:21:52 AM, on 8/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\j?vaw.exe
C:\Program Files\acra\ueri.exe
C:\Program Files\D-Link AirPlus G\AirPlus.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\dG9tIGdlcmFnaHR5\command.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Documents and Settings\tom geraghty.TOM-M7DFI6HQSGC\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: SDWin32 Class - {24B4CF57-45C2-4CDE-A381-1D8FE8EA7832} - C:\WINDOWS\System32\qotci.dll (file missing)
O2 - BHO: SDWin32 Class - {2F944272-32E9-4288-9AA7-58FCFD4FAB45} - C:\WINDOWS\System32\ffvum.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [t73j3Fe] nwebu.exe
O4 - HKLM\..\Run: [ttupt] C:\WINDOWS\ttupt.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\lpsxsd.exe reg_run
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [cwstRPK9l] inftuq.exe
O4 - HKCU\..\Run: [Qzoz] C:\WINDOWS\System32\j?vaw.exe
O4 - HKCU\..\Run: [Uihe] C:\Program Files\acra\ueri.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust...er/pestscan.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX28.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\dG9tIGdlcmFnaHR5\command.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\keqjsvc.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:42:30 AM, 8/27/2005
+ Report-Checksum: 624DE9CD

+ Scan result:

[1472] C:\WINDOWS\System32\sssfsgd.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
[1896] C:\WINDOWS\System32\sssfsgd.dll -> TrojanDownloader.Qoologic.ac : Error during cleaning
[1912] C:\WINDOWS\System32\sssfsgd.dll -> TrojanDownloader.Qoologic.ac : Error during cleaning
[1920] C:\WINDOWS\System32\sssfsgd.dll -> TrojanDownloader.Qoologic.ac : Error during cleaning
[1928] C:\WINDOWS\System32\sssfsgd.dll -> TrojanDownloader.Qoologic.ac : Error during cleaning
[1956] C:\WINDOWS\System32\sssfsgd.dll -> TrojanDownloader.Qoologic.ac : Error during cleaning
[2004] C:\WINDOWS\System32\sssfsgd.dll -> TrojanDownloader.Qoologic.ac : Error during cleaning
[2020] C:\WINDOWS\System32\sssfsgd.dll -> TrojanDownloader.Qoologic.ac : Error during cleaning
[136] C:\WINDOWS\System32\sssfsgd.dll -> TrojanDownloader.Qoologic.ac : Error during cleaning
[556] C:\WINDOWS\System32\sssfsgd.dll -> TrojanDownloader.Qoologic.ac : Error during cleaning
[4024] C:\WINDOWS\System32\sssfsgd.dll -> TrojanDownloader.Qoologic.ac : Error during cleaning
C:\WINDOWS\system32\pukgk.dat -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\system32\adupdater.exe.tcf -> Spyware.Adstart : Cleaned with backup
C:\WINDOWS\system32\qotcid.exe.tcf -> Spyware.Adstart : Cleaned with backup
C:\WINDOWS\system32\jaara.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\system32\ffvumd.exe -> Spyware.Adstart : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP88\A0039222.exe -> Spyware.CASClient : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP91\A0039287.exe -> Spyware.Adstart : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP91\A0039288.exe -> Spyware.Adstart : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP95\A0045559.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP95\A0045560.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP95\A0045561.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP95\A0045562.exe -> Spyware.Adstart : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP95\A0045576.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP95\A0045577.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP95\A0045578.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP95\A0045579.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP95\A0045679.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP95\A0045680.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP95\A0045681.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP95\A0045682.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP95\A0046677.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP95\A0046678.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP95\A0046679.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP95\A0046680.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP96\A0046715.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP96\A0046716.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP96\A0046717.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP96\A0046718.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP97\A0047724.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP97\A0047725.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP97\A0047726.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP97\A0047727.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP98\A0047760.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP98\A0047761.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP98\A0047762.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP98\A0047763.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP98\A0047780.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP98\A0047781.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP98\A0047782.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP98\A0048792.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP98\A0048793.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP98\A0048794.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP98\A0048795.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP99\A0048955.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP99\A0048956.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP99\A0048957.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP99\A0048958.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP100\A0049063.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP100\A0049064.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP100\A0049065.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP100\A0049066.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP101\A0049169.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP101\A0049170.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP101\A0049171.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP101\A0049172.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP101\A0049194.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP101\A0049195.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP101\A0049196.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP101\A0049204.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP101\A0049206.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP101\A0049207.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP101\A0049208.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP101\A0049223.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP101\A0049224.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP101\A0049225.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP101\A0049226.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP101\A0049238.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP101\A0049239.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP101\A0049240.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP101\A0049241.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP101\A0049253.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP101\A0049254.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP101\A0049255.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP101\A0049256.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP101\A0049267.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP101\A0049268.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP101\A0049269.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP101\A0049270.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP102\A0049285.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP102\A0049286.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP102\A0049287.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP102\A0049288.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP102\A0049309.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP102\A0049310.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP102\A0049311.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP102\A0049312.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup


::Report End
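Added example, not part of the original thread and not ewido's own code: a small parser for the scan report above. It splits the detections into files that are live on disk, the dormant copies System Restore keeps under _restore{GUID}\RPnn, and the [pid]-prefixed lines, which report the same DLL (sssfsgd.dll) found mapped inside running processes and not cleanable while loaded. That last group is the usual reason a helper asks for a rescan in Safe Mode, where those processes are not started. The sample lines are a constructed subset of the posted report.

```python
"""Parse an ewido-style scan report: live files vs. System Restore copies,
plus modules that could not be cleaned because a process had them loaded.
Added example for this thread; not ewido's code. SAMPLE_REPORT is a
constructed subset of the posted report."""
import re
from collections import Counter, defaultdict

SAMPLE_REPORT = """\
[1472] C:\\WINDOWS\\System32\\sssfsgd.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
[1896] C:\\WINDOWS\\System32\\sssfsgd.dll -> TrojanDownloader.Qoologic.ac : Error during cleaning
[1912] C:\\WINDOWS\\System32\\sssfsgd.dll -> TrojanDownloader.Qoologic.ac : Error during cleaning
C:\\WINDOWS\\system32\\pukgk.dat -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\\WINDOWS\\system32\\adupdater.exe.tcf -> Spyware.Adstart : Cleaned with backup
C:\\WINDOWS\\system32\\jaara.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\\System Volume Information\\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\\RP95\\A0045559.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\\System Volume Information\\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\\RP96\\A0046715.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
"""

# "[pid] path -> family : action"  or  "path -> family : action"
LINE_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\]\s+)?(?P<path>.+?)\s+->\s+(?P<family>\S+)\s+:\s+(?P<action>.+)$"
)


def parse_report(text):
    """Return one dict per detection: pid (int or None), path, family, action, restore."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        hits.append({
            "pid": int(m.group("pid")) if m.group("pid") else None,
            "path": path,
            "family": m.group("family"),
            "action": m.group("action").strip(),
            # System Restore snapshots live under _restore{GUID}\RPnn; they are
            # stored copies, not code that is currently running.
            "restore": "\\_restore{" in path,
        })
    return hits


def summarize(hits):
    """Group detections: distinct live files per family, restore-point copies
    per family, and loaded modules that failed to clean (pids per path)."""
    live_paths = {}          # lowercase path -> family (dedupes the per-pid lines)
    restore = Counter()
    loaded = defaultdict(set)
    for h in hits:
        if h["restore"]:
            restore[h["family"]] += 1
        else:
            live_paths[h["path"].lower()] = h["family"]
        # A [pid] prefix means the DLL was found inside a running process;
        # "Error during cleaning" there means the file was in use.
        if h["pid"] is not None and h["action"].startswith("Error"):
            loaded[h["path"]].add(h["pid"])
    return {
        "live": Counter(live_paths.values()),
        "restore": restore,
        "failed_in_process": {p: sorted(s) for p, s in loaded.items()},
    }


if __name__ == "__main__":
    for section, value in summarize(parse_report(SAMPLE_REPORT)).items():
        print(section, dict(value))
```

On the posted report the interesting number is not the long list of RPnn files (those are restore-point copies and go away when System Restore is purged) but the handful of live System32 files and the one DLL that sat in eleven processes at once.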

#2 miekiemoes (Malware Expert, MVP, 5,503 posts)

Hello,

It's better to print out the next instructions or save them in Notepad, because you also have to work in Safe Mode without networking support, so this page won't be available then.
It is also important that you don't miss a step and that you perform everything in the right order! I'm going to have you scan with ewido again, but in Safe Mode this time.



* Download and install CCleaner
Do not use it yet.

Update your ewido!
- From the main ewido screen, click on Update in the left menu, then click the Start update button.
- After the update finishes, the status bar at the bottom will display "Update successful".

* Reboot into Safe Mode (without networking support!)
To get into Safe Mode, press and hold your F8 key as the computer is booting. Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R3 - Default URLSearchHook is missing
O2 - BHO: SDWin32 Class - {24B4CF57-45C2-4CDE-A381-1D8FE8EA7832} - C:\WINDOWS\System32\qotci.dll (file missing)
O2 - BHO: SDWin32 Class - {2F944272-32E9-4288-9AA7-58FCFD4FAB45} - C:\WINDOWS\System32\ffvum.dll (file missing)
O4 - HKLM\..\Run: [t73j3Fe] nwebu.exe
O4 - HKLM\..\Run: [ttupt] C:\WINDOWS\ttupt.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\lpsxsd.exe reg_run
O4 - HKCU\..\Run: [cwstRPK9l] inftuq.exe
O4 - HKCU\..\Run: [Qzoz] C:\WINDOWS\System32\j?vaw.exe
O4 - HKCU\..\Run: [Uihe] C:\Program Files\acra\ueri.exe
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\dG9tIGdlcmFnaHR5\command.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\keqjsvc.exe


* Click on Fix Checked when finished and exit HijackThis.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINDOWS\dG9tIGdlcmFnaHR5 <== folder
C:\WINDOWS\ttupt.exe
C:\Program Files\acra <== folder
C:\WINDOWS\keqjsvc.exe

* Still in Safe Mode, start CCleaner.
Click "Options", then click the "Advanced" tab.
Uncheck "Only delete files older than 48 hrs." and click OK.
Click "Cleaner", then click Run Cleaner (bottom right).

* Open Ewido Security Suite
Click on scanner

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

Close Ewido


* Reboot your system back to normal mode and post a new HijackThis log together with the ewido log.
#3 tager (Topic Starter, Member, 16 posts)

Hey, sorry it's late, but thanks for all of your help, miekiemoes... here is my updated info after following your instructions.


Logfile of HijackThis v1.99.1
Scan saved at 10:04:52 PM, on 8/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Link AirPlus G\AirPlus.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\tom geraghty.TOM-M7DFI6HQSGC\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\lpsxsd.exe reg_run
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust...er/pestscan.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX28.cab
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\dG9tIGdlcmFnaHR5\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:30:34 PM, 8/30/2005
+ Report-Checksum: 22506FF

+ Scan result:

[952] C:\WINDOWS\System32\jaara.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\system32\pukgk.dat -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP102\A0049321.exe -> Spyware.Adstart : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP102\A0049324.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP102\A0049329.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP102\A0049330.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP103\A0049346.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP103\A0049347.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP103\A0049348.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP103\A0049349.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP103\A0050346.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP103\A0050347.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP103\A0050348.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP103\A0050349.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP103\A0050365.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP103\A0050366.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP103\A0050367.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP103\A0050368.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP104\A0050399.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP104\A0050400.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP104\A0050401.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP104\A0050402.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP104\A0050412.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP104\A0050413.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP104\A0050414.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP104\A0050415.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP104\A0051412.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP104\A0051413.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP104\A0051414.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP104\A0051416.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP105\A0052409.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP105\A0052410.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{EE49ACBF-D225-4402-A100-8D94A1CBF045}\RP105\A0052411.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup


::Report End
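Added example, not part of the thread and not HijackThis's own code: a triage pass over log entries in the format above, followed by a check of which items from the fix list in post #2 are still in the new log. The heuristics mirror what the helper flagged: a BHO whose DLL is gone, a Run value that is a bare filename with no path, a "?" in an executable name ("?" is not legal in a Windows file name, so HijackThis substituted it for a character it could not print; j?vaw.exe is one character away from javaw.exe), an O18 filter with no CLSID, a service with no vendor string, and a directory name that is valid base64 (dG9tIGdlcmFnaHR5 decodes to "tom geraghty", the account name visible in the HijackThis path of the same log). residual() then shows the two items that survived the fix: the [winsync] Run value, and the cmdService entry, whose registration outlived its deleted binary and now shows as "(file missing)". The three sample logs are constructed subsets of the posted ones; all function names are my own.

```python
"""Triage HijackThis log entries and check which fix-list items survived a
cleanup. Added example for this thread; not HijackThis's code. The sample
logs are constructed subsets of the posted logs."""
import base64
import binascii
import re

# Subset of the first posted log (constructed sample).
BEFORE_LOG = """\
R3 - Default URLSearchHook is missing
O2 - BHO: SDWin32 Class - {24B4CF57-45C2-4CDE-A381-1D8FE8EA7832} - C:\\WINDOWS\\System32\\qotci.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\\PROGRA~1\\SPYWAR~1\\tools\\iesdsg.dll
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKLM\\..\\Run: [t73j3Fe] nwebu.exe
O4 - HKLM\\..\\Run: [winsync] C:\\WINDOWS\\System32\\lpsxsd.exe reg_run
O4 - HKCU\\..\\Run: [Qzoz] C:\\WINDOWS\\System32\\j?vaw.exe
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\\WINDOWS\\dG9tIGdlcmFnaHR5\\command.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\\Program Files\\Network Associates\\VirusScan\\Mcshield.exe
"""
# Lines the helper asked to fix in post #2 (subset).
FIX_LIST = """\
O4 - HKLM\\..\\Run: [t73j3Fe] nwebu.exe
O4 - HKLM\\..\\Run: [winsync] C:\\WINDOWS\\System32\\lpsxsd.exe reg_run
O4 - HKCU\\..\\Run: [Qzoz] C:\\WINDOWS\\System32\\j?vaw.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\\WINDOWS\\dG9tIGdlcmFnaHR5\\command.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\\WINDOWS\\keqjsvc.exe
"""
# Subset of the log posted after the fix (constructed sample).
AFTER_LOG = """\
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\\PROGRA~1\\SPYWAR~1\\tools\\iesdsg.dll
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKLM\\..\\Run: [winsync] C:\\WINDOWS\\System32\\lpsxsd.exe reg_run
O23 - Service: Command Service (cmdService) - Unknown owner - C:\\WINDOWS\\dG9tIGdlcmFnaHR5\\command.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
B64_DIR_RE = re.compile(r"\\([A-Za-z0-9+/]{12,}={0,2})\\")  # long alnum path component


def decode_dir(path):
    """Decoded text if a directory component is valid base64 for printable
    ASCII, else None (the posted folder decodes to the account name)."""
    m = B64_DIR_RE.search(path)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (ValueError, binascii.Error):
        return None
    return raw.decode("ascii") if raw and all(32 <= b < 127 for b in raw) else None


def first_token(cmd):
    """Executable part of a Run value, honouring a quoted path."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split()
    return parts[0] if parts else ""


def triage(log):
    """Yield (line, [reasons]) for entries a malware helper would flag."""
    for line in log.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        reasons = []
        if sec == "O2" and "(file missing)" in body:
            reasons.append("BHO registered but DLL gone: dead registration")
        if sec == "R3" and "is missing" in body:
            reasons.append("default URLSearchHook removed")
        if sec == "O18" and "(no CLSID)" in body:
            reasons.append("MIME filter with no CLSID and no file")
        if sec == "O23" and "Unknown owner" in body:
            reasons.append("service with no vendor string")
        if sec == "O4":
            r = RUN_RE.search(body)
            if r:
                exe = first_token(r.group("cmd"))
                if "\\" not in exe:
                    reasons.append("Run value is a bare filename with no path")
                if "?" in exe:  # illegal in a file name: a char HijackThis could not print
                    reasons.append("unprintable character in executable name")
        decoded = decode_dir(body)
        if decoded:
            reasons.append(f"path component is base64 for {decoded!r}")
        if reasons:
            yield line, reasons


def residual(fix_list, after_log):
    """Fix-list entries still present in the new log; '(file missing)' is
    ignored so a service registration that outlived its binary is caught."""
    key = lambda s: s.replace(" (file missing)", "").strip()
    wanted = {key(l) for l in fix_list.splitlines() if l.strip()}
    return [l for l in after_log.splitlines() if key(l) in wanted]


if __name__ == "__main__":
    for line, why in triage(BEFORE_LOG):
        print(line, "\n   ->", "; ".join(why))
    print("still present:", residual(FIX_LIST, AFTER_LOG))
```

The base64 check is the one worth keeping in your own toolbox: a generated directory name that decodes to the victim's user name is hard to mistake for anything legitimate, and it is cheap to test on every path in a log.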
#4 miekiemoes (Malware Expert, MVP, 5,503 posts)

OK, let's deal with Qoologic now...

Download Find Q.zip and save it to your desktop.
http://forums.net-in...=post&id=153912

Extract (unzip) the files inside into their own folder called Find Q.
See here for how to unzip/extract properly:
http://metallica.gee...xplanation.html
Open the Find Q-folder.
Locate and double-click the Find Q.bat to run it.
Wait until notepad opens and copy and paste the content in your next reply.

If you received an error similar to "C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application.", please use the following fix first:

If you have XP Home, download and use the following:
http://homepage.ntlw...XPHomeFiles.exe

If you have XP Professional, download and use the following:
http://homepage.ntlw.../XPProfiles.exe

Edited by miekiemoes, 31 August 2005 - 03:33 AM.


#5 tager (Topic Starter, Member, 16 posts)
Thanks, here's my updated HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 6:37:13 PM, on 8/31/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\D-Link AirPlus G\AirPlus.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\tom geraghty.TOM-M7DFI6HQSGC\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\lpsxsd.exe reg_run
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\System32\wuauclt.dll
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\System32\wuauclt.dll
O9 - Extra button: Microsoft AntiSpyware helper - {4A25C626-3811-4E2E-B7BD-8CC647BD3568} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4A25C626-3811-4E2E-B7BD-8CC647BD3568} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust...er/pestscan.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX28.cab
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\dG9tIGdlcmFnaHR5\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

#6 miekiemoes (Malware Expert, MVP, 5,503 posts)
Hello, I need the log from Find Q, not a new HijackThis log. :tazz:
By the way, can you delete the Find Q folder that you downloaded before? This version has been updated.

So download this new version:
http://forums.net-in...=post&id=153912

Extract (unzip) the files inside into their own folder called Find Q.
Look here for how to unzip/extract properly:
http://metallica.gee...xplanation.html
Open the Find Q-folder.
Locate and double-click the Find Q.bat to run it.
Wait until notepad opens and copy and paste the content in your next reply.

#7 tager (Topic Starter, Member, 16 posts)
»»»»» Search by size and name...
»»»»» Files found by this method are not necessarily bad...
»»»»» Example PNGFILT.DLL ctl3d32.dll are windows files...


»»»»» 2K XP 9X and ME Misc check's...


»»»»» 9X and ME check's...

#8 miekiemoes (Malware Expert, MVP, 5,503 posts)
Hmmm, I can't believe that Find Q isn't showing a thing.
Do you still get that cmd and autoexec.nt error? If so, please use the fix I asked you to apply previously ( http://www.visualtou...oads/xp_fix.exe ) and run Find Q again.

Did you actually unzip Find Q to its own folder as I explained before?
Also, is this the latest version I asked you to download? This is really important.

Can you post a new HijackThis log please?

#9 tager (Topic Starter, Member, 16 posts)
Logfile of HijackThis v1.99.1
Scan saved at 9:17:24 AM, on 9/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\D-Link AirPlus G\AirPlus.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\tom geraghty.TOM-M7DFI6HQSGC\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\lpsxsd.exe reg_run
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: Microsoft AntiSpyware helper - {4A25C626-3811-4E2E-B7BD-8CC647BD3568} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4A25C626-3811-4E2E-B7BD-8CC647BD3568} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust...er/pestscan.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX28.cab
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\dG9tIGdlcmFnaHR5\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

#10 miekiemoes (Malware Expert, MVP, 5,503 posts)
Hello,

Let's see what comes back afterwards.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\lpsxsd.exe reg_run
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: Microsoft AntiSpyware helper - {4A25C626-3811-4E2E-B7BD-8CC647BD3568} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4A25C626-3811-4E2E-B7BD-8CC647BD3568} - (no file) (HKCU)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\dG9tIGdlcmFnaHR5\command.exe (file missing)


* Click on Fix Checked when finished and exit HijackThis.

Then go to Start > Run and copy and paste the following command into the field:

sc delete cmdService

Click OK.

Reboot once again and post a new HijackThis log.
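The entries picked out above share traits a script can spot: a target that reads (no file) or (file missing), an O23 service with an unknown owner, and a path component (dG9tIGdlcmFnaHR5) that is valid Base64 and decodes to the user name visible elsewhere in the log. The triage helper below is an added example for this thread, not a tool posted by miekiemoes or part of HijackThis; its sample lines are constructed from the logs in this thread.

```python
import base64
import re

# Constructed sample: five HijackThis entries modelled on the logs in this thread.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\lpsxsd.exe reg_run
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\dG9tIGdlcmFnaHR5\command.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
"""

# A token is only considered as Base64 if it uses the Base64 alphabet and is
# at least 12 characters long (shorter words produce too many false positives).
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{12,}={0,2}$")


def decode_if_base64(token):
    """Return the decoded text if `token` is Base64 for printable ASCII, else None."""
    if not B64_TOKEN.match(token) or len(token) % 4:
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def triage(log_text):
    """Return a list of (line, reasons) for HijackThis entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        reasons = []
        # HijackThis marks entries whose target no longer exists on disk.
        if "(no file)" in line or "(file missing)" in line:
            reasons.append("target file missing")
        # O23 services normally carry a vendor name; "Unknown owner" is worth a check.
        if line.startswith("O23") and "Unknown owner" in line:
            reasons.append("service with unknown owner")
        # Split on path separators, whitespace and quotes, then test each piece.
        for part in re.split(r"[\\\s\"]+", line):
            decoded = decode_if_base64(part)
            if decoded:
                reasons.append(f"base64 path component {part!r} decodes to {decoded!r}")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(entry)
        for reason in why:
            print("   ->", reason)
```

Note that the winsync/lpsxsd.exe entry is not caught by any of these mechanical checks; identifying it took the helper's experience, which is why such a script supports a human reviewer rather than replacing one.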

#11 tager (Topic Starter, Member, 16 posts)
Logfile of HijackThis v1.99.1
Scan saved at 4:54:18 PM, on 9/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\D-Link AirPlus G\AirPlus.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Documents and Settings\tom geraghty.TOM-M7DFI6HQSGC\Desktop\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust...er/pestscan.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX28.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

#12 miekiemoes (Malware Expert, MVP, 5,503 posts)
I see a clean log. :tazz:

To keep this clean in the future, I would suggest the following things:

Install SpywareBlaster
SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

Avoid illegal sites, because that's where most malware is present.

Let your antispyware scanner(s) scan frequently, and don't forget to update them first.

I also suggest you perform an online virus scan once in a while (Housecall and/or BitDefender), because what one virus scanner can't find, another one may.
Also make sure that the virus scanner installed on your system is always up to date!

Make sure your Windows has the latest updates, so visit http://windowsupdate.microsoft.com/ as soon as possible to update to SP2.

If you have XP SP2, read here how to configure the Security Features for Internet Explorer:
http://www.microsoft...xp/iesecxp.mspx

More info on how to prevent malware can also be found here (by Tony Klein).

Happy surfing again! :)

#13 tager (Topic Starter, Member, 16 posts)
Thank you so much, I will make a donation in your honor. You have saved me a lot of headaches and a possible restore on my XP. Cheers!

#14 miekiemoes (Malware Expert, MVP, 5,503 posts)
Glad I could help you. :tazz:

#15 miekiemoes (Malware Expert, MVP, 5,503 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.