I am not sure what this Malware is [RESOLVED]



#1 finito (Member, 15 posts)

Basically I get 2 different pop-ups: 1 is from IE, the other is windowless, as if a Flash advert. Anyway, here is the Hijack log.

Logfile of HijackThis v1.99.1
Scan saved at 12:47:19 PM, on 10/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Ares Lite Edition\AresLite.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\ActiveState Perl Dev Kit 6.0\bin\pdkdebug.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\cidaemon.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [sp2update] c:\windows\sp2update00.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2004\\Parser.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\s6rslg9716.dll
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\Finito\Desktop\cwshredder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PDK Debug Listener (pdkdebug) - ActiveState - C:\Program Files\ActiveState Perl Dev Kit 6.0\bin\pdkdebug.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


#2 miekiemoes (Malware Expert, MVP, 5,503 posts)

Hi,

I see you are running TeaTimer.
I suggest you disable it, because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer during HijackThis Cleanup
Then download ResetTeaTimer.bat.
Double-click ResetTeaTimer.bat to remove all entries set by TeaTimer.

Then...

Please download WebRoot SpySweeper from HERE (it's a 2-week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it.
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply, together with a new HijackThis log.


#3 finito (Topic Starter, Member, 15 posts)

WOW, very fast reply. Um, what am I infected by? (Doesn't matter as long as I get rid of it.) Here you go:

(Spy Sweeper said it couldn't clean something and had to restart to clean; this happened twice, but the second time I pressed restart before I could save the log, so I scanned again and it didn't find anything. It also asked me to send a report twice about something trying to "possibly" download spyware; I pressed send report on both, but they failed.)

********
3:39 PM: | Start of Session, Friday, October 21, 2005 |
3:39 PM: Spy Sweeper started
3:39 PM: Sweep initiated using definitions version 559
3:39 PM: Starting Memory Sweep
3:40 PM: Found Adware: icannnews
3:40 PM: Detected running threat: C:\WINDOWS\system32\lvl4093qe.dll (ID = 83)
3:41 PM: Memory Sweep Complete, Elapsed Time: 00:01:07
3:41 PM: Starting Registry Sweep
3:41 PM: Found Adware: sp2ms
3:41 PM: HKLM\software\microsoft\windows\currentversion\run\ || sp2update (ID = 787992)
3:41 PM: Found Adware: cws-aboutblank
3:41 PM: HKU\S-1-5-21-484763869-1004336348-725345543-1003\software\microsoft\internet explorer\main\ || start page (ID = 911091)
3:41 PM: Registry Sweep Complete, Elapsed Time:00:00:04
3:41 PM: Starting Cookie Sweep
3:41 PM: Found Spy Cookie: 64.62.232 cookie
3:41 PM: finito@64.62.232[2].txt (ID = 1987)
3:41 PM: finito@64.62.232[3].txt (ID = 1987)
3:41 PM: Found Spy Cookie: go.com cookie
3:41 PM: finito@abc.go[2].txt (ID = 2729)
3:41 PM: Found Spy Cookie: hbmediapro cookie
3:41 PM: finito@adopt.hbmediapro[2].txt (ID = 2768)
3:41 PM: finito@go[2].txt (ID = 2728)
3:41 PM: Found Spy Cookie: metareward.com cookie
3:41 PM: finito@metareward[2].txt (ID = 2990)
3:41 PM: Found Spy Cookie: nextag cookie
3:41 PM: finito@nextag[1].txt (ID = 5014)
3:41 PM: finito@rsi.abc.go[1].txt (ID = 2729)
3:41 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
3:41 PM: Starting File Sweep
3:41 PM: Found Adware: ist yoursitebar
3:41 PM: ysbinstall_1003585[1].exe.tcf (ID = 166206)
3:41 PM: ysbinstall_1003585.exe.tcf (ID = 166206)
3:41 PM: Found Adware: ist istbar
3:41 PM: istbar_mainstream[1].dll (ID = 158576)
3:42 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:42 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:42 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:42 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:42 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:42 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:43 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:43 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:44 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:44 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:44 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:44 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:45 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:45 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:45 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:45 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:46 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:46 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:47 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:47 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:48 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:48 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:48 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:48 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:49 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:49 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:49 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:49 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:50 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:50 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:50 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:50 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:50 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:50 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:50 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:50 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:51 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:51 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:51 PM: File Sweep Complete, Elapsed Time: 00:10:30
3:51 PM: Full Sweep has completed. Elapsed time 00:11:45
3:51 PM: Traces Found: 14
3:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:51 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:51 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:52 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:52 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:52 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:52 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:52 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:52 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:52 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:52 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:54 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:54 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:54 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:54 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:54 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:54 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:54 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:54 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:54 PM: Removal process initiated
3:54 PM: Quarantining All Traces: cws-aboutblank
3:54 PM: Quarantining All Traces: icannnews
3:54 PM: icannnews is in use. It will be removed on reboot.
3:54 PM: C:\WINDOWS\system32\lvl4093qe.dll is in use. It will be removed on reboot.
3:54 PM: Quarantining All Traces: ist istbar
3:54 PM: Quarantining All Traces: ist yoursitebar
3:54 PM: Quarantining All Traces: sp2ms
3:54 PM: Quarantining All Traces: 64.62.232 cookie
3:54 PM: Quarantining All Traces: go.com cookie
3:54 PM: Quarantining All Traces: hbmediapro cookie
3:54 PM: Quarantining All Traces: metareward.com cookie
3:54 PM: Quarantining All Traces: nextag cookie
3:54 PM: Removal process completed. Elapsed time 00:00:26
********
3:13 PM: | Start of Session, Friday, October 21, 2005 |
3:13 PM: Spy Sweeper started
3:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:15 PM: Your spyware definitions have been updated.
3:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:15 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:15 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:15 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:15 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:17 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:17 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:19 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:19 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:19 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:19 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:20 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:20 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:21 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:21 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:21 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:21 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:21 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:21 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:21 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:21 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:21 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:21 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:22 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:22 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:22 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:22 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:22 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:22 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:22 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:22 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:23 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:23 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:23 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:23 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:24 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:24 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:24 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:24 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:24 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:24 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:24 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:24 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:25 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:25 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:25 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:25 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:26 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:26 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:26 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:26 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:27 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:27 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:27 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:27 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:27 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:27 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:27 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:27 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:29 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:29 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:29 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:29 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:29 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:29 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:29 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:29 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:30 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:30 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:30 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:30 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:30 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:30 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:30 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:30 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:31 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:31 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:31 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:31 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:31 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:31 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:32 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:32 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:32 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:32 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:33 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:33 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:33 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:33 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:33 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:33 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:33 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:33 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:33 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:33 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:33 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:33 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:33 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:33 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:33 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:33 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
3:33 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
3:33 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
**************************************************************************

Logfile of HijackThis v1.99.1
Scan saved at 4:32:08 PM, on 10/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Ares Lite Edition\AresLite.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\ActiveState Perl Dev Kit 6.0\bin\pdkdebug.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2004\\Parser.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PDK Debug Listener (pdkdebug) - ActiveState - C:\Program Files\ActiveState Perl Dev Kit 6.0\bin\pdkdebug.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe



I think it worked, no more popups and the process list is smaller :tazz: but if you see something that may prove to be a problem please tell me.

#4 miekiemoes (Malware Expert, MVP, 5,503 posts)
Hello,

Yes, it seems like we got it. :tazz:
Please run Spysweeper once again, because there must still be one file present in your System32 folder which must get deleted. So Spysweeper will take care of that one also now. :)

The infection you were dealing with was Look2me, a nasty infection which caused those popups and is actually hard to remove.

I also want you to perform the following:

Please download NTrights.zip by freeatlast which contains a copy of NTrights and a .bat file to reset the DebugPrivilege.
Double click on the .bat file to run it, follow any prompts it asks. It will produce a log.txt.
Save this log.

I also see you probably have some items disabled via Msconfig > Startup.
It could be possible that some bad entries are still present there. Bad entries need to go, not be disabled. So I want you to perform the following as well:

Open Notepad and copy and paste the next bold text into it:

regedit /e startup.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"
start notepad startup.txt


Save this as look.bat, choose to save as *all files, and place it on your desktop.
This is how the batch must look after you created it: [image]
Double-click on look.bat and post the contents of it in your next reply together with the log.txt you saved earlier from NTrights.

Edited by miekiemoes, 21 October 2005 - 06:54 AM.


#5 finito (Member, Topic Starter, 15 posts)
Spysweeper found nothing.

This is from NTrights:

Granting SeDebugPrivilege to Administrators ... successful

Fri Oct 21 20:55:40 2005 -- done

BTW, something is wrong with the link, I had to Google it; the link gave me a corrupted copy.

No, I made sure I enabled everything in MSConfig as instructed by the sticky "You Must Read This Before Posting A Hijackthis Log, Required steps before posting your log". I just checked it though, it's a bit messed up: there are blanks for names now, which wasn't like that before.

From look.bat:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

P.S. No more popups

#6 miekiemoes (Malware Expert, MVP, 5,503 posts)
Hello,

I think we fixed it. :tazz:

About the msconfig... this is odd. I mean, when I compare your first and your second HijackThis log, I see some entries (O4 lines) missing in the second log which are legit. I saw the Msconfig, so you must have disabled them there. Unless you fixed those entries in HijackThis.
According to the export of the startupreg-key (which is the key that contains the programs that are disabled via msconfig), it is empty, so everything must be enabled.
So I assume you enabled everything again?

Can you post a final HijackThis log as a last checkup?
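The reasoning in the two expert posts above (compare the O4 autostart lines of two HijackThis logs, then check whether the MSConfig startupreg key explains anything that went missing) can be automated. The following is an added example written for this page, not code from the thread, from HijackThis or from MSConfig. The log excerpts and the .reg texts are constructed from entries visible in this thread; the value names under each startupreg subkey (hkey, key, item, command) follow the layout MSConfig on Windows XP writes for items disabled on its Startup tab, which is assumed here rather than taken from the thread.

```python
"""Diff the O4 (autostart) entries of two HijackThis logs and read the MSConfig
'startupreg' export produced by look.bat.

Added example, not code from the thread or from HijackThis/MSConfig. Sample
logs and .reg texts are constructed; the startupreg value layout is assumed.
"""
import re

# Constructed: O4 lines from a log taken while all startup items were enabled.
LOG_FULL = r"""
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
"""

# Constructed: the later log in which several legitimate O4 lines were missing.
LOG_REDUCED = r"""
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"""

# Constructed: the empty export the user posted (key header only, no subkeys).
REG_EMPTY = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
"""

# Constructed: how the export would look with one item disabled in MSConfig (assumed layout).
REG_ONE_DISABLED = REG_EMPTY + r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SunJavaUpdateSched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\j2re1.4.2_04\\bin\\jusched.exe"
"""

STARTUPREG = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?P<rest>.*)$")
ITEM_RE = re.compile(r"^\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SECTION_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_o4(log_text):
    """Map (location, item name) -> command for every O4 line of a HijackThis log."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        where, rest = m.group("where"), m.group("rest")
        item = ITEM_RE.match(rest)
        if item:                      # Run-key entry: [ValueName] command line
            entries[(where, item.group("name"))] = item.group("cmd")
        elif " = " in rest:           # Startup-folder entry: shortcut.lnk = target
            name, cmd = rest.split(" = ", 1)
            entries[(where, name)] = cmd
        else:                         # anything else: keep the raw text as the name
            entries[(where, rest)] = ""
    return entries


def diff_o4(earlier, later):
    """Keys present only in the earlier log, and keys present only in the later one."""
    gone = sorted(k for k in earlier if k not in later)
    new = sorted(k for k in later if k not in earlier)
    return gone, new


def parse_startupreg_export(reg_text, root=STARTUPREG):
    """One dict per subkey of startupreg, i.e. per item disabled via MSConfig.
    An export holding only the startupreg key itself yields [] (nothing disabled)."""
    prefix = (root + "\\").lower()
    disabled, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            path = sec.group("path")
            current = {"subkey": path[len(prefix):]} if path.lower().startswith(prefix) else None
            if current:
                disabled.append(current)
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            # .reg string data escapes backslashes and quotes with a backslash
            current[val.group("name")] = re.sub(r"\\(.)", r"\1", val.group("data"))
    return disabled


def explain_missing(earlier, later, disabled):
    """For each autostart missing from the later log, say whether startupreg accounts for it."""
    names = {d["subkey"].lower() for d in disabled}
    gone, _ = diff_o4(earlier, later)
    return {name: ("disabled via msconfig" if name.lower() in names
                   else "not in startupreg: fixed or removed elsewhere")
            for _, name in gone}
```

Calling `explain_missing(parse_o4(LOG_FULL), parse_o4(LOG_REDUCED), parse_startupreg_export(REG_EMPTY))` reports every missing autostart as "not in startupreg", which is exactly the contradiction the expert noticed: entries vanished from the log, yet MSConfig had nothing disabled, so they must have been re-enabled or fixed in HijackThis. Swapping in `REG_ONE_DISABLED` shows the other outcome for SunJavaUpdateSched.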

#7 finito (Member, Topic Starter, 15 posts)
Logfile of HijackThis v1.99.1
Scan saved at 11:02:36 PM, on 10/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Ares Lite Edition\AresLite.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\ActiveState Perl Dev Kit 6.0\bin\pdkdebug.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2004\\Parser.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PDK Debug Listener (pdkdebug) - ActiveState - C:\Program Files\ActiveState Perl Dev Kit 6.0\bin\pdkdebug.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Here you go, and thanks, you are gr8!!!!11

#8 miekiemoes (Malware Expert, MVP, 5,503 posts)
Looks good. I see that the startup items are indeed enabled again, that explains the empty startupreg key. :tazz:

You may check and fix this entry in your log:

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

Just a leftover of a previous BSOD you got.

How are things running now?

To keep this clean in the future, I would suggest the following things:

Install SpywareBlaster
SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

Avoid illegal sites, because that's where most malware is present.

Let your antispyware scanner(s) scan frequently and don't forget to update them beforehand.

And I do suggest you perform an online virus scan once in a while (Housecall and/or Bitdefender), because what one virus scanner can't find another one maybe can.
Also make sure that your virus scanner, the one that is installed on your system, is always up to date!

Make sure your windows has the latest updates: http://windowsupdate.microsoft.com/

If you have XP SP2, read here how to configure Security Features for Internet Explorer:
http://www.microsoft...xp/iesecxp.mspx

More info on how to prevent malware can also be found here (by Tony Klein).

Happy surfing again! :)

#9 finito (Member, Topic Starter, 15 posts)
Thanks for your help, you were very fast with the responses. If anyone was slow it was me :).
Thank you once again, I will follow your steps to keep my PC clean.

:tazz:

#10 miekiemoes (Malware Expert, MVP, 5,503 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.