Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

"Your System Is Infected!" [RESOLVED]

Started by benny244 , Oct 02 2005 06:59 AM

This topic is locked

#1
benny244

Posted 02 October 2005 - 06:59 AM

Member

Member
31 posts

Hi.

This morning, my desktop background changed to blue with a black box on it, and inside the black box the words "YOUR SYSTEM IS INFECTED!" appear in big red letters. I've tried to change my desktop background back to what it was, but it seems I'm unable to. In addition, I'm getting countless pop-ups.

I've tried running such things as Ad-Aware and Spybot, but to no avail.

My HijackThis log reads as follows:

Logfile of HijackThis v1.99.1
Scan saved at 13:48:45, on 02/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ntzp32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\DOCUME~1\BENLAU~1\LOCALS~1\Temp\4.tmp.exe
C:\Program Files\I8kfanGUI\i8kfangui.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\iefs32.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Documents and Settings\Ben Laughlin\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kgzsq.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kgzsq.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kgzsq.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kgzsq.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kgzsq.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kgzsq.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kgzsq.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {1D2B4801-A011-DCC7-6473-EE9347CFFA75} - C:\WINDOWS\crgg.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Class - {D880E649-6073-8D01-04CC-3F321F6D56A5} - C:\WINDOWS\addyu32.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [RemHelp] remhelp.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msrm.exe] C:\WINDOWS\system32\msrm.exe
O4 - HKLM\..\Run: [4.tmp] C:\DOCUME~1\BENLAU~1\LOCALS~1\Temp\4.tmp.exe
O4 - HKLM\..\Run: [4.tmp.exe] C:\DOCUME~1\BENLAU~1\LOCALS~1\Temp\4.tmp.exe
O4 - HKLM\..\Run: [iefs32.exe] C:\WINDOWS\iefs32.exe

If anyone can tell me how to rid my system of this, I'll appreciate it.

#2
Trevuren

Posted 02 October 2005 - 09:46 AM

Old Dog

Retired Staff
18,699 posts

Hi benny244 and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.

1. If you haven't logged in go to Geeks to Go and do so. Then proceed to item a.

If you already have logged in, go directly to item a.

Click on My Controls at the top right hand corner of the window.
In the left hand column, click "View Topics"
If you click on the title of your post, you will be taken there

2. Also, while at the My Controls page, check the box to the right of your post and then scroll down.
.Where it says "unsubscribe" click the pull-down menu and select "immediate email notification"

3. Please DELETE your current HJT program from its present location.

4. Download and run the following HijackThis autoinstall program from Here . Please choose the default location of C:\Program Files\ as the destination. HJT needs to be in its own folder so that the program itself isn't deleted by accident. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!

Run HijackThis
Click SCAN and SAVE LOG. (a notepad window will open with the log in it when you click Save Log) (Ctrl-A to'select all', Ctrl-C to 'copy')
POST the log into this thread using 'Add Reply'. Make sure you post the whole log this time. You omitted most of the log in your first post. (Ctrl-V to 'paste')

DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS MOST OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER

Regards,

Trevuren

#3
benny244

Posted 02 October 2005 - 09:58 AM

Member

Topic Starter
Member
31 posts

Trevuren, thanks very much for your prompt reply. This time I believe I've followed your instructions to the letter, so here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 16:55:26, on 02/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ntzp32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\DOCUME~1\BENLAU~1\LOCALS~1\Temp\4.tmp.exe
C:\Program Files\I8kfanGUI\i8kfangui.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\iefs32.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kgzsq.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kgzsq.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kgzsq.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kgzsq.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kgzsq.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kgzsq.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kgzsq.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {1D2B4801-A011-DCC7-6473-EE9347CFFA75} - C:\WINDOWS\crgg.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Class - {D880E649-6073-8D01-04CC-3F321F6D56A5} - C:\WINDOWS\addyu32.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [RemHelp] remhelp.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msrm.exe] C:\WINDOWS\system32\msrm.exe
O4 - HKLM\..\Run: [4.tmp] C:\DOCUME~1\BENLAU~1\LOCALS~1\Temp\4.tmp.exe
O4 - HKLM\..\Run: [4.tmp.exe] C:\DOCUME~1\BENLAU~1\LOCALS~1\Temp\4.tmp.exe
O4 - HKLM\..\Run: [iefs32.exe] C:\WINDOWS\iefs32.exe
O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\i8kfangui.exe /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1102084829453
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\..\{8DA6D13C-513F-434C-B18B-BBCFC64F3666}: NameServer = 194.74.65.69 194.72.9.34
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ntzp32.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

#4
Trevuren

Posted 02 October 2005 - 10:14 AM

Old Dog

Retired Staff
18,699 posts

Your system is infected with a variant of the About:Blank infection.

First we must STOP, and Disable a bad Added Service
- Click Start>Run and type in: services.msc
- Click OK
- In the Services window find: Network Security Service
- Select/highlight and right click the entry, and choose: Properties
- On the General tab, under Service Status click the Stop button
- Beside: Startup Type, in the drop menu, select: Disabled
- Click Apply, then OK
Download CWShredder
Click check for updates. Do not use it yet.
Download Aboutbuster 5
Unzip the file to its own folder (C:\AB) Do not use it yet.
Download: HomeSearchfix. Unzip it to your desktop. Do not use it yet.
Download Killbox
Choose save as to your desktop. Unzip the file. Do not use it yet.

Take care: some files can be hidden, so first go to start > control panel > folder options > view (tab) > mark “show hidden files en extensions >OK

Please print out these directions for in safe mode you will have to be disconnected from the internet. You should entirely disconnect (UNPLUG) from the internet!!!
Reboot your system intosafe mode for all OS
Close all windows and open HijackThis.
- Click "scan only” in the main window
- Put a checkmark beside the following entries and click “FIX checked”.
  
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kgzsq.dll/sp.html#93256
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kgzsq.dll/sp.html#93256
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kgzsq.dll/sp.html#93256
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kgzsq.dll/sp.html#93256
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kgzsq.dll/sp.html#93256
  R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kgzsq.dll/sp.html#93256
  R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kgzsq.dll/sp.html#93256
  R3 - Default URLSearchHook is missing
  O2 - BHO: Class - {1D2B4801-A011-DCC7-6473-EE9347CFFA75} - C:\WINDOWS\crgg.dll
  O2 - BHO: Class - {D880E649-6073-8D01-04CC-3F321F6D56A5} - C:\WINDOWS\addyu32.dll
  O4 - HKLM\..\Run: [4.tmp] C:\DOCUME~1\BENLAU~1\LOCALS~1\Temp\4.tmp.exe
  O4 - HKLM\..\Run: [4.tmp.exe] C:\DOCUME~1\BENLAU~1\LOCALS~1\Temp\4.tmp.exe
  O4 - HKLM\..\Run: [iefs32.exe] C:\WINDOWS\iefs32.exe
  O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ntzp32.exe
Run CWShredder and choose FIX
Start AboutBuster and press START, and then OK. The program will start scanning.
Doubleclick HomeSearchfix.reg to merge the info to the registry. You will be prompted to accept the merge, answer YES.
Start Killbox
- Place a checkmark next to [x] Delete On Reboot.
- Highlight the following list and Copy it (Ctrl+C) to the windows clipboard.
  
  C:\WINDOWS\system32\ntzp32.exe
  C:\DOCUME~1\BENLAU~1\LOCALS~1\Temp\4.tmp.exe
  C:\WINDOWS\iefs32.exe
  C:\WINDOWS\kgzsq.dll
  C:\WINDOWS\crgg.dll
  C:\WINDOWS\addyu32.dll
- Back in Killbox, go > file > paste from clipboard,
- Click the red highlighted X button and click yes to the prompt when all the files have been pasted.
- Then click OK
- Exit Killbox and Reboot your PC.
After the reboot, Start AboutBuster AGAIN and scan AGAIN.
Clean temporary files:
- Go > start > run and type cleanmgr and OK
- Scan your system for files to remove.
- Make sure Temporary Files, Temporary Internet Files and Recycle Bin are the only things checked.
- Click OK to remove those files.
- Click Yes to confirm deletion.
Reboot your system into normal mode.
Download Ewido scan
- Check for updates.
- Let it do a full run.
- Copy the log. Past it to a blank Notepad file and save it to post here.
Finally, run HijackThis, click SCAN, produce a LOG and POST it and the EWIDOscan log in this thread for review.

Regards,

Trevuren

#5
benny244

Posted 02 October 2005 - 10:32 AM

Member

Topic Starter
Member
31 posts

Began working through this, but got as far as the Aboutbuster 5 link, and found that the link isn't working.

#6
benny244

Posted 02 October 2005 - 10:52 AM

Member

Topic Starter
Member
31 posts

Is there anywhere else I can get this AboutBuster thing?

#7
Trevuren

Posted 02 October 2005 - 11:15 AM

Old Dog

Retired Staff
18,699 posts

The site is down apparently.

I will attach my copy to this post

Regards,

Trevuren

#8
benny244

Posted 02 October 2005 - 04:10 PM

Member

Topic Starter
Member
31 posts

Trevuren, thanks very much for all this.

I've followed your instructions. Only just finished, so I'm not yet sure if it's worked. My desktop is still blue, but it no longer has the black box telling me my system is infected. However, it still won't let me change the desktop image.

Here are the logs. Ewido...

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 22:58:03, 02/10/2005
+ Report-Checksum: 7D636A26

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{33EBB320-A2D5-6FD7-6D31-BA458C872ABD} -> Spyware.CoolWebSearch : Cleaned with backup
C:\c.vbs -> TrojanDownloader.Small.f : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben laughlin@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben laughlin@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben laughlin@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben laughlin@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Ben Laughlin\Cookies\ben [email protected][2].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\WINDOWS\desktop.html -> Spyware.Hijacker.Generic : Cleaned with backup

::Report End

...and HijackThis...

Logfile of HijackThis v1.99.1
Scan saved at 22:59:24, on 02/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\I8kfanGUI\i8kfangui.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\WINDOWS\System32\svchost.exe
C:\program Files\internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [RemHelp] remhelp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\i8kfangui.exe /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1102084829453
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\..\{8DA6D13C-513F-434C-B18B-BBCFC64F3666}: NameServer = 194.74.65.69 194.72.9.34
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

#9
Trevuren

Posted 02 October 2005 - 04:34 PM

Old Dog

Retired Staff
18,699 posts

Are you from Amsterdam? I am checking on some of the settings in your log. If you are not, some of your communications are being redirected through there.

Trevuren

#10
benny244

Posted 02 October 2005 - 04:54 PM

Member

Topic Starter
Member
31 posts

No, I'm in the UK.

And now that I've had more time to assess it, I think my system is working just fine! Thanks very much for helping me. I'll be making a donation to your PayPal account.

Any idea how I can fix my desktop image, so I can change it back to what I want it to be?

#11
Trevuren

Posted 02 October 2005 - 04:58 PM

Old Dog

Retired Staff
18,699 posts

Just a little bit longer Benny, we need to get rid of the TCPIP redirect to Amsterdam. :tazz:

Make sure you are disconnected from the Internet and that all programs and windows are closed.

Run HiJackThis. Place a check next to the following items and click FIX CHECKED:

O17 - HKLM\System\CCS\Services\Tcpip\..\{8DA6D13C-513F-434C-B18B-BBCFC64F3666}: NameServer = 194.74.65.69 194.72.9.34

Close HiJackThis.

Now lets check some settings on your system.

Go to Start > Control Panel and double-click on Network Connections
Then right click on your Default Connection
- Usually Local Area Connection for Cable and DSL
Left click on Properties.
Click the Networking tab.
Double-Click on the Internet Protocol (TCP/IP) item.
Select the radio dial that says Obtain DNS Servers Automatically.
Press OK twice to get out of the properties screen and reboot if it asks.

Make sure to reboot and post back a new HiJackThis log into this topic.

Regards,

Trevuren

#12
benny244

Posted 03 October 2005 - 11:37 AM

Member

Topic Starter
Member
31 posts

Hi.

I began to do this, but when I ran HijackThis and looked for...

O17 - HKLM\System\CCS\Services\Tcpip\..\{8DA6D13C-513F-434C-B18B-BBCFC64F3666}: NameServer = 194.74.65.69 194.72.9.34

...I found that it wasn't listed.

What should I do now? Do you want me to proceed with checking those settings?

Cheers
BEN

#13
Trevuren

Posted 03 October 2005 - 02:06 PM

Old Dog

Retired Staff
18,699 posts

Please post a fresh HJT log.

Thanks,

Trevuren

#14
benny244

Posted 03 October 2005 - 03:20 PM

Member

Topic Starter
Member
31 posts

Thanks. Here it is...

Logfile of HijackThis v1.99.1
Scan saved at 22:17:47, on 03/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\I8kfanGUI\i8kfangui.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\program Files\internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [RemHelp] remhelp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\i8kfangui.exe /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1102084829453
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\..\{8DA6D13C-513F-434C-B18B-BBCFC64F3666}: NameServer = 194.74.65.69 194.72.9.34
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

[bleep], that O17 thing is there now! I swear it wasn't there earlier! Should I just go ahead and follow your previous instructions?!

Cheers
BEN