Winfixer popup [resolved]



#16
coachwife6 (Retired Staff)
Can you still run ewido? Have the 14 days run out yet? If not, update it and run it again and post the log here.

Please run activescan again, this time scanning My Computer. I think it's the first option. Give me both logs. It is still there, but I want to clean up the excess junk before we tackle it again. You are doing a great job. :tazz:

#17
dcohen106 (Topic Starter)
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:16:47 AM, 9/28/2005
+ Report-Checksum: F63B45A8

+ Scan result:

C:\!Submit\bakexp.dll -> Spyware.Virtumonde : Cleaned with backup
C:\Documents and Settings\David\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\David\Cookies\[email protected][2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\David\Cookies\david@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\David\Cookies\david@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup


::Report End


Incident Status Location

Spyware:spyware/whazit No disinfected C:\WINDOWS\SYSTEM32\fiz1
Spyware:spyware/betterinet No disinfected C:\WINDOWS\INF\biini.inf
Adware:adware/ncase No disinfected C:\WINDOWS\msbb.exe.temp
Adware:adware/savenow No disinfected Windows Registry
Spyware:Spyware/Virtumonde No disinfected C:\!Submit\bakexp.dll
Dialer:Dialer.TY No disinfected C:\Documents and Settings\David\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-487b52a0-17c1588b.zip[winmodem.exe]
Adware:Adware/BlazeFind No disinfected C:\Documents and Settings\David\Application Data\Tenebril\GhostSurf\3.0\Spyware history\Restore\08914dc79e02d2f7fa810a51973c9a20
Adware:Adware/Iagold No disinfected C:\Documents and Settings\David\Application Data\Tenebril\GhostSurf\3.0\Spyware history\Restore\110b63c0badfca8d62d7b541de494e92
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\inf\bi6.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\inf\biini.inf

#18
coachwife6 (Retired Staff)
Boot into safe mode and find these files and folders and delete them:

C:\WINDOWS\SYSTEM32\fiz1
C:\WINDOWS\INF\biini.inf
C:\WINDOWS\msbb.exe.temp
C:\!Submit\bakexp.dll
C:\WINDOWS\inf\bi6.inf

#19
dcohen106 (Topic Starter)
C:\!Submit\bakexp.dll is not in the folder... but the other one is. vtsts.dll Do you want me to delete it.. and if I can't boot into safe mode what can I do. Every time I get a black screen with safe mode in the corners like I am supposed to but no icons show up and no start menu appears. The question asking if u want to continue in safe mode pops up and disappears too quick for me to hit yes
Edit: And there are 13 fiz's do u want me to delete them all or just 1
And the biini has a biini.inf and a biini.pnf Delete just the inf or both

Edited by dcohen106, 29 September 2005 - 04:45 PM.


#20
coachwife6 (Retired Staff)
I am so sorry...it seems like we keep missing each other. Remember when I told you we would get rid of one vundo ....let's see if we can get rid of the other one.

Please disable winpatrol, spycatcher and microsoft antispyware.

Please print these instructions out for use in Safe Mode.

* Double-click VundoFix.exe to extract the files
* This will create a VundoFix folder on your desktop.
* After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
* Once in safe mode open the VundoFix folder and double-click on KillVundo.bat
* You will first be presented with a warning and a list of forums to seek help at.
It should look like this:

VundoFix V2.1 by Atri
      By using VundoFix you agree that you are doing so at your own risk
      This list of forums is provided as an example of where to go to obtain help!!
      http://www.atribune.org/forums
      http://www.247fixes.com/forums
      http://www.geekstogo.com/forum
      http://forums.net-integration.net
      http://castlecops.com/forums.html
      http://www.besttechie.net/forums
      Press enter to continue....



* At this point press enter one time.

* Next you will see:

Type in the filepath as instructed by the forum staff
      Then Press Enter, Then F6, Then Enter Again to continue with the fix.



* At this point please type the following file path (make sure to enter it exactly as below!):
C:\WINDOWS\system32\vtsts.dll

* Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

* Next you will see:

Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.
* At this point please type the following file path (make sure to enter it exactly as below!):
This will be the vundo filename spelt backwards. For example, if the vundo dll was vundo.dll you would have the user enter odnuv.*
C:\WINDOWS\system32\ststv
* Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
* The fix will run then HijackThis will open.
* In HiJackThis, please place a check next to the following items and click FIX CHECKED: (if they are there)

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\vtsts.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\SERVIC~1\i386\bakexp.dll

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe

O20 - Winlogon Notify: bakexp - C:\WINDOWS\SERVIC~1\i386\bakexp.dll
O20 - Winlogon Notify: vtsts - C:\WINDOWS\SYSTEM32\vtsts.dll



* After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
* Pressing any key will cause a "Blue Screen of Death"; this is normal, do not worry!
* Once your machine reboots please continue with the instructions below.

Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

#21
dcohen106 (Topic Starter)
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Suspending PID 524 'smss.exe'
Threads [528][532][536]

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1564 'explorer.exe'
Killing PID 1564 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 620 'winlogon.exe'
Killing PID 620 'winlogon.exe'
File Deleted sucessfully.
Files Deleted sucessfully.
----------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 11:15:02 PM, on 9/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\SpyCatcher\DeleteSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM\aim.exe
C:\Program Files\SpyCatcher\Scheduler daemon.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.skirmishleague.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\Program Files\SpyCatcher\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.or...iveX/ofmctl.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v5.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Tenebril antispyware satellite (TNBRLDS) - Tenebril Inc. - C:\Program Files\SpyCatcher\DeleteSvc.exe
  • 0
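
As an added example (not part of the original thread and not the helper's own tooling), this Python script checks a HijackThis log for the BHO, DPF and Winlogon Notify indicators listed in post #20. The function names are hypothetical; BEFORE is built from that fix list and AFTER is an excerpt of the log in post #21.

```python
import re

# A HijackThis entry line is "<section> - <details>", e.g. "O2 - BHO: ... - {CLSID} - path".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Indicators copied from the fix list in post #20 of this thread.
BAD_FILES = ("vtsts.dll", "bakexp.dll")
BAD_CLSIDS = {
    "{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}",
    "{827DC836-DD9F-4A68-A602-5812EB50A834}",
    "{41F17733-B041-4099-A042-B518BB6A408C}",
}

def parse_entries(log_text):
    """Yield (section, body) per entry; header and process-list lines are skipped."""
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            yield match.group("section"), match.group("body")

def remaining_indicators(log_text):
    """Return the entries that still reference a listed CLSID or file name."""
    hits = []
    for section, body in parse_entries(log_text):
        clsids = {c.upper() for c in CLSID_RE.findall(body)}
        lowered = body.lower()  # Windows paths are case-insensitive
        if clsids & BAD_CLSIDS or any("\\" + name in lowered for name in BAD_FILES):
            hits.append(f"{section} - {body}")
    return hits

# The four BHO / Winlogon Notify lines from post #20, as they appear before the fix.
BEFORE = r"""
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\vtsts.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\SERVIC~1\i386\bakexp.dll
O20 - Winlogon Notify: bakexp - C:\WINDOWS\SERVIC~1\i386\bakexp.dll
O20 - Winlogon Notify: vtsts - C:\WINDOWS\SYSTEM32\vtsts.dll
"""

# Excerpt of the log in post #21, taken after the fix was run.
AFTER = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
"""

if __name__ == "__main__":
    for label, log in (("before", BEFORE), ("after", AFTER)):
        hits = remaining_indicators(log)
        print(f"{label}: {len(hits)} listed entries present")
        for hit in hits:
            print("  " + hit)
```

An empty result only shows that the listed autostart entries no longer appear in the log; whether the files themselves are gone from disk is what the follow-up scanner reports confirm.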

#22
coachwife6 (Retired Staff)
How are things running now?

#23
dcohen106 (Topic Starter)
It's running good, haven't gotten ne popups from them. My comp is a little slow but I don't know why, I have 5GB free on my computer thinking it would run faster but I don't know why it isn't. It's not this spyware tho since I think it is gone, and this ActiveScan took so long, so I finally got it, I left it running when I went to bed.


Incident Status Location

Spyware:spyware/whazit No disinfected C:\WINDOWS\SYSTEM32\fiz1
Spyware:spyware/betterinet No disinfected C:\WINDOWS\INF\biini.inf
Adware:adware/ncase No disinfected C:\WINDOWS\msbb.exe.temp
Adware:adware/savenow No disinfected Windows Registry
Dialer:Dialer.TY No disinfected C:\Documents and Settings\David\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-487b52a0-17c1588b.zip[winmodem.exe]
Adware:Adware/BlazeFind No disinfected C:\Documents and Settings\David\Application Data\Tenebril\GhostSurf\3.0\Spyware history\Restore\08914dc79e02d2f7fa810a51973c9a20
Adware:Adware/Iagold No disinfected C:\Documents and Settings\David\Application Data\Tenebril\GhostSurf\3.0\Spyware history\Restore\110b63c0badfca8d62d7b541de494e92
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\inf\bi6.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\inf\biini.inf

#24
coachwife6 (Retired Staff)
Boot into safe mode and find these files and delete them.

C:\WINDOWS\SYSTEM32\fiz1
C:\WINDOWS\INF\<<entire folder
C:\WINDOWS\msbb.exe.temp

Please reset your restore points.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

#25
dcohen106 (Topic Starter)
aitee, I did that and everything looks good. tyvm for your help. If I need help in the future I hope you will be there again.

#26
coachwife6 (Retired Staff)
Since this topic is resolved, it will now be closed. If you are the topic starter and need it reopened, please PM a staff member.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • Weather Watcher - Free taskbar weather program that is free, malware free, and resource light.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein.