Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Annoying Popups HELP!

Started by feNetic , Nov 09 2005 11:32 PM

  • This topic is locked This topic is locked

#1
feNetic
Posted 09 November 2005 - 11:32 PM

feNetic

    New Member

  • Member
  • Pip
  • 6 posts
hey guys im new here. lately i been getting alot of popups and i was wondering if anyone could check my HJT log please. thanks in advance.


Logfile of HijackThis v1.99.1
Scan saved at 4:30:48 PM, on 11/10/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\lsass.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sccvhost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\nvraidservice.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Feng\Desktop\Anti-Spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\System32\awvtu.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\System32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Windows Update] sccvhost.exe
O4 - HKLM\..\RunServices: [Quick Time Video Codec] qtime32.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update] sccvhost.exe
O4 - HKLM\..\RunOnce: [Microsoft Windows Update] sccvhost.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Windows Update] sccvhost.exe
O4 - HKCU\..\RunOnce: [Microsoft Windows Update] sccvhost.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {0D62A517-E7C6-4E1F-A577-07D4AC549A48} (Progetto1.int_ver32) - http://advnt01.com/d.../int_ver32b.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {3A2B370C-BA0A-11D1-B137-0000F8753F5D} (Microsoft Chart Control 6.0 (SP4) (OLEDB)) - http://www.fangdi.com.cn/mschart.cab
O16 - DPF: {3D4843A9-3D1C-4F34-B3A2-FEA9AA7F42D6} (WebInsDV Control) - http://download.drvi...5_2/DrVirus.cab
O16 - DPF: {42B1C70D-9823-41F7-810A-682DA294D868} - ms-its:mhtml:file://c:\nosuxxx.mht!http://sxload.com/da...chm::/sload.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone.../ICSScanner.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} (SbInstObj) - http://installs.spam...ckerutility.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {BD0F9A7F-695B-4AF4-90E9-08C5DD12FA35} (AtlCtrl Class) - http://www.yesicon.com/start001.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab31267.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: awtsp - awtsp.dll (file missing)
O20 - Winlogon Notify: awvtu - C:\WINDOWS\System32\awvtu.dll
O20 - Winlogon Notify: style2 - C:\WINDOWS\
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • 0

Advertisements

#2
feNetic
Posted 09 November 2005 - 11:40 PM

feNetic

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
noone can help me?? i've tried usnig ad-aware and search & destroy but they did not fix the problem.. can someone PLEASE help me.
  • 0

#3
g2i2r4
Posted 10 November 2005 - 07:35 AM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Welcome feNetic

You have a few very nice infections in there. Let's see what we can do in one go.

Do the advise exactly as posted. I will post my advises in different posts to be more clear.

***

Download win32delfkil.exe.
Save it on your desktop.
Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil.
Close all windows, open the win32delfkil folder and double click on fix.bat.
The computer will reboot automatically.

Post the contents of the logfile c\windelf.txt.
  • 0

#4
g2i2r4
Posted 10 November 2005 - 07:49 AM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Round 2:

Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:

Local Security Authority Subsystem Service

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

***

Download the Killbox version 2.0.0.473 .
Unzip it to the desktop

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each

C:\WINDOWS\lsass.exe
C:\WINDOWS\System32\sccvhost.exe

For these files, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.
Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

***

Please print these instructions out for use in Safe Mode.
Please note: your Antivirus program may prompt you to a malicious script trying to run. Allow the entire script once.

Please download VundoFix.exe by Atribune© to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\System32\awvtu.dll
  • Press Enter to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):C:\WINDOWS\System32\utvwa.*
  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED
    some entries may already be gone, due to our previously taken steps:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\System32\awvtu.dll

    O4 - HKLM\..\Run: [Microsoft Windows Update] sccvhost.exe

    O4 - HKLM\..\RunServices: [Quick Time Video Codec] qtime32.exe

    O4 - HKLM\..\RunServices: [Microsoft Windows Update] sccvhost.exe

    O4 - HKLM\..\RunOnce: [Microsoft Windows Update] sccvhost.exe

    O4 - HKCU\..\Run: [Microsoft Windows Update] sccvhost.exe

    O4 - HKCU\..\RunOnce: [Microsoft Windows Update] sccvhost.exe

    O15 - Trusted Zone: *.sxload.com

    O16 - DPF: {42B1C70D-9823-41F7-810A-682DA294D868} - ms-its:mhtml:file://c:\nosuxxx.mht!http://sxload.com/da...chm::/sload.exe

    O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} (SbInstObj) - http://installs.spam...ckerutility.cab

    O20 - Winlogon Notify: awtsp - awtsp.dll (file missing)

    O20 - Winlogon Notify: awvtu - C:\WINDOWS\System32\awvtu.dll

    O20 - Winlogon Notify: style2 - C:\WINDOWS\
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Run the Free use Panda Active Scan

Copy the results of the ActiveScan and paste them here along with a new HijackThis log, the vundofix.txt file from the vundofix folder and the contents of the logfile c\windelf.txt into this topic.
  • 0

#5
feNetic
Posted 10 November 2005 - 09:04 AM

feNetic

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
First of all, thanks alot for helping me.. i have just finished doing all you have told me to do and heres the logs:

Results of the ActiveScan:


Incident Status Location

Spyware:spyware/smitfraud No disinfected C:\WINDOWS\SYSTEM32\wp.bmp
Adware:adware/elitebar No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\v3.dll
Adware:adware/ist.yoursitebar No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\ysbactivex.dll
Adware:adware/powerscan No disinfected Windows Registry
Dialer:dialer.asl No disinfected HKEY_CLASSES_ROOT\CLSID\{0D62A517-E7C6-4E1F-A577-07D4AC549A48}
Adware:adware/ist.istbar No disinfected Windows Registry
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Jump ref link bat\32mode.exe
Hacktool:Nuker Program No disinfected C:\Documents and Settings\Feng\Desktop\My Stuff\MirC Scripts\dx4[1].zip[vai-te~1.exe]
Spyware:Spyware/Smitfraud No disinfected C:\Program Files\AVPersonal\INFECTED\A0000271.EXE.VIR
Spyware:Spyware/Smitfraud No disinfected C:\Program Files\AVPersonal\INFECTED\A0000315.EXE.VIR
Spyware:Spyware/Smitfraud No disinfected C:\Program Files\AVPersonal\INFECTED\A0001792.EXE.VIR
Adware:Adware/nCase No disinfected C:\Program Files\AVPersonal\INFECTED\INIT[1].JS.VIR
Adware:Adware/EliteBar No disinfected C:\WINDOWS\Downloaded Program Files\v3.dll
Adware:Adware/AzeSearch No disinfected C:\WINDOWS\pumba2.dll
Adware:Adware/AzeSearch No disinfected C:\WINDOWS\pumba3.dll


HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 1:48:40 AM, on 11/11/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\System32\awvtu.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\System32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Windows Update] sccvhost.exe
O4 - HKLM\..\RunServices: [Quick Time Video Codec] qtime32.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update] sccvhost.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Windows Update] sccvhost.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {0D62A517-E7C6-4E1F-A577-07D4AC549A48} (Progetto1.int_ver32) - http://advnt01.com/d.../int_ver32b.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {3A2B370C-BA0A-11D1-B137-0000F8753F5D} (Microsoft Chart Control 6.0 (SP4) (OLEDB)) - http://www.fangdi.com.cn/mschart.cab
O16 - DPF: {3D4843A9-3D1C-4F34-B3A2-FEA9AA7F42D6} (WebInsDV Control) - http://download.drvi...5_2/DrVirus.cab
O16 - DPF: {42B1C70D-9823-41F7-810A-682DA294D868} - ms-its:mhtml:file://c:\nosuxxx.mht!http://sxload.com/da...chm::/sload.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone.../ICSScanner.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} (SbInstObj) - http://installs.spam...ckerutility.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {BD0F9A7F-695B-4AF4-90E9-08C5DD12FA35} (AtlCtrl Class) - http://www.yesicon.com/start001.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab31267.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: awvtu - C:\WINDOWS\System32\awvtu.dll (file missing)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe



vundofix.txt:

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\System32\awvtu.dll

The second filepath entered was C:\WINDOWS\System32\utvwa.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 140 'smss.exe'

Killing PID 708 'explorer.exe'


Killing PID 212 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS\System32\awvtu.dll Deleted sucessfully.
C:\WINDOWS\System32\utvwa.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------


windelf.txt:


************************
* WIN32DELFKIL LOGFILE *
************************


BEFORE RUNNING WIN32DELFKIL
***************************

File(s) found in Windows directory
----------------------------------

File(s) found in system32 folder
--------------------------------

SharedTaskScheduler key
-----------------------

SteelWerX Registry Console Tool 1.0
Written by Bobbi Flekman © 2005

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler
{438755C2-A8BA-11D1-B96B-00A0C90312E1} REG_SZ Browseui preloader
{8C7461EF-2B13-11d2-BE35-3078302C2030} REG_SZ Component Categories cache daemon
{6AC3806F-8B39-4746-9C38-6B01CB7331FF} REG_SZ Memory monitor

Notify key
----------
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\style2 is present!



AFTER RUNNING WIN32DELFKIL
**************************

File(s) found in Windows directory
----------------------------------

File(s) found in system32 folder
--------------------------------

SharedTaskScheduler key
-----------------------

SteelWerX Registry Console Tool 1.0
Written by Bobbi Flekman © 2005

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler
{438755C2-A8BA-11D1-B96B-00A0C90312E1} REG_SZ Browseui preloader
{8C7461EF-2B13-11d2-BE35-3078302C2030} REG_SZ Component Categories cache daemon

Notify key
----------


i have an extra 2 questions for you if you don't mind.

1. What does the svvhost.exe do to my computer?

2. Everytime i open up C: my AntiVir picks up:

C:\USBDR.EXE

Contains signature of the dropper DR/Agent.zt

and everytime i delete it, it'll just come back again.

Thanks again.
  • 0

#6
g2i2r4
Posted 10 November 2005 - 09:15 AM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Let's see what it is:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
    • C:\USBDR.EXE
  • Click on the submit button
  • Please post the results in your next reply.
***

Did you do the Killbox and HijackThis part of the advise? If not, please do them now. I'll prepare for round 3.
  • 0

#7
g2i2r4
Posted 10 November 2005 - 09:19 AM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop! We will need the file later.
Be sure to follow ALL instructions!


Please download noahdfear's smitRem.exe©. Save the file to your desktop. Double click on the file to extract it to it's own folder on the desktop.

***

Please download the trial version of ewido security suite.Install ewido security suite
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

Launch ewido, there should be an icon on your desktop double-click it.
The program will prompt you to update click the OK button

The program will now go to the main screen
You will need to update ewido to the latest definition files.On the left hand side of the main screen click update
Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed, close Ewido for now.

***

If you have not already installed Ad-Aware SE 1.06, please download and install AdAware SE 1.06.
Check Here on how setup and use it - please make sure you update it first.

***

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each

C:\Documents and Settings\Feng\Desktop\My Stuff\MirC Scripts\dx4[1].zip
C:\WINDOWS\pumba3.dll
C:\WINDOWS\pumba2.dll
C:\WINDOWS\DOWNLOADED PROGRAM FILES\ysbactivex.dll
C:\WINDOWS\DOWNLOADED PROGRAM FILES\v3.dll

For these file, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.

If your computer does not restart automatically, please restart it manually.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

***

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed.
Post me the contents of the smitfiles.txt log as you post back.

***

Open Ad-aware and do a full scan. Remove all it finds.

***

Now open Ewido Security Suite:* Click on scanner
* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop
Reboot your computer.

***

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

***

Reboot back into Windows
You will need to allow the popups for this site!

Run the Free use Panda Active Scan.
  • Click on Scan your PC. A new browser window will open with Panda ActiveScan. If this is the first time you scan your PC, you'll have to download the ActiveX controls (8 MB).
  • A new window will open
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When the download is complete, click on my computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.

Edited by g2i2r4, 10 November 2005 - 09:20 AM.

  • 0

#8
feNetic
Posted 10 November 2005 - 10:50 PM

feNetic

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts

Let's see what it is:

  • Please go to Jotti's malware scan

  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
    • C:\USBDR.EXE
  • Click on the submit button

  • Please post the results in your next reply.
***

Did you do the Killbox and HijackThis part of the advise? If not, please do them now. I'll prepare for round 3.


I did everything you told me to do in "Round 2" and have already posted the logs.
heres the Malware Scan Results:

Scanner results
AntiVir Found Dropper/Agent.zt
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Dropper.Agent.VC
BitDefender Found Dropped:Trojan.Dropper.ConHook.N
ClamAV Found nothing
Dr.Web Found Trojan.LowZones.130, Trojan.DownLoader.4412, Trojan.DownLoader.735, Trojan.DownLoader.4844, Trojan.DownLoader.4943, Trojan.DownLoader.4805
F-Prot Antivirus Found nothing
Fortinet Found W32/Adload.J-dldr
Kaspersky Anti-Virus Found Trojan-Clicker.Win32.Small.fx, Trojan-Downloader.Win32.ConHook.n, Trojan.Win32.LowZones.c, not-a-virus:AdWare.Win32.Maxifiles.u, Trojan-Downloader.Win32.VB.rl, Trojan-Downloader.Win32.Adload.j
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Trojan.Win32.VB.aem
  • 0

#9
feNetic
Posted 11 November 2005 - 08:57 AM

feNetic

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Panda scan report


Incident Status Location

Adware:adware/elitebar No disinfected Windows Registry
Dialer:dialer.asl No disinfected HKEY_CLASSES_ROOT\CLSID\{0D62A517-E7C6-4E1F-A577-07D4AC549A48}
Adware:adware/ist.istbar No disinfected Windows Registry
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\Jump ref link bat\32mode.exe
Adware:Adware/nCase No disinfected C:\Program Files\AVPersonal\INFECTED\INIT[1].JS.VIR

HijackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 1:55:44 AM, on 11/12/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\nvraidservice.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Feng\Desktop\Anti-Spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\System32\awvtu.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\System32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Windows Update] sccvhost.exe
O4 - HKLM\..\RunServices: [Quick Time Video Codec] qtime32.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Update] sccvhost.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Windows Update] sccvhost.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {0D62A517-E7C6-4E1F-A577-07D4AC549A48} (Progetto1.int_ver32) - http://advnt01.com/d.../int_ver32b.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {3A2B370C-BA0A-11D1-B137-0000F8753F5D} (Microsoft Chart Control 6.0 (SP4) (OLEDB)) - http://www.fangdi.com.cn/mschart.cab
O16 - DPF: {3D4843A9-3D1C-4F34-B3A2-FEA9AA7F42D6} (WebInsDV Control) - http://download.drvi...5_2/DrVirus.cab
O16 - DPF: {42B1C70D-9823-41F7-810A-682DA294D868} - ms-its:mhtml:file://c:\nosuxxx.mht!http://sxload.com/da...chm::/sload.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone.../ICSScanner.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} (SbInstObj) - http://installs.spam...ckerutility.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {BD0F9A7F-695B-4AF4-90E9-08C5DD12FA35} (AtlCtrl Class) - http://www.yesicon.com/start001.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab31267.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: awvtu - C:\WINDOWS\System32\awvtu.dll (file missing)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

the contents of smitfiles.txt


smitRem © log file
version 2.7

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Fri 11/11/2005
The current time is: 16:02:39.10

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

PSGuard.com


~~~ Favorites ~~~



~~~ system32 folder ~~~

wp.bmp


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :tazz:


Ewido Log

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:47:29 PM, 11/11/2005
+ Report-Checksum: 1FD7CB72

+ Scan result:

HKLM\SOFTWARE\Classes\AppID\HbSrv.EXE -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\HbSrv.EXE\\AppID -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\{B701A705-F828-11D4-A466-00508B5BA2DF} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{0AB71193-EC19-4D70-85C2-E46E2FF02755}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{175652E8-8BCC-47C4-B591-0D630F469C19} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{175652E8-8BCC-47C4-B591-0D630F469C19}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{1E0004EC-5DF0-48C7-A8F0-FBB0488A3D94} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{1E0004EC-5DF0-48C7-A8F0-FBB0488A3D94}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{31A59636-0FA3-4A56-954D-DB7AD02840D8}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{354382DB-DF55-4DA9-85A3-41696A0F510F} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{354382DB-DF55-4DA9-85A3-41696A0F510F}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{3CEB882D-6B2B-4D81-A544-9D9B1D6FA945} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{3CEB882D-6B2B-4D81-A544-9D9B1D6FA945}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{3FA917B9-DF69-477F-9E4F-B60D929DE79F}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{66B90ADB-0BE3-40AE-8680-84A6F0577CA0}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{74CC49F7-EB32-4A08-B204-948962A6E3DB} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{74CC49F7-EB32-4A08-B204-948962A6E3DB}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{7E66936C-FEA0-4984-AD26-7B6661AC5B2E} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{7E66936C-FEA0-4984-AD26-7B6661AC5B2E}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{A14C0D8D-E753-4E73-9E2B-4070791D8940}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BECAFC17-BAF9-11D4-B492-00D0B77F0A6D} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{C2BAA4C9-AE1E-4605-AE2F-A1C49A30D881}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{EA232A0A-46F8-4D44-A30B-50321518A828} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{ED8525EA-2BFC-4440-BD8A-20EFB9D5E541}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{FA16BCE1-5E36-472A-8466-E0CDD5CE00E6} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{FA16BCE1-5E36-472A-8466-E0CDD5CE00E6}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Contact.Contacts -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Contact.Contacts\CLSID -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Contact.Contacts\CLSID\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Contact.Contacts\CurVer -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Contact.Contacts.1 -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Contact.Contacts.1\CLSID\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbCoreSrv.DynamicProp -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbCoreSrv.DynamicProp\CLSID -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbCoreSrv.DynamicProp\CLSID\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbCoreSrv.DynamicProp\CurVer -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbCoreSrv.DynamicProp.1 -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbCoreSrv.DynamicProp.1\CLSID\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbHostOL.HbElementFocus -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbHostOL.HbElementFocus\CLSID -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbHostOL.HbElementFocus\CLSID\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbHostOL.HbElementFocus\CurVer -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbHostOL.HbElementFocus.1 -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\HbHostOL.HbElementFocus.1\CLSID\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{023A4648-601A-4C30-8A2E-C72EBFA99AF6}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{175816A5-219E-4079-B2F9-53C501C409BA}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{19EBCBE0-9245-4397-BC5D-883D34782043}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{20D21E02-8C1C-41FE-9826-DAB4C223436C} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{20D21E02-8C1C-41FE-9826-DAB4C223436C}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{27C4569F-8728-4958-A920-A607CAE8153C}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{397A208B-3D09-4B3E-93E8-CA171886612E}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{3C1A06CC-3981-4DB9-B5B6-B4B8ECB1D7F2}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{3F04CBF7-CD62-4403-B090-B432DEDCB159} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{3F04CBF7-CD62-4403-B090-B432DEDCB159}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{421745E9-16DF-4EE4-A758-D51F939C49CB}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{4331EC56-0AAB-499E-8757-DD2EE44AD671}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{4921DB9C-64EA-430A-ABD2-D016DB5A0AC4}\ProxyStubClsid32\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{54286C3A-E044-4E65-BD44-528D6AE28A18}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{5D16197A-1EAA-45AF-B29A-69F1AA055E87}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{5F2B9DE7-F878-4762-8CFE-E9C58F082F0E}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{66291BEF-C867-43C0-A7B4-D13393814BCD} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{66291BEF-C867-43C0-A7B4-D13393814BCD}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8578D35E-C6C0-4808-9A80-0F6C29A2C423} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8578D35E-C6C0-4808-9A80-0F6C29A2C423}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8654592E-952A-4E7C-A960-304763B35FA6}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8A61A950-C325-4F44-BA64-273180FF3464}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8D5C4EC6-AF8E-4B85-BA27-64BABE410510}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8E98FAF8-794F-47F9-AF90-15305564ED81}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{9387EAA3-66DC-4DA5-B40B-C9D080D6F818}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{9CDDFBC2-8DC8-4F01-9143-9685D6E16DFC}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{AF15975B-1498-4740-8E6C-90AF78E4198C}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B53D4CD4-406D-43CC-8244-7893D72236DD}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B9BB3219-F84C-4060-966B-4A1E73E24226}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC190DA5-0187-4D99-B3AC-6C45EA1B9324} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC190DA5-0187-4D99-B3AC-6C45EA1B9324}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC8C2E5F-D8B4-4997-BCE3-8775C3707956}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{CC9AA028-D639-442F-B97D-A2DAD8F293A2}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{D082721F-4BD4-4B8B-BB82-06753EE6174F}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{D24F9D3C-5D4C-47F8-9AB7-632B44AD6A0D}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{EA232A0A-46F8-4D44-A30B-50321518A828} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{EA232A0A-46F8-4D44-A30B-50321518A828}\ProxyStubClsid32\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{F43EC88B-B6C8-4969-A763-E2BF55602CCE}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{F786CB18-3809-4E49-BC99-9A66DA47DB8B}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{F814BE58-1BF9-4B50-829A-E889F86127AD}\TypeLib\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\MediaPassX.Installer\CLSID\\ -> Spyware.WinFavorites : Cleaned with backup
HKLM\SOFTWARE\Classes\PLOT.PlotCtrl.1 -> Spyware.EliteBar : Cleaned with backup
HKLM\SOFTWARE\Classes\SbHostIE.Bho\CLSID\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\SbHostIE.Bho.1\CLSID\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\SbSrv.CoreServices\CLSID\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\SbSrv.CoreServices.1\CLSID\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\SbToolbar.HtmlMenuUI\CLSID\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\SbToolbar.HtmlMenuUI.1\CLSID\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\SpamBlockerConfig.Application\Clsid\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\SpamBlockerConfig.Application.1\Clsid\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\SpamBlockerUtility.CommBand\CLSID\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\SpamBlockerUtility.CommBand.1\CLSID\\ -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{45397063-D7D0-47C2-9508-26487608A298} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{5BA32D9E-F1BD-476C-AD42-97C9379A57A4} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{71E9CF40-AF72-4B55-BD3F-1FEA2A0EAEA6} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{71EFE583-62FE-4419-9918-CA3B683F7B36} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{9967A873-40F3-4C7E-9239-6C8760F19F61} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{B5901229-25CC-43C9-B604-3BB6AC2B48A5} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{B9F51D42-CCA0-4408-BB02-D433D1865A3A} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{C83DAED4-0611-4F7A-978E-7FEAFCB2F91B} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\YSBactivex.Installer -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\Classes\YSBactivex.Installer\CLSID -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaPassX.dll\\.Owner -> Spyware.WinFavorites : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaPassX.dll\\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -> Spyware.WinFavorites : Cleaned with backup
HKLM\SOFTWARE\PowerScan -> Spyware.PowerScan : Cleaned with backup
HKU\S-1-5-21-789336058-527237240-839522115-1003\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{946B3E9E-E21A-49c8-9F63-900533FAFE14} -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-789336058-527237240-839522115-1003\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{E77EDA01-3C56-4a96-8D08-02B42891C169} -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-789336058-527237240-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{74CC49F7-EB32-4A08-B204-948962A6E3DB} -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-789336058-527237240-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{74CC49F7-EB32-4A08-B204-948962A6E3DB} -> Spyware.HotBar : Cleaned with backup
HKU\S-1-5-21-789336058-527237240-839522115-1003\Software\PowerScan -> Spyware.PowerScan : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Feng\Application Data\Netscape\NSB\Profiles\yxy354up.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Feng\Application Data\Netscape\NSB\Profiles\yxy354up.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Feng\Application Data\Netscape\NSB\Profiles\yxy354up.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Feng\Application Data\Netscape\NSB\Profiles\yxy354up.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Feng\Application Data\Netscape\NSB\Profiles\yxy354up.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Feng\Application Data\Netscape\NSB\Profiles\yxy354up.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Feng\Application Data\Netscape\NSB\Profiles\yxy354up.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Feng\Desktop\Anti-Spyware\backups\backup-20051111-012741-667.dll -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Feng\Desktop\My Stuff\MirC Scripts\Destiny-Zero!2.zip/Destiny-Zero!2/sys/vtjnuker.exe -> Not-A-Virus.Flooder.ICMP.Anarklik.20 : Cleaned with backup
C:\Documents and Settings\Ken\Application Data\ShopperReports -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Ken\Application Data\ShopperReports\cs -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Ken\Application Data\ShopperReports\cs\Config.xml -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Ken\Application Data\ShopperReports\cs\db -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Ken\Application Data\ShopperReports\cs\db\Aliases.dbs -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Ken\Application Data\ShopperReports\cs\db\Sites.dbs -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Ken\Application Data\ShopperReports\cs\dwld -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Ken\Application Data\ShopperReports\cs\dwld\WhiteList.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Ken\Application Data\ShopperReports\cs\persist.dbs -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Ken\Application Data\ShopperReports\cs\report -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Ken\Application Data\ShopperReports\cs\report\ag.xml -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Ken\Application Data\ShopperReports\cs\report\ag.xml.db -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Ken\Application Data\ShopperReports\cs\report\send.xml -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Ken\Application Data\ShopperReports\cs\report\send.xml.db -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Ken\Application Data\ShopperReports\cs\res2 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Ken\Application Data\ShopperReports\cs\res2\WhiteList.dbs -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Ken\Application Data\ShopperReports\shprrprt.log -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Laura\Application Data\ShopperReports -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Laura\Application Data\ShopperReports\cs -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Laura\Application Data\ShopperReports\cs\Config.xml -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Laura\Application Data\ShopperReports\cs\db -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Laura\Application Data\ShopperReports\cs\db\Aliases.dbs -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Laura\Application Data\ShopperReports\cs\db\Sites.dbs -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Laura\Application Data\ShopperReports\cs\dwld -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Laura\Application Data\ShopperReports\cs\dwld\WhiteList.xip -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Laura\Application Data\ShopperReports\cs\persist.dbs -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Laura\Application Data\ShopperReports\cs\report -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Laura\Application Data\ShopperReports\cs\report\ag.xml -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Laura\Application Data\ShopperReports\cs\report\ag.xml.db -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Laura\Application Data\ShopperReports\cs\report\send.xml -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Laura\Application Data\ShopperReports\cs\report\send.xml.db -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Laura\Application Data\ShopperReports\cs\res2 -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Laura\Application Data\ShopperReports\cs\res2\WhiteList.dbs -> Spyware.HotBar : Cleaned with backup
C:\Documents and Settings\Laura\Application Data\ShopperReports\shprrprt.log -> Spyware.HotBar : Cleaned with backup
C:\Program Files\AVPersonal\INFECTED\A0000271.EXE.VIR -> Trojan.Agent.eo : Cleaned with backup
C:\Program Files\AVPersonal\INFECTED\A0000315.EXE.VIR -> Trojan.Agent.eo : Cleaned with backup
C:\Program Files\AVPersonal\INFECTED\A0001792.EXE.VIR -> Trojan.Agent.eo : Cleaned with backup
C:\Program Files\ShopperReports -> Spyware.HotBar : Cleaned with backup
C:\Program Files\ShopperReports\Bin -> Spyware.HotBar : Cleaned with backup
C:\Program Files\ShopperReports\Bin\1.0.4.0 -> Spyware.HotBar : Cleaned with backup
C:\Program Files\SpamBlockerUtility\bin\4.6.1.0\Contact.dll -> Spyware.HotBar : Cleaned with backup
C:\Program Files\SpamBlockerUtility\bin\4.6.1.0\SbGuard.exe -> Spyware.HotBar : Cleaned with backup
C:\Program Files\SpamBlockerUtility\bin\4.6.1.0\SbHostOE.dll -> Spyware.HotBar : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\int_ver32b.ocx -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\system32\eiibipuk.exe -> Spyware.HotBar : Cleaned with backup
C:\WINDOWS\system32\NaviHelper.dll -> Spyware.NaviSearch : Cleaned with backup
C:\WINDOWS\system32\wirl0g0n.exe -> TrojanDropper.Small.na : Cleaned with backup


::Report End
  • 0

#10
g2i2r4
Posted 11 November 2005 - 09:34 AM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
I was wondering about the Killbox and HijackThis part because the entries are still there.

Let's try again.

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: MSEvents Object - {79A576C4-B7A9-47EC-B57C-2CE5CA6ECC6A} - C:\WINDOWS\System32\awvtu.dll (file missing)

O4 - HKLM\..\Run: [Microsoft Windows Update] sccvhost.exe

O4 - HKLM\..\RunServices: [Quick Time Video Codec] qtime32.exe

O4 - HKLM\..\RunServices: [Microsoft Windows Update] sccvhost.exe

O4 - HKCU\..\Run: [Microsoft Windows Update] sccvhost.exe

O16 - DPF: {0D62A517-E7C6-4E1F-A577-07D4AC549A48} (Progetto1.int_ver32) - http://advnt01.com/d.../int_ver32b.CAB

O16 - DPF: {42B1C70D-9823-41F7-810A-682DA294D868} - ms-its:mhtml:file://c:\nosuxxx.mht!http://sxload.com/da...chm::/sload.exe

O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} (SbInstObj) - http://installs.spam...ckerutility.cab

O20 - Winlogon Notify: awvtu - C:\WINDOWS\System32\awvtu.dll (file missing)

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

***

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download AproposFix from here:
http://swandog46.gee.../aproposfix.exe

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.
  • 0

#11
feNetic
Posted 11 November 2005 - 09:55 AM

feNetic

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 2:53:55 AM, on 11/12/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\nvraidservice.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Feng\Desktop\Anti-Spyware\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\System32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {3A2B370C-BA0A-11D1-B137-0000F8753F5D} (Microsoft Chart Control 6.0 (SP4) (OLEDB)) - http://www.fangdi.com.cn/mschart.cab
O16 - DPF: {3D4843A9-3D1C-4F34-B3A2-FEA9AA7F42D6} (WebInsDV Control) - http://download.drvi...5_2/DrVirus.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone.../ICSScanner.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {BD0F9A7F-695B-4AF4-90E9-08C5DD12FA35} (AtlCtrl Class) - http://www.yesicon.com/start001.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab31267.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

aproposfix log.txt

Log of AproposFix v1

************

Running from directory:
C:\Documents and Settings\Feng\Desktop\aproposfix

************

Registry entries found:


************

No service found!

Removing hidden folder:
No folder found!

Deleting files:


Backing up files:
Done!

Removing registry entries:

REGEDIT4


Done!

Finished!
  • 0

#12
g2i2r4
Posted 11 November 2005 - 12:21 PM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Okay, now is a good time to update to at least SP1a:
Click here
Apply the update, reboot, and post a fresh Hijack This log.

We'll take it from there.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP