Geeks to Go forum

Malware attack, have I fixed it? [RESOLVED]

#1 Olorin
New Member, 7 posts
Hi, this is my first time using this forum, so I hope I am doing everything properly. I had a Spy Sheriff attack earlier this morning and I followed the instructions found in this thread:

Thread

I was able to do everything except run Nailfix, because the link was not working: http://users.pandora...chy/nailfix.exe


Anyway, my system seems to be working OK, but I wanted to post my logs so someone with much more knowledge about this than I have could check them over.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:51:27 AM, 9/6/2005
+ Report-Checksum: 6D386C9C

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -> Spyware.GameSpyArcade : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07} -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B75F75B8-93F3-429D-FF34-660B206D897A} -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{FFF5092F-7172-4018-827B-FA5868FB0478} -> Spyware.ZToolbar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501} -> Spyware.SimpleBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C285D18D-43A2-4AEF-83FB-BF280E660A97} -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{84C94803-B5EC-4491-B2BE-7B113E013B77} -> Spyware.SimpleBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ZToolbar.activator -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ZToolbar.activator\CLSID -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ZToolbar.activator\CurVer -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ZToolbar.ParamWr -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ZToolbar.ParamWr\CLSID -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ZToolbar.ParamWr\CurVer -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ZToolbar.StockBar -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ZToolbar.StockBar\CLSID -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ZToolbar.StockBar\CurVer -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -> Spyware.GameSpyArcade : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B75F75B8-93F3-429D-FF34-660B206D897A} -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFF5092F-7172-4018-827B-FA5868FB0478} -> Spyware.ZToolbar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Best Search Engine!!! -> Spyware.CoolWebSearch : Cleaned with backup
[264] C:\WINDOWS\system32\tcpG4T.dll -> TrojanSpy.Goldun.bp : Cleaned with backup
[1376] C:\WINDOWS\system32\init32m.exe -> TrojanDownloader.Agent.ho : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.175:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.176:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.177:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.189:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.190:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.191:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.192:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.193:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.208:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.209:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.210:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.211:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.212:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.250:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Masterstats : Cleaned with backup
:mozilla.364:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
:mozilla.440:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.441:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.442:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.443:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.460:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.532:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.549:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.550:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.551:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.552:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.554:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.555:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.556:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.557:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.558:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.559:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.560:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.562:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.563:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.564:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.572:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.573:C:\Documents and Settings\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Eric Gregory\Start Menu\Programs\SpySheriff -> Spyware.SpySheriff : Cleaned with backup
C:\Documents and Settings\Eric Gregory\Start Menu\Programs\SpySheriff\SpySheriff.lnk -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\Program Files\SpySheriff -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\base.avd -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\base001.avd -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\found.wav -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\heur000.dll -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\heur001.dll -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\heur002.dll -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\IESecurity.dll -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\notfound.wav -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\ProcMon.dll -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\removed.wav -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\SpySheriff.dvm -> Spyware.SpySheriff : Cleaned with backup
C:\Program Files\SpySheriff\Uninstall.exe -> Spyware.SpySheriff : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\gsda.dll -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\sys752.exe -> TrojanProxy.Lager.x : Cleaned with backup
C:\WINDOWS\sys753.exe -> TrojanDropper.Microjoin : Cleaned with backup
C:\WINDOWS\sys826.exe -> TrojanDropper.Microjoin : Cleaned with backup
C:\WINDOWS\sys833.exe -> TrojanProxy.Lager.x : Cleaned with backup
C:\WINDOWS\sys834.exe -> TrojanDropper.Microjoin : Cleaned with backup
C:\WINDOWS\sys835.exe -> TrojanDropper.Small.acz : Cleaned with backup
C:\WINDOWS\sys836.exe -> TrojanProxy.Lager.x : Cleaned with backup
C:\WINDOWS\sys837.exe -> TrojanDropper.Microjoin : Cleaned with backup
C:\WINDOWS\sys84.exe -> TrojanProxy.Lager.x : Cleaned with backup
C:\WINDOWS\sys85.exe -> TrojanDropper.Microjoin : Cleaned with backup
C:\WINDOWS\system32\clihanlm.exe -> TrojanDropper.Small.acz : Cleaned with backup
C:\WINDOWS\system32\dgnpkkcn.exe -> TrojanDropper.Small.acz : Cleaned with backup
C:\WINDOWS\system32\doser.exe -> Trojan.Small.fh : Cleaned with backup
C:\WINDOWS\system32\ekpmjkih.exe -> TrojanDropper.Small.acz : Cleaned with backup
C:\WINDOWS\system32\fmqfaboa.exe -> TrojanDropper.Small.acz : Cleaned with backup
C:\WINDOWS\system32\init32m.exe -> TrojanDownloader.Agent.ho : Cleaned with backup
C:\WINDOWS\system32\jnjcjfge.exe -> TrojanDropper.Small.acz : Cleaned with backup
C:\WINDOWS\system32\latest.exe -> Trojan.Crypt.l : Cleaned with backup
C:\WINDOWS\system32\socks.exe -> Worm.Bagz.i : Cleaned with backup
C:\WINDOWS\system32\sysvcs.exe -> Trojan.Crypt.l : Cleaned with backup
C:\WINDOWS\system32\tcpG4T.dll -> TrojanSpy.Goldun.bp : Cleaned with backup
C:\WINDOWS\system32\vxgame1.exe -> TrojanDropper.Small.acg : Cleaned with backup
C:\WINDOWS\system32\vxh8jkdq1.exe -> TrojanDownloader.Small.bho : Cleaned with backup
C:\WINDOWS\system32\vxh8jkdq2.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\vxh8jkdq8.exe -> TrojanDownloader.Small.bho : Cleaned with backup
C:\winld32.dll -> TrojanDownloader.Small.anu : Cleaned with backup
C:\winstall.exe -> Spyware.Hijacker.Generic : Cleaned with backup
:mozilla.26:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.27:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.28:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.29:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.65:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.66:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.175:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.176:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.177:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.189:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.190:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.191:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.192:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.193:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.208:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.209:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.210:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.211:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.212:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.250:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Masterstats : Cleaned with backup
:mozilla.364:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
:mozilla.440:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.441:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.442:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.443:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.460:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.532:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.549:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.550:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.551:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.552:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.554:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.555:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.556:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.557:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.558:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.559:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.560:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.562:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.563:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.564:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.572:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.573:D:\Documents and Settings Backup\Eric Gregory\Application Data\Mozilla\Firefox\Profiles\x92dl36h.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
D:\Documents and Settings Backup\Eric Gregory\Cookies\eric [email protected][1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
D:\Documents and Settings Backup\Eric Gregory\Cookies\eric [email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
D:\Documents and Settings Backup\Eric Gregory\Cookies\eric [email protected][1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
D:\Documents and Settings Backup\Eric Gregory\Cookies\eric [email protected][2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
D:\Documents and Settings Backup\Eric Gregory\Cookies\eric [email protected][1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
D:\Documents and Settings Backup\Eric Gregory\Cookies\eric gregory@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
D:\Documents and Settings Backup\Eric Gregory\Cookies\eric [email protected][1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
D:\Documents and Settings Backup\Eric Gregory\Cookies\eric gregory@com[1].txt -> Spyware.Cookie.Com : Cleaned with backup
D:\Documents and Settings Backup\Eric Gregory\Cookies\eric [email protected][1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
D:\Documents and Settings Backup\Eric Gregory\Cookies\eric [email protected][1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
D:\Documents and Settings Backup\Eric Gregory\Cookies\eric [email protected][2].txt -> Spyware.Cookie.Com : Cleaned with backup
D:\Documents and Settings Backup\Eric Gregory\Cookies\eric [email protected][1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
D:\Documents and Settings Backup\Eric Gregory\Cookies\eric gregory@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
D:\Documents and Settings Backup\Eric Gregory\Cookies\eric gregory@statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
D:\Downloads\alt.binaries.pictures.centerfolds.playboy\( aGRf - Some CCDE here ....rest in ABFPVP ) - ccde_PM199702_Yvonne_Hoffmann_29.jpg\Casino Treasure.exe -> Spyware.Casino : Cleaned with backup
D:\Downloads\Sorting\DivXToDVD + CopyToDVD + Crack.rar/CopyToDVD 3.0.41 Crack.zip/start.exe -> TrojanDropper.Bridge : Cleaned with backup


::Report End



Logfile of HijackThis v1.99.1
Scan saved at 8:02:08 AM, on 9/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\WINDOWS\System32\RioMSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\MSTMON_S.EXE
C:\WINDOWS\System32\kernels32.exe
C:\PROGRA~1\SecCopy\SecCopy.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\vxh8jkdq5.exe
C:\Program Files\ARM Software\MacroMaker\MacroMaker.exe
C:\Documents and Settings\Eric Gregory\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\WINDOWS\blank.mht
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Internet Apps\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KONICA MINOLTA magicolor 2400W STD] C:\WINDOWS\System32\MSTMON_S.EXE STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [Second Copy 2000] "C:\PROGRA~1\SecCopy\SecCopy.exe"
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] "C:\Program Files\Creative\SBAudigy2ZS\Program\Startup Menu\ChkColor.EXE"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\vxh8jkdq2.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\sysvcs.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Startup: MacroMaker.lnk = ?
O8 - Extra context menu item: Download with GetRight - C:\Internet Apps\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Internet Apps\GetRight\GRbrowse.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://www.goteamspeak.com
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120274636453
O20 - Winlogon Notify: tcpG4T - tcpG4T.dll (file missing)
O21 - SSODL: System - {22557BA4-6E3C-4402-BD78-27296F0AC589} - ssmc.dll (file missing)
O21 - SSODL: SysTray.Excn - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINDOWS\System32\hdffpinn.dll (file missing)
O21 - SSODL: Adobe PageMaker 7.0 - {C3A27168-041E-EA00-DE21-3C2F66D9D61F} - c:\program files\adobe\pagemaker 7.0\winalwh32.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTsvcCDA.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
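A triage pass over the kind of log posted above, as an added example (it is not a tool from this thread, nor part of HijackThis or ewido): it parses the HijackThis entries, flags the ones a helper looks at first, and cross-checks the O4 autostarts against the file paths the ewido report says it cleaned. The allowlist and the heuristics are assumptions made for this example; the sample lines are copied from the two logs in this post.

```python
"""Triage helper for HijackThis v1.99-style logs.

Added example, not a tool from this thread. Heuristics only: every hit is a
candidate for a human to review, not a verdict."""
import re
from dataclasses import dataclass

# Programs Windows or common drivers legitimately start from the Windows
# directory. A small allowlist for this example, not an exhaustive one.
KNOWN_SYSTEM_AUTOSTART = {"rundll32.exe", "nwiz.exe", "updreg.exe", "ctfmon.exe"}


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    reason: str
    line: str


def _first_path(text):
    """Return the first Windows path in an entry (quoted or bare), or None."""
    m = re.search(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\[^\s,]+)', text)
    return (m.group(1) or m.group(2)) if m else None


def cleaned_paths_from_ewido(report_text):
    """Collect the file paths an ewido-style scan report marked as cleaned.

    Registry and cookie entries (HKLM\\..., :mozilla.N:...) are skipped; only
    lines that start with a drive letter (optionally after a [pid]) count."""
    paths = set()
    for line in report_text.splitlines():
        m = re.match(r'^(?:\[\d+\] )?([A-Za-z]:\\.+?) -> \S+ : Cleaned', line)
        if m:
            paths.add(m.group(1).lower())
    return paths


def triage_hjt(log_text, cleaned_paths=frozenset()):
    """Scan HijackThis lines and return the entries that warrant a closer look."""
    cleaned = {p.lower() for p in cleaned_paths}
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r'^([RFO]\d+) - (.*)$', line)
        if not m:
            continue                      # process list, headers, blank lines
        section, body = m.groups()
        if section == "F2" and "Shell=" in body:
            # Winlogon's Shell value should be exactly Explorer.exe; anything
            # appended to it is started at every logon.
            shell = body.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                findings.append(Finding(section, "Winlogon Shell value starts an extra program", line))
        elif section in ("R0", "R1") and "file://" in body.lower():
            findings.append(Finding(section, "IE start/search page redirected to a local file", line))
        elif section == "O4":
            path = _first_path(body)
            if path is None:
                continue
            lowered = path.lower()
            name = lowered.rsplit("\\", 1)[-1]
            if lowered in cleaned:
                findings.append(Finding(section, "autostart still references a file the scanner cleaned", line))
            elif (name.endswith(".exe") and name not in KNOWN_SYSTEM_AUTOSTART
                  and re.match(r'^[a-z]:\\(?:windows\\(?:system32\\)?)?[^\\]+$', lowered)):
                findings.append(Finding(section, "unrecognised .exe starting from drive root or Windows directory", line))
        elif "(file missing)" in body or "(no file)" in body:
            # Orphaned hooks: the loader is gone but the registration remains
            # and should be removed so nothing can re-occupy the slot.
            findings.append(Finding(section, "orphaned entry: referenced file is missing", line))
    return findings


# Sample input: lines copied from the ewido report and the first HijackThis
# log in this post, trimmed to the entries the heuristics care about.
EWIDO_EXCERPT = r"""
[264] C:\WINDOWS\system32\tcpG4T.dll -> TrojanSpy.Goldun.bp : Cleaned with backup
C:\WINDOWS\system32\sysvcs.exe -> Trojan.Crypt.l : Cleaned with backup
C:\WINDOWS\system32\vxh8jkdq2.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\winstall.exe -> Spyware.Hijacker.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\ZToolbar.activator -> Spyware.Azsearch : Cleaned with backup
"""

HJT_EXCERPT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:\WINDOWS\blank.mht
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O3 - Toolbar: (no name) - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\vxh8jkdq2.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\System32\sysvcs.exe
O20 - Winlogon Notify: tcpG4T - tcpG4T.dll (file missing)
O21 - SSODL: System - {22557BA4-6E3C-4402-BD78-27296F0AC589} - ssmc.dll (file missing)
"""

if __name__ == "__main__":
    for f in triage_hjt(HJT_EXCERPT, cleaned_paths_from_ewido(EWIDO_EXCERPT)):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

Note that kernels32.exe, which both the F2 Shell value and an O4 Run entry load and which is still in the running-process list, does not appear anywhere in the ewido report, so the signature scan alone left that loader in place.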
#2 Rawe
Visiting Staff, 4,746 posts
Hello and welcome!!

Please print these instructions out, or write them down, as you can't read them during the fix.

Please download smitRem.exe and save the file to your desktop.
Double-click on the file to extract it to it's own folder on the desktop.

Next, please reboot your computer in Safe Mode by doing the following;

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log here in your next reply.

Reboot back into normal mode and post the Smitrem.txt file along with a fresh HiJackThis log. :tazz:
  • 0

#3
Olorin

Olorin

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thanks for the quick response, here are the logs you asked for:


smitRem log file
version 2.3

by noahdfear

The current date is: Tue 09/06/2005
The current time is: 9:21:32.34

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~

cars


~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN! :tazz:



Logfile of HijackThis v1.99.1
Scan saved at 9:45:34 AM, on 9/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\MSTMON_S.EXE
C:\PROGRA~1\SecCopy\SecCopy.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\ARM Software\MacroMaker\MacroMaker.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Eric Gregory\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.yahoo....ns?fr=fp-top&p=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Internet Apps\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KONICA MINOLTA magicolor 2400W STD] C:\WINDOWS\System32\MSTMON_S.EXE STARTUP
O4 - HKCU\..\Run: [Second Copy 2000] "C:\PROGRA~1\SecCopy\SecCopy.exe"
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] "C:\Program Files\Creative\SBAudigy2ZS\Program\Startup Menu\ChkColor.EXE"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: MacroMaker.lnk = ?
O8 - Extra context menu item: Download with GetRight - C:\Internet Apps\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Internet Apps\GetRight\GRbrowse.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://www.goteamspeak.com
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O20 - Winlogon Notify: tcpG4T - tcpG4T.dll (file missing)
O21 - SSODL: System - {22557BA4-6E3C-4402-BD78-27296F0AC589} - ssmc.dll (file missing)
O21 - SSODL: SysTray.Excn - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINDOWS\System32\hdffpinn.dll (file missing)
O21 - SSODL: Adobe PageMaker 7.0 - {C3A27168-041E-EA00-DE21-3C2F66D9D61F} - c:\program files\adobe\pagemaker 7.0\winalwh32.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTsvcCDA.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#4
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
First:
  • Clean out temporary files:
  • Click Start -> Run and type in: cleanmgr
  • Click "Ok".
  • Let it scan your system.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only ones checked.
  • Click "OK" to remove them.
  • Click "Yes" to confirm the deletion.
Ok, then run a scan with HiJackThis and check the following objects for removal:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.yahoo....ns?fr=fp-top&p=
O20 - Winlogon Notify: tcpG4T - tcpG4T.dll (file missing)
O21 - SSODL: System - {22557BA4-6E3C-4402-BD78-27296F0AC589} - ssmc.dll (file missing)
O21 - SSODL: SysTray.Excn - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINDOWS\System32\hdffpinn.dll (file missing)


Close ALL open windows except for HiJackThis and hit FIX CHECKED.

Next do this:

Please download and run Blacklight
F-Secure Blacklight: http://www.f-secure....light/try.shtml
leave [X]scan through windows explorer checked,
click > scan > If any items are found click > next and close the program.

How to use F-Secure Blacklight
http://www.europe.f-...lacklight/help/

Finally:

Download cureit;
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Run drweb - cureit
Double-click the "drweb-cureit.exe" and click "ok" in the prompt window that will open, asking "start the express scan now".
It will first make a quick scan of your system, let it clean what it finds, and when it says "done" in the lower left corner click on all your drives.
A red dot will mark the selected drive(s). Then hit the pedestrian who has now turned green.
Click on the green man in the right corner, it will scan ALL your drives, hit yes to all.

Reboot.

Post a fresh HiJackThis log once finished. :tazz:
  • 0
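As an added example (not a tool from this thread or from the HijackThis author), the script below parses HijackThis-style entry lines and flags the patterns the helper singled out above: O20/O21 entries whose DLL is "(file missing)" and an R0 start page that is not on an allow list. The sample lines are copied from the log posted in this thread; the allow-list URL is an assumption.

```python
"""Triage helper for HijackThis v1.99-style log lines (added example)."""
import re
from dataclasses import dataclass

# Entry types that load a DLL early in the logon / shell start-up path.
EARLY_LOAD_TYPES = {"O20", "O21"}

@dataclass
class Finding:
    line: str
    severity: str   # "high" or "low"
    reason: str

# "O21 - SSODL: ..." -> type "O21", rest "SSODL: ..."
LINE_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<rest>.*)$")

def parse_entry(line):
    """Split a HijackThis entry line into (type, rest); None for non-entries."""
    m = LINE_RE.match(line.strip())
    return (m.group("type"), m.group("rest")) if m else None

def triage(lines, known_start_pages=()):
    """Return Findings for the entry patterns acted on in this thread.

    known_start_pages is an allow list: any R0 Start Page not in it is flagged.
    """
    findings = []
    for raw in lines:
        parsed = parse_entry(raw)
        if parsed is None:
            continue
        etype, rest = parsed
        entry = raw.strip()
        if etype in EARLY_LOAD_TYPES and "(file missing)" in rest:
            findings.append(Finding(entry, "high",
                f"{etype} autostart points at a DLL that is gone; "
                "leftover loader entry from the removed malware"))
        elif etype == "O23" and "(file missing)" in rest:
            findings.append(Finding(entry, "low",
                "service binary missing; orphaned service, not malicious by itself"))
        elif etype == "R0" and "Start Page" in rest:
            url = rest.split("=", 1)[1].strip() if "=" in rest else ""
            if url not in known_start_pages:
                findings.append(Finding(entry, "high",
                    f"start page set to {url or '(empty)'}, not on the allow list"))
    return findings

# Constructed sample: lines copied from the HijackThis log posted in this thread
# (the search URL is truncated exactly as the forum displayed it).
SAMPLE_LOG = [
    "R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://search.yahoo....ns?fr=fp-top&p=",
    "O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll",
    "O20 - Winlogon Notify: tcpG4T - tcpG4T.dll (file missing)",
    "O21 - SSODL: System - {22557BA4-6E3C-4402-BD78-27296F0AC589} - ssmc.dll (file missing)",
    "O21 - SSODL: SysTray.Excn - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\\WINDOWS\\System32\\hdffpinn.dll (file missing)",
    "O21 - SSODL: Adobe PageMaker 7.0 - {C3A27168-041E-EA00-DE21-3C2F66D9D61F} - c:\\program files\\adobe\\pagemaker 7.0\\winalwh32.dll",
    "O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\\WINDOWS\\System32\\CTsvcCDA.exe (file missing)",
]

if __name__ == "__main__":
    # "about:blank" as the only allowed start page is an assumption for the demo.
    for f in triage(SAMPLE_LOG, known_start_pages=("about:blank",)):
        print(f"[{f.severity}] {f.line}\n    {f.reason}")
```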

#5
Olorin

Olorin

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts

Please download and run blacklite
F-Secure Blacklight: http://www.f-secure....light/try.shtml
leave [X]scan through windows explorer checked,
click > scan > If any items are found click > next and close the program.

I cannot get this link to work, and I do not see a product called Blacklight on the secure.com page. Is there an alternative link?
  • 0

#6
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Click on the link and hit "Accept"..

If it won't work, here's another.. Should work? http://www.f-secure.com/blacklight/
  • 0

#7
Olorin

Olorin

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
I am afraid not, neither link works on either of my computers.
  • 0

#8
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Go to: http://www.f-secure.com/

Look at the list under What's New, and click on the last link stating: F-Secure BlackLight Rootkit Elimination Technology

And see if this works for you?
  • 0

#9
Olorin

Olorin

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
I was able to get Blacklight and run all the apps you suggested, here is my logfile:


Logfile of HijackThis v1.99.1
Scan saved at 4:15:44 PM, on 9/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\MSTMON_S.EXE
C:\PROGRA~1\SecCopy\SecCopy.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\ARM Software\MacroMaker\MacroMaker.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Eric Gregory\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Internet Apps\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KONICA MINOLTA magicolor 2400W STD] C:\WINDOWS\System32\MSTMON_S.EXE STARTUP
O4 - HKCU\..\Run: [Second Copy 2000] "C:\PROGRA~1\SecCopy\SecCopy.exe"
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] "C:\Program Files\Creative\SBAudigy2ZS\Program\Startup Menu\ChkColor.EXE"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: MacroMaker.lnk = ?
O8 - Extra context menu item: Download with GetRight - C:\Internet Apps\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Internet Apps\GetRight\GRbrowse.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: http://www.goteamspeak.com
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O21 - SSODL: Adobe PageMaker 7.0 - {C3A27168-041E-EA00-DE21-3C2F66D9D61F} - c:\program files\adobe\pagemaker 7.0\winalwh32.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTsvcCDA.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#10
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
How is the system running? :tazz:
  • 0

#11
Olorin

Olorin

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Seems to be fine, I certainly have not noticed any problems. So unless you see something wrong in the log file I think it is fixed. :tazz:

If that is the case, I want to thank you for all the help; I was sure yesterday morning when all that crap popped up that I was going to have to reinstall my OS to get rid of it.

Thanks again,

Eric
  • 0

#12
Olorin

Olorin

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
One final thing, could you tell me how to clear and then reset my system restore point?
  • 0

#13
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Great job, it's great to be of help! :)

Let's clear out your restore points now.

Disable System Restore;

1. Click Start > Programs > Accessories > Windows Explorer
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Check the "Turn off System Restore"
5. Click Apply. A message shows up.
6. Click "Yes" to do this.
7. Confirm with "Ok".


Reboot.

Enable System Restore;

1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck the "Turn off System Restore" check box.
5. Click Apply, and then click "OK".


System Restore will now be active again. :) Be sure to set a new restore point.

Here are some tips for the future to prevent spyware;

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed. (My favourite)
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites, etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall <= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
And also see TonyKlein's good advice;
So how did I get infected in the first place? (My favourite)

Install Service Pack 2!

Visit;
http://www.windowsupdate.com and install ALL the critical updates available!

If you want to learn how to help people with malware problems like I helped you, feel free to take a look at this thread; http://www.geekstogo...here-t4817.html :tazz:
  • 0

#14
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





