qwerty123search attacked [CLOSED]


This topic is locked

#1
nolando360
New Member
1 posts
Hi guys...

My friends said that when I ran into some big viruses I would be like a baby without a diaper and so yes...here I am...I have had the qwertysearch123 thing for quite a while...it had redirected my homepage and taken my favourites and I have a sneaking suspicion that it is shutting down my computer on its own from time to time, as this has been another occasional symptom...have gone through all of the usual steps on this site, including adaware, CW shredder, spybot, ewido, housecall, avg, and trojan hunter...seems I still have 6-8 trojan horses...may have been hit hard and left it too long... In short I am indeed a baby without a diaper...but I am mad as [bleep] and I'm not gonna take it anymore!!

thanks for all your help guys!

Here are the results of my ewido scan:

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:05:57 AM, 11/09/2005
+ Report-Checksum: 43057121

+ Scan result:

C:\Documents and Settings\Dirty Stranger\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-1ac02c55-40b1486f.class -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Dirty Stranger\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-305f4c99-7940e991.class -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Dirty Stranger\Cookies\dirty stranger@112.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Dirty Stranger\Cookies\dirty stranger@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Dirty Stranger\Cookies\dirty stranger@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Dirty Stranger\Cookies\dirty stranger@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Dirty Stranger\Cookies\dirty stranger@cz3.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Dirty Stranger\Cookies\dirty stranger@cz4.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Dirty Stranger\Cookies\dirty stranger@cz6.clickzs[1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Dirty Stranger\Cookies\dirty stranger@cz7.clickzs[1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Dirty Stranger\Cookies\dirty stranger@cz8.clickzs[1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Dirty Stranger\Cookies\dirty stranger@cz9.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Dirty Stranger\Cookies\dirty stranger@download.com[1].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Dirty Stranger\Cookies\dirty stranger@edge.ru4[2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Dirty Stranger\Cookies\dirty stranger@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Dirty Stranger\Cookies\dirty stranger@ivwbox[1].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
C:\Documents and Settings\Dirty Stranger\Cookies\dirty stranger@sales.liveperson[1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Dirty Stranger\Cookies\dirty stranger@vip.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Dirty Stranger\Cookies\dirty stranger@www.burstbeacon[2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Dirty Stranger\Cookies\dirty stranger@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkowjc5wgpa2dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Nolan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-531c338a-4e6528a8.class -> Trojan.Byteverify : Cleaned with backup
C:\Documents and Settings\Nolan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-5ef20017-5dcdb11d.zip/Gummy.class -> Trojan.Java.Femad : Cleaned with backup
C:\Documents and Settings\Nolan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.jar-31224f6f-77bd1ba5.zip/Dummy.class -> Trojan.ClassLoader.Dummy.d : Cleaned with backup
C:\Documents and Settings\Nolan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-487b52a0-4c011a59.zip/BlackBox.class -> TrojanDropper.Beyond.g : Cleaned with backup
C:\Documents and Settings\Nolan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-487b52a0-4c011a59.zip/Beyond.class -> TrojanDropper.Beyond.g : Cleaned with backup
C:\Documents and Settings\Nolan\Cookies\nolan@112.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Nolan\Cookies\nolan@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Nolan\Cookies\nolan@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Nolan\Cookies\nolan@adorigin[1].txt -> Spyware.Cookie.Adorigin : Cleaned with backup
C:\Documents and Settings\Nolan\Cookies\nolan@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Nolan\Cookies\nolan@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Nolan\Cookies\nolan@cz3.clickzs[1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Nolan\Cookies\nolan@cz4.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Nolan\Cookies\nolan@cz6.clickzs[1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Nolan\Cookies\nolan@cz7.clickzs[1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Nolan\Cookies\nolan@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Nolan\Cookies\nolan@download.com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Nolan\Cookies\nolan@e-2dj6wjnyukdpadp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Nolan\Cookies\nolan@image.masterstats[2].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Nolan\Cookies\nolan@ivwbox[1].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
C:\Documents and Settings\Nolan\Cookies\nolan@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Nolan\Cookies\nolan@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Nolan\Cookies\nolan@specificpop[1].txt -> Spyware.Cookie.Specificpop : Cleaned with backup
C:\Documents and Settings\Nolan\Cookies\nolan@www.burstbeacon[1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Nolan\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0F.dat/files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\Documents and Settings\Nolan\Local Settings\Temporary Internet Files\Content.IE5\25DMRETC\CAODMV8X.htm -> Trojan.Smitfraud : Cleaned with backup
C:\Documents and Settings\Nolan\Local Settings\Temporary Internet Files\Content.IE5\25DMRETC\CARYG7B9.htm -> Trojan.Smitfraud : Cleaned with backup
C:\Documents and Settings\Nolan\Local Settings\Temporary Internet Files\Content.IE5\25DMRETC\setdata[1].htm -> Trojan.Smitfraud : Cleaned with backup
C:\Documents and Settings\Nolan\Local Settings\Temporary Internet Files\Content.IE5\25DMRETC\setdata[2].htm -> Trojan.Smitfraud : Cleaned with backup
C:\Documents and Settings\Nolan\Local Settings\Temporary Internet Files\Content.IE5\25DMRETC\setdata[3].htm -> Trojan.Smitfraud : Cleaned with backup
C:\Documents and Settings\Nolan\Local Settings\Temporary Internet Files\Content.IE5\25DMRETC\setdata[4].htm -> Trojan.Smitfraud : Cleaned with backup
C:\Documents and Settings\Nolan\Local Settings\Temporary Internet Files\Content.IE5\25DMRETC\SetData[5].htm -> Trojan.Smitfraud : Cleaned with backup
C:\Documents and Settings\Nolan\Local Settings\Temporary Internet Files\Content.IE5\25DMRETC\SetData[6].htm -> Trojan.Smitfraud : Cleaned with backup
C:\Documents and Settings\Nolan\Local Settings\Temporary Internet Files\Content.IE5\43FZQOHT\CAEF2ZAP.htm -> Trojan.Smitfraud : Cleaned with backup
C:\Documents and Settings\Nolan\Local Settings\Temporary Internet Files\Content.IE5\43FZQOHT\CAWXEBS1.htm -> Trojan.Smitfraud : Cleaned with backup
C:\Documents and Settings\Nolan\Local Settings\Temporary Internet Files\Content.IE5\43FZQOHT\CAZI8NVD.htm -> Trojan.Smitfraud : Cleaned with backup
C:\Documents and Settings\Nolan\Local Settings\Temporary Internet Files\Content.IE5\43FZQOHT\netv[1].anr -> TrojanDownloader.Ani.c : Cleaned with backup
C:\Documents and Settings\Nolan\Local Settings\Temporary Internet Files\Content.IE5\43FZQOHT\setdata[1].htm -> Trojan.Smitfraud : Cleaned with backup
C:\Documents and Settings\Nolan\Local Settings\Temporary Internet Files\Content.IE5\43FZQOHT\setdata[2].htm -> Trojan.Smitfraud : Cleaned with backup
C:\Documents and Settings\Nolan\Local Settings\Temporary Internet Files\Content.IE5\43FZQOHT\setdata[3].htm -> Trojan.Smitfraud : Cleaned with backup
C:\Documents and Settings\Nolan\Local Settings\Temporary Internet Files\Content.IE5\43FZQOHT\setdata[4].htm -> Trojan.Smitfraud : Cleaned with backup
C:\Documents and Settings\Nolan\Local Settings\Temporary Internet Files\Content.IE5\43FZQOHT\setdata[5].htm -> Trojan.Smitfraud : Cleaned with backup
C:\Documents and Settings\Nolan\Local Settings\Temporary Internet Files\Content.IE5\43FZQOHT\SetData[6].htm -> Trojan.Smitfraud : Cleaned with backup
C:\Documents and Settings\Nolan\Local Settings\Temporary Internet Files\Content.IE5\6YT9MECM\count[2].htm -> TrojanDownloader.Inor.a : Cleaned with backup
C:\Documents and Settings\Nolan\Local Settings\Temporary Internet Files\Content.IE5\FMGF3DWH\CABUET7J.htm -> Trojan.Smitfraud : Cleaned with backup
C:\Documents and Settings\Nolan\Local Settings\Temporary Internet Files\Content.IE5\FMGF3DWH\CAS5O90N.htm -> Trojan.Smitfraud : Cleaned with backup
C:\Documents and Settings\Nolan\Local Settings\Temporary Internet Files\Content.IE5\FMGF3DWH\setdata[1].htm -> Trojan.Smitfraud : Cleaned with backup
C:\Documents and Settings\Nolan\Local Settings\Temporary Internet Files\Content.IE5\FMGF3DWH\setdata[2].htm -> Trojan.Smitfraud : Cleaned with backup
C:\Documents and Settings\Nolan\Local Settings\Temporary Internet Files\Content.IE5\FMGF3DWH\setdata[3].htm -> Trojan.Smitfraud : Cleaned with backup
C:\Documents and Settings\Nolan\Local Settings\Temporary Internet Files\Content.IE5\FMGF3DWH\setdata[4].htm -> Trojan.Smitfraud : Cleaned with backup
C:\Documents and Settings\Nolan\Local Settings\Temporary Internet Files\Content.IE5\FMGF3DWH\setdata[5].htm -> Trojan.Smitfraud : Cleaned with backup
C:\Documents and Settings\Nolan\Local Settings\Temporary Internet Files\Content.IE5\FMGF3DWH\SetData[6].htm -> Trojan.Smitfraud : Cleaned with backup
C:\Documents and Settings\Nolan\Local Settings\Temporary Internet Files\Content.IE5\FMGF3DWH\SetData[7].htm -> Trojan.Smitfraud : Cleaned with backup
C:\Documents and Settings\Nolan\Local Settings\Temporary Internet Files\Content.IE5\RZ97V5GW\CA7269FN.htm -> Trojan.Smitfraud : Cleaned with backup
C:\Documents and Settings\Nolan\Local Settings\Temporary Internet Files\Content.IE5\RZ97V5GW\CAH0ETDJ.htm -> Trojan.Smitfraud : Cleaned with backup
C:\Documents and Settings\Nolan\Local Settings\Temporary Internet Files\Content.IE5\RZ97V5GW\CAN6ETJJ.htm -> Trojan.Smitfraud : Cleaned with backup
C:\Documents and Settings\Nolan\Local Settings\Temporary Internet Files\Content.IE5\RZ97V5GW\setdata[1].htm -> Trojan.Smitfraud : Cleaned with backup
C:\Documents and Settings\Nolan\Local Settings\Temporary Internet Files\Content.IE5\RZ97V5GW\setdata[2].htm -> Trojan.Smitfraud : Cleaned with backup
C:\Documents and Settings\Nolan\Local Settings\Temporary Internet Files\Content.IE5\RZ97V5GW\setdata[3].htm -> Trojan.Smitfraud : Cleaned with backup
C:\Documents and Settings\Nolan\Local Settings\Temporary Internet Files\Content.IE5\RZ97V5GW\setdata[4].htm -> Trojan.Smitfraud : Cleaned with backup
C:\Documents and Settings\Nolan\Local Settings\Temporary Internet Files\Content.IE5\RZ97V5GW\SetData[5].htm -> Trojan.Smitfraud : Cleaned with backup
C:\WINDOWS\SYSTEM\sysapp.exe -> TrojanDownloader.Donn.a : Cleaned with backup
C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.2.0.007\npwthost.dll -> Spyware.WildTangent : Cleaned with backup
C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.2.0.007\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent : Cleaned with backup

::Report End

and here is my hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:13:55 AM, on 11/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\P2P Downloads\hijack this\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} - http://www.streamaud...d/ccpm_0237.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F33C677E-379D-48A2-9B29-FDF1BA4E842C}: NameServer = 210.191.71.1 218.40.228.9
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol hijack: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol hijack: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol hijack: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol hijack: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6}
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\System32\inetcomm.dll
O18 - Protocol hijack: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
O18 - Protocol hijack: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B}
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol hijack: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E}
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol hijack: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE}
O20 - AppInit_DLLs: avpcc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
Please take pity on me here guys and spell it out simply for me - I really am feeling overwhelmed at this point.

thanks again
#2
greyknight17
Malware Expert
Visiting Consultant
16,560 posts
Welcome to GTG.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools (or View)->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders (it's Show all files for Windows 98).
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Make sure you downloaded, installed, updated and ran these programs (run in Safe Mode) already - Ad-aware, Spybot and Ewido (only if you have Windows 2000 or XP). If you didn't, do them now. For more information, go to http://www.greyknigh...com/spyware.htm

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if the main link doesn't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Click on Start->Settings->Control Panel->Java Plug-in and click on the Cache tab. Then click on the Clear button and hit OK.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

WildTangent - This is an online gaming package that is installed by a number of third party applications and even OEMs, ISPs and AIM. The games aspect of this is really rather cool. Being installed without you asking for it isn't cool at all. They collect information about you and your usage. We recommend uninstalling it.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O20 - AppInit_DLLs: avpcc.dll


Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\Program Files\WildTangent\
avpcc.dll


Restart and run BOTH these scans:

Run an online virus scan at TrendMicro http://uk.trendmicro...call_launch.php. Just follow the instructions on the site to run the free online scan. If any viruses/trojans are detected, try to delete or clean them in that site. If any are not cleanable, copy and paste the infected files here. You may also use Panda ActiveScan at http://www.pandasoft...ucts/activescan. Post the log from the Panda scan here.

Restart and run a new HijackThis scan. Save the log file and post it here along with the Panda log.
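Added example (not part of this thread, and not HijackThis's own code): a small Python triage script that parses HijackThis O-numbered lines like the ones in post #1 and flags the entries greyknight17 pointed at (the WildTangent O4 entry and the O20 AppInit_DLLs line), plus the O6/O17/O18 lines that always deserve a manual look. The sample lines are copied from the log above; the rule set, the blocklist and every function name are my own assumptions.

```python
import re
from typing import List, Tuple

# Lines copied from the HijackThis v1.99.1 log posted in this thread
# (header lines without an "O<n> - " prefix are skipped by the parser).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O17 - HKLM\System\CCS\Services\Tcpip\..\{F33C677E-379D-48A2-9B29-FDF1BA4E842C}: NameServer = 210.191.71.1 218.40.228.9
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol hijack: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B}
O20 - AppInit_DLLs: avpcc.dll
"""

# Every HijackThis entry has the shape "<section> - <body>",
# e.g. "O20 - AppInit_DLLs: avpcc.dll".
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")

# Hypothetical blocklist: the two names the helper in this thread singled out.
DEFAULT_BLOCKLIST = ("wildtangent", "avpcc.dll")

Finding = Tuple[str, str, str]  # (section, reason, original body)


def parse_entries(log_text: str) -> List[Tuple[str, str]]:
    """Return (section, body) for each O-numbered line; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def check_entry(section: str, body: str, blocklist=DEFAULT_BLOCKLIST) -> str:
    """Return a short reason if the entry deserves attention, else an empty string."""
    lowered = body.lower()
    if any(name in lowered for name in blocklist):
        return "matches blocklisted name"
    if section == "O20" and lowered.startswith("appinit_dlls:"):
        # AppInit_DLLs is loaded into every process that loads user32.dll;
        # on a home PC it is normally empty.
        value = body.split(":", 1)[1].strip()
        if value:
            return "non-empty AppInit_DLLs value"
    if section == "O18" and lowered.startswith("protocol hijack:"):
        # HijackThis prints 'hijack' when the handler CLSID is not the one it
        # expects; that needs manual review and is not by itself proof of infection.
        return "protocol handler CLSID not the expected one (review)"
    if section == "O17" and "nameserver" in lowered:
        # A hard-coded DNS server is only a problem if it is not your ISP's/network's.
        return "custom NameServer (confirm it belongs to your ISP)"
    if section == "O6":
        # IE restriction policies may be set by malware or by an anti-spyware
        # tool's lockdown feature; either way, review them.
        return "IE restriction policy present (review)"
    return ""


def triage(log_text: str, blocklist=DEFAULT_BLOCKLIST) -> List[Finding]:
    """Run check_entry over every parsed entry and collect the flagged ones."""
    findings = []
    for section, body in parse_entries(log_text):
        reason = check_entry(section, body, blocklist)
        if reason:
            findings.append((section, reason, body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section:4} {reason:55} {body[:70]}")
```

Everything it flags is a "look at this" list for a human, in the spirit of the helper's instructions; it does not change anything on the machine.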

#3
greyknight17
Malware Expert
Visiting Consultant
16,560 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.