Am I clear? [RESOLVED]


  • This topic is locked

#1
nore

    New Member

  • Member
  • 6 posts
I have followed your instructions so far...

My hijackthis log...


Logfile of HijackThis v1.99.1
Scan saved at 11:24:03, on 25/10/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Nhksrv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ltmsg.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.iol.ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.racingpos.../news/splash.sd
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.eircom.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.iol.ie
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.eircom.net/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\Realdownload.exe
O4 - Global Startup: WorldAntiSpy.lnk = C:\Program Files\WorldAntiSpy\WorldAntiSpy.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save to &KBase... - file:C:\Program Files\netXtract\SaveToKBmenu.dll
O9 - Extra button: iOpus Internet Macros - {0483894E-2422-45E0-8384-021AFF1AF3CD} - C:\Program Files\InternetMacros3\imacros.dll (file missing)
O9 - Extra button: netXtract® - {1FB62888-D13A-11d3-AF5D-00C0DF647817} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.eircom.net
O16 - DPF: DigiChat Applet - http://www.irishhost..._IE_5_0_1_7.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1130188046620
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1130186971622
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{861AC6D6-EC38-42B2-9EE0-50558B24C7C8}: NameServer = 194.145.128.1 194.125.2.206
O20 - AppInit_DLLs: sysmain.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

ewido scan report...

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:46:22, 25/10/2005
+ Report-Checksum: C0342FBA

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Cleaned with backup
C:\Documents and Settings\GerD\Local Settings\Temp\132668_3368_1568_3408.16323.tmp -> Trojan.Krepper.ao : Cleaned with backup
C:\Documents and Settings\GerD\Local Settings\Temp\1442038_1380_2160_2712.25292.tmp -> Trojan.Krepper.ao : Cleaned with backup
C:\Documents and Settings\GerD\Local Settings\Temp\1507642_548_1560_1904.12146.tmp -> Trojan.Krepper.ao : Cleaned with backup
C:\Documents and Settings\GerD\Local Settings\Temp\1508596_3368_1568_3996.26298.tmp -> Trojan.Krepper.ao : Cleaned with backup
C:\Documents and Settings\GerD\Local Settings\Temp\196922_3539864_1552_3539864.28774.tmp -> Trojan.Krepper.ao : Cleaned with backup
C:\Documents and Settings\GerD\Local Settings\Temp\197538_2872_1548_3512.23504.tmp -> Trojan.Krepper.ao : Cleaned with backup
C:\Documents and Settings\GerD\Local Settings\Temp\21561882_2808_2160_3008.9411.tmp -> Trojan.Krepper.ao : Cleaned with backup
C:\Documents and Settings\GerD\Local Settings\Temp\262416_1256_1556_1892.9787.tmp -> Trojan.Krepper.ao : Cleaned with backup
C:\Documents and Settings\GerD\Local Settings\Temp\262762_1832_2160_2216.11196.tmp -> Trojan.Krepper.ao : Cleaned with backup
C:\Documents and Settings\GerD\Local Settings\Temp\327930_1242300_1556_2144.19200.tmp -> Trojan.Krepper.ao : Cleaned with backup
C:\Documents and Settings\GerD\Local Settings\Temp\3474714_2872_1548_3524.263.tmp -> Trojan.Krepper.ao : Cleaned with backup
C:\Documents and Settings\GerD\Local Settings\Temp\460040_548_1560_2200.4939.tmp -> Trojan.Krepper.ao : Cleaned with backup
C:\Documents and Settings\GerD\Local Settings\Temp\5177610_3304_1568_2796.23977.tmp -> Trojan.Krepper.ao : Cleaned with backup
C:\Documents and Settings\GerD\Local Settings\Temp\66170_1256_1556_1884.20823.tmp -> Trojan.Krepper.ao : Cleaned with backup
C:\Documents and Settings\GerD\Local Settings\Temp\66952_548_1560_2212.25411.tmp -> Trojan.Krepper.ao : Cleaned with backup
C:\Documents and Settings\GerD\Local Settings\Temp\787452_3368_1568_3332.16061.tmp -> Trojan.Krepper.ao : Cleaned with backup
C:\Documents and Settings\GerD\Local Settings\Temp\918028_2808_2160_3644.873.tmp -> Trojan.Krepper.ao : Cleaned with backup
C:\Documents and Settings\GerD\Local Settings\Temp\diaB.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\Documents and Settings\GerD\Local Settings\Temporary Internet Files\Content.IE5\6DPAJMTK\itshta[1].exe -> Trojan.Small.cr : Cleaned with backup
C:\Documents and Settings\GerD\Local Settings\Temporary Internet Files\Content.IE5\O16J4XU7\mm[2].js -> Spyware.Chitika : Cleaned with backup
C:\Documents and Settings\GerD\Local Settings\Temporary Internet Files\Content.IE5\X8X5RRJG\gdnIE1862[1].exe -> TrojanDownloader.Small.ayl : Cleaned with backup
C:\eied_s7.cab/eied_s7_c_153.exe -> TrojanDownloader.Mediket.ab : Cleaned with backup
C:\RECYCLER\S-1-5-21-1194005503-2552189465-2221179514-1006\Dc17.exe -> Trojan.Small.cr : Cleaned with backup
C:\RECYCLER\S-1-5-21-1194005503-2552189465-2221179514-1006\Dc3.exe -> Trojan.Small.cr : Cleaned with backup
C:\RECYCLER\S-1-5-21-1194005503-2552189465-2221179514-1006\Dc4.exe -> Trojan.Small.cr : Cleaned with backup


::Report End

#2
miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP
Hello,

Any reason why your Windows isn't up to date? You don't even have Service Pack 1 installed!
Remember that your system is extremely vulnerable without the necessary security patches/updates, so malware can get installed automatically while surfing without any problems.
Please visit http://windowsupdate.microsoft.com and update to Service Pack 1.
When your system is clean afterwards, then update to SP2, because updating to SP2 CAN cause problems as long as you are infected.

The current formatting of your log makes it difficult to read, so in Notepad:
At the top, click Format > uncheck Word Wrap

Download swap.zip from the following location:
http://forums.skads....hp?showtopic=81

(you'll find swap.zip as an attachment there)

Unzip the folder, but make sure all those files are still present in the same folder, swap!!

Double-click swap.bat.
Don't worry, your computer will reboot by itself, so let it finish the job.

When rebooted...

Download Ad-Aware SE Personal version 1.06 from one of these locations:

http://www.download....4-10045910.html
http://www.majorgeek...ownload506.html

Install by double-clicking on the downloaded file.
If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version. Be sure to uninstall the previous version.

1. Launch Ad-Aware SE and run the WebUpdate feature. (Click on the Globe icon > Click connect > Click OK > Click Finish.)
2. Set up the Configurations as follows:
-- Click the Gear wheel at the top of the Ad-Aware window
-- Click General > Safety & Settings: Check (Green) all three.
-- Click Tweak > Cleaning Engine > UNcheck "Always try to unload modules before deletion".
3. Click "Proceed"
4. Click "Scan Now"
5. Deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
6. Select "Search for low-risk threats"
7. Run the scanner using the Full Scan (Perform full system scan) mode.
8. When the scan has completed, select Next.
9. In the Scanning Results window, select the "Scan Summary" tab.
10. Check the box next to each "target family" you wish to remove.
11. Click next > Click OK.
12. Reboot your computer and post a new HijackThis log.

#3
nore

    New Member

  • Topic Starter
  • Member
  • 6 posts
Hi miek',

Thanks for your reply...

I have followed the links re Windows updates and they don't seem to think I need any updates!

Any more specific location for this service pack I need to download?

Thanks

#4
miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP
Hello,

Oh yes, you need the updates; you don't even have SP1 installed.

Can you perform the following, please?

Please go HERE (Microsoft website) using Internet Explorer (not Firefox or any other browser as they won't work)

* Click on Windows Validation Assistant
* Click on the Validate Now button.
* Be patient while the ActiveX loads, do not click on any links.
* Read the instructions on this page while it's loading. You will be prompted to install - click YES.
* Enter your product key, then click Continue.
* When it says "Validation Complete", please click Continue to return to your previous activity.
* Copy what it says and paste it here.

#5
nore

    New Member

  • Topic Starter
  • Member
  • 6 posts
Thank you for running the Windows Validation Assistant. It appears that your Windows Product Key is valid.

This is a strong indicator that your operating system is genuine, however the Windows Validation Assistant cannot make a final determination.


To verify that you received a genuine Certificate of Authenticity and software CD, compare your anti-piracy features in the next section.


Compare Your Anti-Piracy Features
Select the method by which you acquired Windows and compare the anti-piracy features included with your product with the anti-piracy features included with genuine Microsoft software.

#6
miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP
Ok, we'll take a look at that afterwards.
Have you already performed my other steps?

The current formatting of your log makes it difficult to read, so in Notepad:
At the top, click Format > uncheck Word Wrap

Download swap.zip from the following location:
http://forums.skads....hp?showtopic=81

(you'll find swap.zip as an attachment there)

Unzip the folder, but make sure all those files are still present in the same folder, swap!!

Double-click swap.bat.
Don't worry, your computer will reboot by itself, so let it finish the job.

When rebooted...

Download Ad-Aware SE Personal version 1.06 from one of these locations:

http://www.download....4-10045910.html
http://www.majorgeek...ownload506.html

Install by double-clicking on the downloaded file.
If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version. Be sure to uninstall the previous version.

1. Launch Ad-Aware SE and run the WebUpdate feature. (Click on the Globe icon > Click connect > Click OK > Click Finish.)
2. Set up the Configurations as follows:
-- Click the Gear wheel at the top of the Ad-Aware window
-- Click General > Safety & Settings: Check (Green) all three.
-- Click Tweak > Cleaning Engine > UNcheck "Always try to unload modules before deletion".
3. Click "Proceed"
4. Click "Scan Now"
5. Deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
6. Select "Search for low-risk threats"
7. Run the scanner using the Full Scan (Perform full system scan) mode.
8. When the scan has completed, select Next.
9. In the Scanning Results window, select the "Scan Summary" tab.
10. Check the box next to each "target family" you wish to remove.
11. Click next > Click OK.
12. Reboot your computer and post a new HijackThis log.



#7
nore

    New Member

  • Topic Starter
  • Member
  • 6 posts
Hello there...

Logfile of HijackThis v1.99.1
Scan saved at 14:33:31, on 26/10/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Nhksrv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ltmsg.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.iol.ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.racingpos.../news/splash.sd
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.eircom.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.iol.ie
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.eircom.net/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\Realdownload.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save to &KBase... - file:C:\Program Files\netXtract\SaveToKBmenu.dll
O9 - Extra button: iOpus Internet Macros - {0483894E-2422-45E0-8384-021AFF1AF3CD} - C:\Program Files\InternetMacros3\imacros.dll (file missing)
O9 - Extra button: netXtract® - {1FB62888-D13A-11d3-AF5D-00C0DF647817} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.eircom.net
O16 - DPF: DigiChat Applet - http://www.irishhost..._IE_5_0_1_7.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1130188046620
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1130186971622
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{861AC6D6-EC38-42B2-9EE0-50558B24C7C8}: NameServer = 194.145.128.1 194.125.2.206
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
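The helper's read of the two logs above can be mechanised. The following is an added example, not code from the thread or from HijackThis: it parses excerpts of the logs in replies #1 and #7, lists which entries disappeared or appeared between them, and applies two constructed triage rules (O20 AppInit_DLLs entries and "(file missing)" references); the function names and rules are mine.

```python
"""Compare two HijackThis logs and flag entries a helper looks at first.

Added example, not part of the original thread. The two samples are excerpts
of the logs posted in replies #1 and #7 above; the triage rules are a small
constructed set, not HijackThis's own logic.
"""
import re

# Excerpt of the first log (reply #1), before swap.bat and Ad-Aware were run.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - Global Startup: WorldAntiSpy.lnk = C:\Program Files\WorldAntiSpy\WorldAntiSpy.exe
O9 - Extra button: iOpus Internet Macros - {0483894E-2422-45E0-8384-021AFF1AF3CD} - C:\Program Files\InternetMacros3\imacros.dll (file missing)
O9 - Extra button: netXtract® - {1FB62888-D13A-11d3-AF5D-00C0DF647817} - C:\WINDOWS\System32\shdocvw.dll
O20 - AppInit_DLLs: sysmain.dll
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
"""

# Excerpt of the second log (reply #7), taken after the cleanup steps.
LOG_AFTER = r"""
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O9 - Extra button: iOpus Internet Macros - {0483894E-2422-45E0-8384-021AFF1AF3CD} - C:\Program Files\InternetMacros3\imacros.dll (file missing)
O9 - Extra button: netXtract® - {1FB62888-D13A-11d3-AF5D-00C0DF647817} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
"""

# A HijackThis entry reads "<section> - <detail>", e.g. "O20 - AppInit_DLLs: sysmain.dll".
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")


def parse_log(text):
    """Return {section: [detail, ...]} for every entry line in a log."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.setdefault(m.group(1), []).append(m.group(2))
    return entries


def diff_logs(before, after):
    """Return (removed, added): full entry lines present in only one log."""
    def lines(text):
        return {f"{s} - {d}" for s, ds in parse_log(text).items() for d in ds}
    old, new = lines(before), lines(after)
    return sorted(old - new), sorted(new - old)


def review(text):
    """Return [(tag, entry), ...] for entries worth a closer look.

    Constructed rules: an O20 AppInit_DLLs entry is loaded into every process
    that uses user32.dll, so an unexplained DLL there is the first thing to
    check; an entry marked '(file missing)' points at a file that is gone and
    can simply be removed.
    """
    findings = []
    for section, details in parse_log(text).items():
        for d in details:
            if section == "O20" and d.startswith("AppInit_DLLs:"):
                findings.append(("suspect", f"{section} - {d}"))
            elif "(file missing)" in d:
                findings.append(("dead-reference", f"{section} - {d}"))
    return findings


if __name__ == "__main__":
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("Gone since first log:", *removed, sep="\n  ")
    print("New since first log:", *added, sep="\n  ")
    for tag, entry in review(LOG_AFTER):
        print(f"[{tag}] {entry}")
```

Run on the excerpts, the diff shows the O20 sysmain.dll entry and the WorldAntiSpy startup item gone after the cleanup steps and the WGA validation control added, while the iOpus "(file missing)" button is still there to be fixed.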

#8
miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP
Hello,

You forgot this part:

The current formatting of your log makes it difficult to read, so in Notepad:
At the top, click Format > uncheck Word Wrap


* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O9 - Extra button: netXtract® - {1FB62888-D13A-11d3-AF5D-00C0DF647817} - C:\WINDOWS\System32\shdocvw.dll

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Regarding your Windows Update, let's see if there are any policies set that could cause this.

Open Notepad and copy and paste the following into it:

regedit /e peek1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
regedit /e peek2.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
regedit /e peek3.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update"
type peek1.txt >> look.txt
type peek2.txt >> look.txt
type peek3.txt >> look.txt
del peek*.txt
start notepad look.txt


Save this as look.bat, choose to save as All Files, and place it on your desktop.
This is how the batch must look afterwards: [screenshot not reproduced]
Double-click look.bat and Notepad will open with some text in it. Copy and paste the content in your next reply.

#9
nore

    New Member

  • Topic Starter
  • Member
  • 6 posts
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
"AUOptions"=dword:00000002
"DetectionStartTime"="2005.10.24 16:56:21"
"NextDetectionTime"="2005-10-26 16:12:16"
"UnableToDetectTime"="2005-10-25 08:24:34"
"BalloonTime"="2005-10-26 11:06:50"
"BalloonType"=dword:00000004

#10
miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP
Those are OK and I see no extra policies set that could restrict you from updating.

I think you did something wrong to retrieve the updates though, so please read this tutorial on how to update Windows:

http://www.lancs.ac....dows/update.htm
and here with even more pictures:
http://www.colby-saw...dowsupdate.html

How are things running now? Problems solved with win-eto?
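The look.bat check in reply #8 and the reading of its output in replies #9 and #10 (AUOptions=2, no policy keys exported) can be done by a script as well. This is an added example, not the thread's own code: it parses the regedit /e export format, reports what AUOptions means, and flags the two documented policy values that block updating; the second sample export is constructed to show the restricted case, and the function names and verdict rules are mine.

```python
"""Parse a regedit /e export and check the Windows Update settings in it.

Added example, not part of the original thread. LOOK_TXT_CLEAN excerpts the
look.txt posted in reply #9; LOOK_TXT_RESTRICTED is a constructed export with
restrictive policy values. Value names and meanings are the documented Windows
ones; the verdict rules and function names are mine. A real look.txt is UTF-16.
"""
import re

# Posted output (reply #9), shortened: only the Auto Update key, AUOptions=2.
LOOK_TXT_CLEAN = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
"AUOptions"=dword:00000002
"DetectionStartTime"="2005.10.24 16:56:21"
"BalloonType"=dword:00000004
"""

# Constructed export of a machine whose policies block updating.
LOOK_TXT_RESTRICTED = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DisableWindowsUpdateAccess"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
"AUOptions"=dword:00000001
"""

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
AUTO_UPDATE_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                   r"\WindowsUpdate\Auto Update")
AU_OPTIONS = {1: "Automatic Updates turned off", 2: "notify before download",
              3: "download automatically, notify before install",
              4: "download automatically and install on a schedule"}
KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
STRING_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Return {key_path: {value_name: value}}; dword and string values only."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = result.setdefault(key.group(1), {})
            continue
        if current is None:  # header line or text before the first [key]
            continue
        m = DWORD_RE.match(line)
        if m:
            current[m.group(1)] = int(m.group(2), 16)
            continue
        m = STRING_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    return result


def assess_windows_update(text):
    """Return (restricted, notes); restricted is True when a policy blocks updates."""
    reg = parse_reg_export(text)
    notes = []
    if reg.get(POLICY_KEY, {}).get("DisableWindowsUpdateAccess") == 1:
        notes.append("policy: DisableWindowsUpdateAccess=1 blocks Windows Update")
    if reg.get(POLICY_KEY + r"\AU", {}).get("NoAutoUpdate") == 1:
        notes.append("policy: NoAutoUpdate=1 turns Automatic Updates off")
    opt = reg.get(AUTO_UPDATE_KEY, {}).get("AUOptions")
    if opt is not None:
        notes.append(f"AUOptions={opt}: {AU_OPTIONS.get(opt, 'unknown value')}")
    if POLICY_KEY not in reg:
        notes.append("no WindowsUpdate policy key exported: nothing restricts updating")
    return any(n.startswith("policy:") for n in notes), notes
```

On the posted output the check reports AUOptions=2 (notify before download) and no policy key, which is the conclusion reply #10 draws; on the constructed export it names the two blocking policy values.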

#11
nore

    New Member

  • Topic Starter
  • Member
  • 6 posts
Hiya,

win-eto.com has not been insisting for a few days now...

Thanks for your help, you are very good

Edited by nore, 26 October 2005 - 10:59 AM.


#12
miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP
Good, and glad I could help you.

To keep this clean in the future, I would suggest the following things:

Install SpywareBlaster
SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

Avoid illegal sites, because that's where most malware is present.

Let your anti-spyware scanner(s) scan frequently, and don't forget to update them beforehand.

And I do suggest you perform an online virus scan once in a while (Housecall and/or Bitdefender), because what one virus scanner can't find, another one maybe can.
Also make sure that your virus scanner, the one that is installed on your system, is always up to date!

Make sure your Windows has the latest updates: http://windowsupdate.microsoft.com/

If you have XP SP2, read here how to configure Security Features for Internet Explorer:
http://www.microsoft...xp/iesecxp.mspx

More info on how to prevent malware can also be found here (by Tony Klein)

Happy surfing again! :)

#13
miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.