[wolfen]

Need help,trying to clean my box. Ran adaware,spybot,highjackthis,cwshreader.
Thats as far as my knowledge will take me. Thats why i need your help.
Logfile of HijackThis v1.98.2
Scan saved at 5:31:16 PM, on 1/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\System32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
E:\etrust\ISafe.exe
F:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
F:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
F:\WINDOWS\System32\svchost.exe
E:\etrust\VetMsg.exe
F:\Program Files\Common Files\WinTools\WToolsS.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Analog Devices\SoundMAX\SMTray.exe
F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
E:\etrust\CAVTray.exe
E:\etrust\CAVRID.exe
F:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
F:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - F:\WINDOWS\ZServ.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - F:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - F:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll
O4 - HKLM\..\Run: [Smapp] F:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [ATIPTA] F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CaAvTray] "E:\etrust\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "E:\etrust\CAVRID.exe"
O4 - HKLM\..\Run: [WinTools] F:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguar...ion/Install.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093185779154
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

Surf sidekick2 was on there ,but ,now its not showing up. Can you help.

[Advertisements]

Sorry i didn`t see,the read before posting log file. I will do that .Sorry again

[wolfen]

Sorry i didn`t see,the read before posting log file. I will do that .Sorry again

[-=jonnyrotten=-]

Go to control panel, add/remove programs and uninstall the following:

Wintools
Surf Sidekick

You may wish to print out a copy of these instructions to follow while you complete this procedure.
Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.
Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - F:\WINDOWS\ZServ.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - F:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - F:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll
O4 - HKLM\..\Run: [WinTools] F:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):

F:\WINDOWS\ZServ.dll
F:\PROGRA~1\COMMON~1\WinTools

Reboot normally download the latest version of Hijack This and post a new log.

Click Here download the latest version of Hijack This (1.99.0). It's better able to catch the latest threats.

-=jonnyrotten=-

[wolfen]

jonnyrotten,
Thanks man,i think that straightened out the problem.

[-=jonnyrotten=-]

Sweet, if you post another log we can double check it for ya.

-=jonnyrotten=-

[wolfen]

Here is the latest
Logfile of HijackThis v1.99.0
Scan saved at 2:32:50 PM, on 1/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\System32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
E:\etrust\ISafe.exe
F:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
F:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
F:\WINDOWS\System32\svchost.exe
E:\etrust\VetMsg.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Analog Devices\SoundMAX\SMTray.exe
F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
E:\etrust\CAVTray.exe
E:\etrust\CAVRID.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Outlook Express\msimn.exe
F:\Program Files\Messenger\msmsgs.exe
C:\Program Files\hijack this\HijackThis.exe199.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Smapp] F:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [ATIPTA] F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CaAvTray] "E:\etrust\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "E:\etrust\CAVRID.exe"
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguar...ion/Install.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093185779154
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: Ati HotKey Poller - Unknown - F:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - E:\etrust\ISafe.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - F:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - F:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VET Message Service - Computer Associates International, Inc. - E:\etrust\VetMsg.exe


Haven`t been getting any popups.What do you think. jonnyrotten???

[-=jonnyrotten=-]

Congratulations! Your system is CLEAN

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use) Click Here.

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.  Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.  Restrict the actions of potentially dangerous sites in Internet Explorer.  Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer, almost every exploit is crafted to take advantage of an IE weakness. We usually recommend FireFox .
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine .

It's okay to delete the Hijack This folder if everything is working okay.

After doing all these, your system will be thoroughly protected from future threats.

-=jonnyrotten=-