Trojan Horse Downloader.Agent [RESOLVED]


  • This topic is locked

#1
honkin

    New Member

  • Member
  • 7 posts
Hi

I originally had the Trojan Startpage.19.AO and posted a topic on that, but used the advice found in this forum and it appears to be gone. Ran Cleanup, Ad-aware SE, CWShredder, Spybot, Ewido, Trojan Hunter, AVG. Startpage appears to be gone and now be replaced by Downloader.Agent.

I have spent hours on this and am getting frustrated.

Now when I just rebooted from Safe Mode, AVG says I have Trojan Horse Downloader.Agent.AQU, though the last letter changes occasionally - it was AQW 5 minutes ago. Every 30 seconds a new warning comes from AVG with a new filename indicated. They are all located in the c:\Windows folder - eg: c:\Windows\msmm32.dll

Here is my Hijack This log.

Logfile of HijackThis v1.99.1
Scan saved at 9:23:48 AM, on 15/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\atlwe32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
e:\Program Files\ewido\security suite\ewidoctrl.exe
e:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
E:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
E:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\alg.exe
E:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\SOUNDMAN.EXE
E:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
E:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
E:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Winamp\winampa.exe
C:\NOSPY.ORG\start1.exe
C:\WINDOWS\ierp32.exe
e:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
E:\Program Files\PeerGuardian2\pg2.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
E:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Wireless Device\Wireless Keyboard\osd.exe
E:\Program Files\WinZip\WZQKPICK.EXE
E:\Program Files\SpamBayes\bin\sb_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
e:\Program Files\Real\RealPlayer\RealPlay.exe
F:\FTPRoot\usr\Zip Files\Virus Trojan Spyware etc\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.google.com.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com.au
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {02D4A6D4-9A5A-9DD8-7DD4-5C2F02AD2717} - C:\WINDOWS\system32\ntsv32.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {0FC10DA6-621C-EEAE-0E43-CB4CCFC5B848} - C:\WINDOWS\system32\winpg.dll (file missing)
O2 - BHO: Class - {137FBD76-C94E-29D8-CB88-FB29E07E3C8E} - C:\WINDOWS\system32\crca32.dll (file missing)
O2 - BHO: Class - {14B627E8-FA46-6393-8D1A-01478E0D9C0A} - C:\WINDOWS\ntmx32.dll (file missing)
O2 - BHO: Class - {14CE5B7A-6546-0088-A736-F486C8A0A93F} - C:\WINDOWS\msek32.dll (file missing)
O2 - BHO: Class - {19AA31BF-1750-E89C-CB6E-11F9A6477CE9} - C:\WINDOWS\system32\d3ki32.dll (file missing)
O2 - BHO: Class - {262B7B86-55DB-32CD-522E-D1E8CDEC3BFE} - C:\WINDOWS\system32\netjt32.dll (file missing)
O2 - BHO: Class - {2D86D49A-0E10-CAE7-291B-D83BA5AD0087} - C:\WINDOWS\ntyh.dll (file missing)
O2 - BHO: Class - {30938316-DC58-DA9C-B4D3-C652FBD3DBEF} - C:\WINDOWS\addab.dll (file missing)
O2 - BHO: (no name) - {3DEE124E-EBB2-00C2-E596-DBCA1510C177} - (no file)
O2 - BHO: Class - {4CB9FE89-C678-F47B-2F95-B7988A0FC10D} - C:\WINDOWS\system32\netra.dll (file missing)
O2 - BHO: Class - {4D1C7E59-FDEE-E7E8-D0E4-2CA28A50B796} - C:\WINDOWS\ieyg32.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Class - {568F19C5-53C8-85F1-FD40-5AC40D3DE0DA} - C:\WINDOWS\system32\javagd.dll (file missing)
O2 - BHO: Class - {5899D6C8-2875-45AF-8736-13BE0C3BA5EC} - C:\WINDOWS\system32\addlo32.dll (file missing)
O2 - BHO: Class - {6C7405AE-7CE7-A0CE-827C-F77DFA449D8D} - C:\WINDOWS\system32\appua32.dll (file missing)
O2 - BHO: Class - {78545376-8241-C7E5-C71F-6A2E42322ADF} - C:\WINDOWS\system32\netpa.dll (file missing)
O2 - BHO: Class - {7A00499E-BCBB-B127-9B94-C5DF5086E096} - C:\WINDOWS\nethx32.dll (file missing)
O2 - BHO: Class - {7B315180-F3AA-843E-BFD5-2B630CDC0D67} - C:\WINDOWS\netev32.dll (file missing)
O2 - BHO: Class - {7D80F0E3-D853-E15E-FD62-366068538F6E} - C:\WINDOWS\system32\ieqn32.dll (file missing)
O2 - BHO: Class - {7E678766-5C45-3E67-EFD2-B3449A8C2A69} - C:\WINDOWS\winnk.dll (file missing)
O2 - BHO: Class - {85D798A6-2F83-A50C-5B26-F3BCDD880ABD} - C:\WINDOWS\crih.dll (file missing)
O2 - BHO: Class - {A010DBE2-CC3D-9634-88DD-0AC37058D49B} - C:\WINDOWS\system32\netei32.dll (file missing)
O2 - BHO: Class - {A4C18C6B-56A7-927D-630C-D7557B18963E} - C:\WINDOWS\system32\mstl.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Class - {AF02D6F5-E10D-4B29-B7AB-E057280C0CDC} - C:\WINDOWS\system32\d3gh.dll (file missing)
O2 - BHO: Class - {B1226024-595B-F768-1697-EFEE2A97E5C8} - C:\WINDOWS\system32\sysmk.dll (file missing)
O2 - BHO: Class - {B990B770-D62A-B542-EDA6-516033B76258} - C:\WINDOWS\javafz.dll (file missing)
O2 - BHO: Class - {C012ED91-D21E-BC95-430B-8D4A44A3BDA5} - C:\WINDOWS\system32\ipyu.dll (file missing)
O2 - BHO: Class - {C3AAEC67-F763-AFDD-7B89-B292B7DC615D} - C:\WINDOWS\system32\netaq32.dll (file missing)
O2 - BHO: Class - {C4790940-96EC-3F25-4A2F-F6BF035B6FD5} - C:\WINDOWS\system32\sysep.dll (file missing)
O2 - BHO: (no name) - {C8004A51-B1C6-2B52-CE97-BA80D6D6C5DB} - (no file)
O2 - BHO: Class - {CAE597FF-4125-1680-10FC-D57418898CD3} - C:\WINDOWS\javags32.dll (file missing)
O2 - BHO: Class - {D883F4CC-A8EE-9040-1995-5458D21F8391} - C:\WINDOWS\system32\netnu32.dll (file missing)
O2 - BHO: Class - {D9C0B1C1-84B5-7F4A-70E8-5A3C089B2899} - C:\WINDOWS\system32\sdkxr.dll (file missing)
O2 - BHO: Class - {E3BB58FA-9E29-5453-8515-DD85FF9C16C7} - C:\WINDOWS\system32\ienw32.dll (file missing)
O2 - BHO: Class - {F0D80D9E-EC18-2B52-399F-E70AEDFC8E18} - C:\WINDOWS\winef32.dll (file missing)
O2 - BHO: Class - {F3264A95-EA02-5435-7C3B-CC1A6BECFC5B} - C:\WINDOWS\atlog.dll (file missing)
O2 - BHO: Class - {F3DF3C5A-2566-083E-2CA1-07FE7B5682F8} - C:\WINDOWS\system32\sdkga32.dll (file missing)
O2 - BHO: Class - {F7C42564-EA95-5F04-2382-4C97CB847F28} - C:\WINDOWS\sdkgz32.dll (file missing)
O2 - BHO: Class - {FE13BDB7-4403-0563-A91B-7E8970E72CF7} - C:\WINDOWS\system32\ipsf32.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - e:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Omnipage] E:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Norton Ghost 9.0] E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MimBoot] e:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "e:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AnyDVD] "e:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] e:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [mswc.exe] C:\WINDOWS\system32\mswc.exe
O4 - HKLM\..\Run: [mslb32.exe] C:\WINDOWS\system32\mslb32.exe
O4 - HKLM\..\Run: [d3zn32.exe] C:\WINDOWS\d3zn32.exe
O4 - HKLM\..\Run: [STARTPAGE] C:\NOSPY.ORG\start1.exe
O4 - HKLM\..\Run: [winsj.exe] C:\WINDOWS\system32\winsj.exe
O4 - HKLM\..\Run: [ScriptSentry] e:\Script Sentry\ScriptSentry.exe /check
O4 - HKLM\..\Run: [ierp32.exe] C:\WINDOWS\ierp32.exe
O4 - HKLM\..\Run: [THGuard] "E:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PeerGuardian] e:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [supervisor.exe] C:\WINDOWS\supervisor.exe
O4 - Startup: SpamBayes Tray Icon.lnk = E:\Program Files\SpamBayes\bin\sb_tray.exe
O4 - User Startup: SpamBayes Tray Icon.lnk = E:\Program Files\SpamBayes\bin\sb_tray.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Enable Wireless Keyboard Driver.lnk = C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
O4 - Global Startup: Enable Wireless Optical Mouse Driver.lnk = C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: NkvMon.exe.lnk = E:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download &this page with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addthis.htm
O8 - Extra context menu item: Download all &images with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addimg.htm
O8 - Extra context menu item: Download all &links with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addurl.htm
O8 - Extra context menu item: Download selected images with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addselimgs.htm
O8 - Extra context menu item: Download selected links with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addsellinks.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: WebCloner - {ADFCCE65-DF10-46fd-B04A-53CCBE2A0795} - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\WebCloner.exe
O9 - Extra 'Tools' menuitem: &WebCloner - {ADFCCE65-DF10-46fd-B04A-53CCBE2A0795} - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\WebCloner.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1131673724281
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\atlwe32.exe" /s (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - e:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - e:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Norton Ghost - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - E:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
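Added example (an editor's addition, not part of honkin's post and not code from HijackThis or any of the tools named in this thread): a small Python triage script that encodes the patterns a log helper reads off the log above. It flags R0/R1 entries redirected to a res:// DLL resource, BHO registrations whose file is missing, autoruns and services that point at randomly named binaries directly under C:\WINDOWS or system32, and a service whose name contains non-ASCII bytes. The naming regex (a short prefix such as ms, win, ie, net or sdk followed by two random letters and an optional 32) is an assumption derived from the filenames in this one log, not a vendor signature, and the SAMPLE_LOG excerpt is copied from the first log above with a few clean entries left in so the reader can see them pass.

```python
"""Triage the R/O2/O4/O23 entries of a HijackThis 1.99 log for the patterns seen above."""
import ntpath
import re
from collections import namedtuple

# Every rogue file in the posted log is <prefix><two letters>[32].<exe|dll>
# (mswc, mslb32, d3zn32, ierp32, ntsv32, winpg, ...). Assumed heuristic derived
# from this one log, not a vendor signature: expect the odd false positive.
RANDOM_NAME = re.compile(
    r"^(ms|win|ie|d3|net|sdk|sys|app|add|atl|cr|java|ip|nt)[a-z]{2}(32)?\.(exe|dll)$"
)
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows(\\system32)?$")
ENTRY = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
Finding = namedtuple("Finding", "severity section reason line")  # severity: "high" | "medium"


def is_random_windows_binary(path):
    """True when PATH is a randomly named file sitting directly in %WINDIR% or system32."""
    folder = ntpath.dirname(path).lower()
    return bool(RANDOM_NAME.match(ntpath.basename(path))) and bool(WINDOWS_DIR.match(folder))


def check_r(section, body, line):
    # R0/R1/R3: start page, search page and URLSearchHook settings
    if "res://" in body:
        return Finding("high", section, "IE start/search page points at a local DLL resource (about:blank hijack)", line)
    if "about:blank" in body:
        return Finding("medium", section, "IE default page set to about:blank", line)
    if "URLSearchHook is missing" in body:
        return Finding("medium", section, "default URLSearchHook has been removed", line)


def check_o2(section, body, line):
    # O2: BHO: <name> - {CLSID} - <path> [(file missing)]   or   ... - (no file)
    parts = body.split(" - ")
    path = parts[-1].replace(" (file missing)", "") if len(parts) >= 3 else ""
    orphan = "(file missing)" in body or "(no file)" in body
    if orphan and is_random_windows_binary(path):
        return Finding("high", section, "BHO registered for a randomly named DLL that is now missing", line)
    if orphan:
        return Finding("medium", section, "orphaned BHO registration (no file on disk)", line)


def check_o4(section, body, line):
    # O4: <hive>\..\Run: [label] "<path>" <args>; take the first .exe token after the label
    m = re.search(r'\]\s*"?([^"]*?\.exe)', body, re.IGNORECASE)
    path = m.group(1) if m else ""
    if is_random_windows_binary(path):
        return Finding("high", section, "autorun of a randomly named binary under %WINDIR%", line)
    folder = ntpath.dirname(path).lower()
    if WINDOWS_DIR.match(folder) and not folder.endswith("system32"):
        return Finding("medium", section, "autorun of a binary placed in the %WINDIR% root", line)


def check_o23(section, body, line):
    # O23: Service: <display name> (<short name>) - <owner> - <path>
    name, _owner, path = (body[len("Service: "):].split(" - ", 2) + ["", ""])[:3]
    if any(ord(c) < 32 or ord(c) > 126 for c in name):
        return Finding("high", section, "service name contains non-ASCII or control characters", line)
    if "(file missing)" in path:
        return Finding("high", section, "service points at a binary that is missing", line)
    if is_random_windows_binary(path.split('"')[0]):
        return Finding("high", section, "service runs a randomly named binary under %WINDIR%", line)


CHECKS = {"R": check_r, "O2": check_o2, "O4": check_o4, "O23": check_o23}


def triage(log_text):
    """Return one Finding per suspicious entry, in log order; clean entries are skipped."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        check = CHECKS.get("R" if section.startswith("R") else section)
        finding = check(section, body, line) if check else None
        if finding:
            findings.append(finding)
    return findings


# Excerpt of the first log posted above, with a few clean entries left in on purpose.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {02D4A6D4-9A5A-9DD8-7DD4-5C2F02AD2717} - C:\WINDOWS\system32\ntsv32.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3DEE124E-EBB2-00C2-E596-DBCA1510C177} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mswc.exe] C:\WINDOWS\system32\mswc.exe
O4 - HKLM\..\Run: [ierp32.exe] C:\WINDOWS\ierp32.exe
O4 - HKCU\..\Run: [supervisor.exe] C:\WINDOWS\supervisor.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\atlwe32.exe" /s (file missing)
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:3} {f.reason}\n          {f.line}")
```

Run against the excerpt it reports nine findings and lets the ccApp, NeroCheck, Acrobat and RadClock lines through. Treat the output as a reading list for the kind of review the helpers in this thread do by hand, not as a delete list: the naming regex will misfire on the occasional short legitimate name, and non-ASCII service names are normal on localized Windows installs. Note the difference between the hit types as well: the O2 entries marked (file missing) are dead registrations left behind by an earlier cleanup, whereas the O4 and O23 hits name files that are still being launched at every boot, which is why AVG keeps raising new alerts.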
#2
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi honkin and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log. You have a serious About Blank infection which will require a bit of work on both our parts to completely eradicate.

1. Please DELETE your current HJT program from its present location.

2. Download and run the following HijackThis autoinstall program from Here. Please choose the default location of C:\Program Files\ as the destination. HJT needs to be in its own folder so that the program itself isn't deleted by accident. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!
  • Run HijackThis
  • Click SCAN and SAVE LOG. (a notepad window will open with the log in it when you click Save Log) (Ctrl-A to 'select all', Ctrl-C to 'copy')
  • POST the log into this thread using 'Add Reply' (Ctrl-V to 'paste')
DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS MOST OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER


Regards,

Trevuren

Edited by Trevuren, 14 November 2005 - 10:37 PM.

#3
honkin

    New Member

  • Topic Starter
  • Member
  • 7 posts
Cheers Trevuren. Glad to get some help as I have been pulling my hair out.

Yes, it started as about:blank just changing my homepage and giving me warnings in AVG, but I have a program stopping my homepage from being changed. It is called Startpage Spyware Removal Tool for IE. Doesn't really seem to remove anything, though. Just locks the homepage. After that the Startpage was being detected by AVG, until only a couple of days ago when it started warning of the Downloader.Agent.

Incidentally, Hijack This was always running in a separate folder, on the F: drive. Should have been working fine. I just don't install any programs on my C: drive. It is partitioned as an OS partition only. Most proggies are on the E: drive. Have now installed it on the C: drive as per your request, though.

I don't know if this helps at all, but there are also 3 entries in Add/Remove Programs which I have tried to remove for quite a while. One is Home Search Assistant, which sends me to a website when I try to uninstall it. Needless to say it does not uninstall. Another is Shopping Wizard, which takes me to the same website and the last one is called Search Extender which does the same thing. Don't know if they are part of the same problem, but worth telling you.

Also, a security log in Sygate tells me of a persistent file - C:\Windows\ierp32.exe which keeps attempting to use IE to do something relating to u47.cc - which I think is a known virus. I have it blocked, but would love to have it gone.

Here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 4:23:37 PM, on 15/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\atlwe32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
e:\Program Files\ewido\security suite\ewidoctrl.exe
e:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
E:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
E:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\alg.exe
E:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\SOUNDMAN.EXE
E:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
E:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
E:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Winamp\winampa.exe
C:\NOSPY.ORG\start1.exe
C:\WINDOWS\ierp32.exe
e:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
E:\Program Files\PeerGuardian2\pg2.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
E:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Wireless Device\Wireless Keyboard\osd.exe
E:\Program Files\WinZip\WZQKPICK.EXE
E:\Program Files\SpamBayes\bin\sb_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.google.com.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com.au
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {02D4A6D4-9A5A-9DD8-7DD4-5C2F02AD2717} - C:\WINDOWS\system32\ntsv32.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {0FC10DA6-621C-EEAE-0E43-CB4CCFC5B848} - C:\WINDOWS\system32\winpg.dll (file missing)
O2 - BHO: Class - {137FBD76-C94E-29D8-CB88-FB29E07E3C8E} - C:\WINDOWS\system32\crca32.dll (file missing)
O2 - BHO: Class - {14B627E8-FA46-6393-8D1A-01478E0D9C0A} - C:\WINDOWS\ntmx32.dll (file missing)
O2 - BHO: Class - {14CE5B7A-6546-0088-A736-F486C8A0A93F} - C:\WINDOWS\msek32.dll (file missing)
O2 - BHO: Class - {19AA31BF-1750-E89C-CB6E-11F9A6477CE9} - C:\WINDOWS\system32\d3ki32.dll (file missing)
O2 - BHO: Class - {262B7B86-55DB-32CD-522E-D1E8CDEC3BFE} - C:\WINDOWS\system32\netjt32.dll (file missing)
O2 - BHO: Class - {2D86D49A-0E10-CAE7-291B-D83BA5AD0087} - C:\WINDOWS\ntyh.dll (file missing)
O2 - BHO: Class - {30938316-DC58-DA9C-B4D3-C652FBD3DBEF} - C:\WINDOWS\addab.dll (file missing)
O2 - BHO: (no name) - {3DEE124E-EBB2-00C2-E596-DBCA1510C177} - (no file)
O2 - BHO: Class - {4CB9FE89-C678-F47B-2F95-B7988A0FC10D} - C:\WINDOWS\system32\netra.dll (file missing)
O2 - BHO: Class - {4D1C7E59-FDEE-E7E8-D0E4-2CA28A50B796} - C:\WINDOWS\ieyg32.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Class - {568F19C5-53C8-85F1-FD40-5AC40D3DE0DA} - C:\WINDOWS\system32\javagd.dll (file missing)
O2 - BHO: Class - {5899D6C8-2875-45AF-8736-13BE0C3BA5EC} - C:\WINDOWS\system32\addlo32.dll (file missing)
O2 - BHO: Class - {6C7405AE-7CE7-A0CE-827C-F77DFA449D8D} - C:\WINDOWS\system32\appua32.dll (file missing)
O2 - BHO: Class - {78545376-8241-C7E5-C71F-6A2E42322ADF} - C:\WINDOWS\system32\netpa.dll (file missing)
O2 - BHO: Class - {7A00499E-BCBB-B127-9B94-C5DF5086E096} - C:\WINDOWS\nethx32.dll (file missing)
O2 - BHO: Class - {7B315180-F3AA-843E-BFD5-2B630CDC0D67} - C:\WINDOWS\netev32.dll (file missing)
O2 - BHO: Class - {7D80F0E3-D853-E15E-FD62-366068538F6E} - C:\WINDOWS\system32\ieqn32.dll (file missing)
O2 - BHO: Class - {7E678766-5C45-3E67-EFD2-B3449A8C2A69} - C:\WINDOWS\winnk.dll (file missing)
O2 - BHO: Class - {85D798A6-2F83-A50C-5B26-F3BCDD880ABD} - C:\WINDOWS\crih.dll (file missing)
O2 - BHO: Class - {A010DBE2-CC3D-9634-88DD-0AC37058D49B} - C:\WINDOWS\system32\netei32.dll (file missing)
O2 - BHO: Class - {A4C18C6B-56A7-927D-630C-D7557B18963E} - C:\WINDOWS\system32\mstl.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Class - {AF02D6F5-E10D-4B29-B7AB-E057280C0CDC} - C:\WINDOWS\system32\d3gh.dll (file missing)
O2 - BHO: Class - {B1226024-595B-F768-1697-EFEE2A97E5C8} - C:\WINDOWS\system32\sysmk.dll (file missing)
O2 - BHO: Class - {B990B770-D62A-B542-EDA6-516033B76258} - C:\WINDOWS\javafz.dll (file missing)
O2 - BHO: Class - {C012ED91-D21E-BC95-430B-8D4A44A3BDA5} - C:\WINDOWS\system32\ipyu.dll (file missing)
O2 - BHO: Class - {C3AAEC67-F763-AFDD-7B89-B292B7DC615D} - C:\WINDOWS\system32\netaq32.dll (file missing)
O2 - BHO: Class - {C4790940-96EC-3F25-4A2F-F6BF035B6FD5} - C:\WINDOWS\system32\sysep.dll (file missing)
O2 - BHO: (no name) - {C8004A51-B1C6-2B52-CE97-BA80D6D6C5DB} - (no file)
O2 - BHO: Class - {CAE597FF-4125-1680-10FC-D57418898CD3} - C:\WINDOWS\javags32.dll (file missing)
O2 - BHO: Class - {D883F4CC-A8EE-9040-1995-5458D21F8391} - C:\WINDOWS\system32\netnu32.dll (file missing)
O2 - BHO: Class - {D9C0B1C1-84B5-7F4A-70E8-5A3C089B2899} - C:\WINDOWS\system32\sdkxr.dll (file missing)
O2 - BHO: Class - {E3BB58FA-9E29-5453-8515-DD85FF9C16C7} - C:\WINDOWS\system32\ienw32.dll (file missing)
O2 - BHO: Class - {F0D80D9E-EC18-2B52-399F-E70AEDFC8E18} - C:\WINDOWS\winef32.dll (file missing)
O2 - BHO: Class - {F3264A95-EA02-5435-7C3B-CC1A6BECFC5B} - C:\WINDOWS\atlog.dll (file missing)
O2 - BHO: Class - {F3DF3C5A-2566-083E-2CA1-07FE7B5682F8} - C:\WINDOWS\system32\sdkga32.dll (file missing)
O2 - BHO: Class - {F7C42564-EA95-5F04-2382-4C97CB847F28} - C:\WINDOWS\sdkgz32.dll (file missing)
O2 - BHO: Class - {FE13BDB7-4403-0563-A91B-7E8970E72CF7} - C:\WINDOWS\system32\ipsf32.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - e:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Omnipage] E:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Norton Ghost 9.0] E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MimBoot] e:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "e:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AnyDVD] "e:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] e:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [mswc.exe] C:\WINDOWS\system32\mswc.exe
O4 - HKLM\..\Run: [mslb32.exe] C:\WINDOWS\system32\mslb32.exe
O4 - HKLM\..\Run: [d3zn32.exe] C:\WINDOWS\d3zn32.exe
O4 - HKLM\..\Run: [STARTPAGE] C:\NOSPY.ORG\start1.exe
O4 - HKLM\..\Run: [winsj.exe] C:\WINDOWS\system32\winsj.exe
O4 - HKLM\..\Run: [ScriptSentry] e:\Script Sentry\ScriptSentry.exe /check
O4 - HKLM\..\Run: [ierp32.exe] C:\WINDOWS\ierp32.exe
O4 - HKLM\..\Run: [THGuard] "E:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PeerGuardian] e:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [supervisor.exe] C:\WINDOWS\supervisor.exe
O4 - Startup: SpamBayes Tray Icon.lnk = E:\Program Files\SpamBayes\bin\sb_tray.exe
O4 - User Startup: SpamBayes Tray Icon.lnk = E:\Program Files\SpamBayes\bin\sb_tray.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Enable Wireless Keyboard Driver.lnk = C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
O4 - Global Startup: Enable Wireless Optical Mouse Driver.lnk = C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: NkvMon.exe.lnk = E:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download &this page with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addthis.htm
O8 - Extra context menu item: Download all &images with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addimg.htm
O8 - Extra context menu item: Download all &links with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addurl.htm
O8 - Extra context menu item: Download selected images with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addselimgs.htm
O8 - Extra context menu item: Download selected links with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addsellinks.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: WebCloner - {ADFCCE65-DF10-46fd-B04A-53CCBE2A0795} - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\WebCloner.exe
O9 - Extra 'Tools' menuitem: &WebCloner - {ADFCCE65-DF10-46fd-B04A-53CCBE2A0795} - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\WebCloner.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1131673724281
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\atlwe32.exe" /s (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - e:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - e:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Norton Ghost - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - E:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#4 Trevuren (Old Dog, Retired Staff, 18,699 posts)
Your system is infected with a variant of the About:Blank infection.

1. First we must STOP, and Disable a bad Added Service
  • Click Start>Run and type in: services.msc
  • Click OK
  • In the Services window find: Remote Procedure Call (RPC) Helper
  • Select/highlight and right click the entry, and choose: Properties
  • On the General tab, under Service Status click the Stop button
  • Beside: Startup Type, in the drop menu, select: Disabled
  • Click Apply, then OK

2. Download CWShredder
Click check for updates. Do not use it yet.


3. Download Aboutbuster 5
  • Create a new folder on your desktop and call it AB
  • Extract [ALL] the files from the AboutBuster.zip file into this new Folder
  • Click on Updates to ensure you are working with the most current version
  • Do not use it yet.

4. Download: HomeSearchfix. Unzip it to your desktop. Do not use it yet.


Take care: some files can be hidden, so first go to Start > Control Panel > Folder Options > View (tab) > mark "Show hidden files and extensions" > OK

Please print out these directions for in safe mode you will have to be disconnected from the internet. You should entirely disconnect (UNPLUG) from the internet!!!


5. Reboot your system into safe mode for all OS


6. Close all windows and open HijackThis.
  • Click "scan only” in the main window
  • Put a checkmark beside the following entries and click “FIX checked”.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {02D4A6D4-9A5A-9DD8-7DD4-5C2F02AD2717} - C:\WINDOWS\system32\ntsv32.dll (file missing)
    O2 - BHO: Class - {0FC10DA6-621C-EEAE-0E43-CB4CCFC5B848} - C:\WINDOWS\system32\winpg.dll (file missing)
    O2 - BHO: Class - {137FBD76-C94E-29D8-CB88-FB29E07E3C8E} - C:\WINDOWS\system32\crca32.dll (file missing)
    O2 - BHO: Class - {14B627E8-FA46-6393-8D1A-01478E0D9C0A} - C:\WINDOWS\ntmx32.dll (file missing)
    O2 - BHO: Class - {14CE5B7A-6546-0088-A736-F486C8A0A93F} - C:\WINDOWS\msek32.dll (file missing)
    O2 - BHO: Class - {19AA31BF-1750-E89C-CB6E-11F9A6477CE9} - C:\WINDOWS\system32\d3ki32.dll (file missing)
    O2 - BHO: Class - {262B7B86-55DB-32CD-522E-D1E8CDEC3BFE} - C:\WINDOWS\system32\netjt32.dll (file missing)
    O2 - BHO: Class - {2D86D49A-0E10-CAE7-291B-D83BA5AD0087} - C:\WINDOWS\ntyh.dll (file missing)
    O2 - BHO: Class - {30938316-DC58-DA9C-B4D3-C652FBD3DBEF} - C:\WINDOWS\addab.dll (file missing)
    O2 - BHO: (no name) - {3DEE124E-EBB2-00C2-E596-DBCA1510C177} - (no file)
    O2 - BHO: Class - {4D1C7E59-FDEE-E7E8-D0E4-2CA28A50B796} - C:\WINDOWS\ieyg32.dll (file missing)
    O2 - BHO: Class - {568F19C5-53C8-85F1-FD40-5AC40D3DE0DA} - C:\WINDOWS\system32\javagd.dll (file missing)
    O2 - BHO: Class - {5899D6C8-2875-45AF-8736-13BE0C3BA5EC} - C:\WINDOWS\system32\addlo32.dll (file missing)
    O2 - BHO: Class - {6C7405AE-7CE7-A0CE-827C-F77DFA449D8D} - C:\WINDOWS\system32\appua32.dll (file missing)
    O2 - BHO: Class - {78545376-8241-C7E5-C71F-6A2E42322ADF} - C:\WINDOWS\system32\netpa.dll (file missing)
    O2 - BHO: Class - {7A00499E-BCBB-B127-9B94-C5DF5086E096} - C:\WINDOWS\nethx32.dll (file missing)
    O2 - BHO: Class - {7B315180-F3AA-843E-BFD5-2B630CDC0D67} - C:\WINDOWS\netev32.dll (file missing)
    O2 - BHO: Class - {7D80F0E3-D853-E15E-FD62-366068538F6E} - C:\WINDOWS\system32\ieqn32.dll (file missing)
    O2 - BHO: Class - {7E678766-5C45-3E67-EFD2-B3449A8C2A69} - C:\WINDOWS\winnk.dll (file missing)
    O2 - BHO: Class - {85D798A6-2F83-A50C-5B26-F3BCDD880ABD} - C:\WINDOWS\crih.dll (file missing)
    O2 - BHO: Class - {A010DBE2-CC3D-9634-88DD-0AC37058D49B} - C:\WINDOWS\system32\netei32.dll (file missing)
    O2 - BHO: Class - {A4C18C6B-56A7-927D-630C-D7557B18963E} - C:\WINDOWS\system32\mstl.dll (file missing)
    O2 - BHO: Class - {AF02D6F5-E10D-4B29-B7AB-E057280C0CDC} - C:\WINDOWS\system32\d3gh.dll (file missing)
    O2 - BHO: Class - {B1226024-595B-F768-1697-EFEE2A97E5C8} - C:\WINDOWS\system32\sysmk.dll (file missing)
    O2 - BHO: Class - {B990B770-D62A-B542-EDA6-516033B76258} - C:\WINDOWS\javafz.dll (file missing)
    O2 - BHO: Class - {C012ED91-D21E-BC95-430B-8D4A44A3BDA5} - C:\WINDOWS\system32\ipyu.dll (file missing)
    O2 - BHO: Class - {C3AAEC67-F763-AFDD-7B89-B292B7DC615D} - C:\WINDOWS\system32\netaq32.dll (file missing)
    O2 - BHO: Class - {C4790940-96EC-3F25-4A2F-F6BF035B6FD5} - C:\WINDOWS\system32\sysep.dll (file missing)
    O2 - BHO: (no name) - {C8004A51-B1C6-2B52-CE97-BA80D6D6C5DB} - (no file)
    O2 - BHO: Class - {CAE597FF-4125-1680-10FC-D57418898CD3} - C:\WINDOWS\javags32.dll (file missing)
    O2 - BHO: Class - {D883F4CC-A8EE-9040-1995-5458D21F8391} - C:\WINDOWS\system32\netnu32.dll (file missing)
    O2 - BHO: Class - {D9C0B1C1-84B5-7F4A-70E8-5A3C089B2899} - C:\WINDOWS\system32\sdkxr.dll (file missing)
    O2 - BHO: Class - {E3BB58FA-9E29-5453-8515-DD85FF9C16C7} - C:\WINDOWS\system32\ienw32.dll (file missing)
    O2 - BHO: Class - {F0D80D9E-EC18-2B52-399F-E70AEDFC8E18} - C:\WINDOWS\winef32.dll (file missing)
    O2 - BHO: Class - {F3264A95-EA02-5435-7C3B-CC1A6BECFC5B} - C:\WINDOWS\atlog.dll (file missing)
    O2 - BHO: Class - {F3DF3C5A-2566-083E-2CA1-07FE7B5682F8} - C:\WINDOWS\system32\sdkga32.dll (file missing)
    O2 - BHO: Class - {F7C42564-EA95-5F04-2382-4C97CB847F28} - C:\WINDOWS\sdkgz32.dll (file missing)
    O2 - BHO: Class - {FE13BDB7-4403-0563-A91B-7E8970E72CF7} - C:\WINDOWS\system32\ipsf32.dll (file missing)
    O4 - HKLM\..\Run: [mswc.exe] C:\WINDOWS\system32\mswc.exe
    O4 - HKLM\..\Run: [mslb32.exe] C:\WINDOWS\system32\mslb32.exe
    O4 - HKLM\..\Run: [d3zn32.exe] C:\WINDOWS\d3zn32.exe
    O4 - HKLM\..\Run: [winsj.exe] C:\WINDOWS\system32\winsj.exe
    O4 - HKLM\..\Run: [ierp32.exe] C:\WINDOWS\ierp32.exe
    O4 - HKCU\..\Run: [supervisor.exe] C:\WINDOWS\supervisor.exe
    O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\atlwe32.exe" /s (file missing)

7. Run CWShredder and choose FIX

8. Start AboutBuster and press START, and then OK. The program will start scanning. Please keep the About Buster log and post it in your next reply.

9. Double-click HomeSearchfix.reg to merge the info to the registry. You will be prompted to accept the merge, answer YES.

10. REBOOT your System into Safe Mode

How to use the F8 method to Start Your Computer in Safe Mode
  • Restart the computer.
  • As soon as BIOS is loaded, begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe mode menu item.
  • Press Enter.

11. Using Windows Explorer, please DELETE the following Files/Folders - and all their content - (if they are still present):


C:\WINDOWS\atlwe32.exe
C:\WINDOWS\ierp32.exe
C:\WINDOWS\system32\dgugf.dll
C:\WINDOWS\system32\mswc.exe
C:\WINDOWS\system32\mslb32.exe
C:\WINDOWS\d3zn32.exe
C:\WINDOWS\system32\winsj.exe
C:\WINDOWS\supervisor.exe

12. Start AboutBuster AGAIN and scan AGAIN.


13. Clean temporary files:
  • Go > start > run and type cleanmgr and OK
  • Scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files and Recycle Bin are the only things checked.
  • Click OK to remove those files.
  • Click Yes to confirm deletion.

14. Reboot your system into normal mode.


15. Download Ewido scan
  • Check for updates.
  • Let it do a full run.
  • Copy the log. Paste it into a blank Notepad file and save it to post here.

16. Finally, run HijackThis, click SCAN, produce a LOG and POST it, the Ewido scan log, and the About Buster log in this thread for review.

Regards,

Trevuren

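The entries Trevuren's fix list singles out share a few mechanical tells: a search page redirected to a res://...sp.html resource inside a DLL, BHOs whose DLL is "(file missing)" or "(no file)", autostart entries for randomly named files dropped into C:\WINDOWS or system32, and a service whose display name is binary garbage. The script below is an added example, not code from this thread or from HijackThis, that applies those tells to a handful of lines copied from the logs posted above. The prefix list, the weights and the fix/review thresholds are my assumptions for illustration, not a HijackThis feature, and the name heuristic can misfire on legitimate files, so "fix" means "tick this after a look", not "delete blindly".

```python
"""Triage HijackThis (HJT) log lines for About:Blank / CoolWebSearch tells.
Added example: not from this thread and not HijackThis code.  The prefix
list, weights and thresholds below are assumptions, not a HijackThis feature."""
from __future__ import annotations

import re

# Lines copied from the HijackThis logs posted in this thread (a constructed
# selection of clean and infected entries, not a complete log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {02D4A6D4-9A5A-9DD8-7DD4-5C2F02AD2717} - C:\WINDOWS\system32\ntsv32.dll (file missing)
O2 - BHO: (no name) - {3DEE124E-EBB2-00C2-E596-DBCA1510C177} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mslb32.exe] C:\WINDOWS\system32\mslb32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\atlwe32.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# Search page redirected into a resource inside a DLL (the About:Blank tell).
RES_SP_HTML = re.compile(r"res://.*\.dll/sp\.html#\d+", re.I)
# HJT marks registry entries whose target file no longer exists.
MISSING_FILE = re.compile(r"\((?:file missing|no file)\)", re.I)
# Random "system-looking" names under C:\WINDOWS or system32: a familiar prefix,
# 2-4 random letters, optional "32".  Assumed heuristic; can misfire on real files.
RANDOM_SYSTEM_NAME = re.compile(
    r"C:\\WINDOWS\\(?:system32\\)?"
    r"(?:ms|nt|win|ie|net|d3|sys|sdk|java|app|atl|add|cr|ip)[a-z]{2,4}(?:32)?\.(?:dll|exe)\b",
    re.I,
)


def triage_line(line: str) -> tuple[str, list[str]]:
    """Return (verdict, reasons) for one HJT line; verdict is fix/review/ok."""
    reasons: list[str] = []
    score = 0
    section = line.split(" - ", 1)[0]          # R0, R1, O2, O4, O23, ...
    if RES_SP_HTML.search(line):
        reasons.append("search/start page points at res://...sp.html")
        score += 2
    if section == "O2" and MISSING_FILE.search(line):
        reasons.append("BHO registered but its DLL is gone")
        score += 2
    if section == "O23":
        parts = line.split(" - ", 2)
        display_name = parts[1] if len(parts) >= 2 else line
        # Real services have printable ASCII names; this one had binary junk.
        if any(ord(ch) < 32 or ord(ch) > 126 for ch in display_name):
            reasons.append("service display name contains garbage characters")
            score += 2
        if MISSING_FILE.search(line):
            reasons.append("service binary missing")
            score += 1
    if RANDOM_SYSTEM_NAME.search(line):
        reasons.append("random system-looking file name under C:\\WINDOWS")
        score += 2 if section == "O4" else 1   # an autorun of such a file weighs more
    if "URLSearchHook is missing" in line:
        reasons.append("default URLSearchHook removed (hijacker side effect)")
        score += 1
    verdict = "fix" if score >= 2 else "review" if score == 1 else "ok"
    return verdict, reasons


def triage_log(log_text: str) -> list[tuple[str, list[str], str]]:
    """Triage every non-blank line: (verdict, reasons, original line)."""
    return [(*triage_line(ln), ln) for ln in log_text.splitlines() if ln.strip()]


def fix_list(log_text: str) -> list[str]:
    """Lines a helper would ask the poster to tick in HijackThis."""
    return [ln for verdict, _, ln in triage_log(log_text) if verdict == "fix"]


def summarize(log_text: str) -> dict[str, int]:
    counts = {"fix": 0, "review": 0, "ok": 0}
    for verdict, _, _ in triage_log(log_text):
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    for verdict, reasons, line in triage_log(SAMPLE_LOG):
        print(f"[{verdict:6}] {line[:70]}")
        for reason in reasons:
            print(f"          - {reason}")
    print(summarize(SAMPLE_LOG))
```

Run as-is it prints one verdict per sample line and the totals; the interesting part is the reasons list, which is the same checklist a human log reader runs in their head. Note the tells are structural (missing file, garbage name, res:// search page), not a list of known bad filenames, which is why they still work when the random file names change between reboots, as they did in this thread.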

#5 honkin (New Member, Topic Starter, 7 posts)
OK, some of the entries indicated were not there when I booted into safe mode. When I finally booted back to normal mode, AVG kept bringing up trojan messages.

Here are the logs you requested.

Cheers

Logfile of HijackThis v1.99.1
Scan saved at 12:11:34 PM, on 16/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
e:\Program Files\ewido\security suite\ewidoctrl.exe
e:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
E:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
E:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\alg.exe
E:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\SOUNDMAN.EXE
E:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
E:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Winamp\winampa.exe
C:\NOSPY.ORG\start1.exe
e:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
e:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Messenger\msmsgs.exe
E:\Program Files\PeerGuardian2\pg2.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Wireless Device\Wireless Keyboard\osd.exe
E:\Program Files\Nikon\NkView6\NkvMon.exe
E:\Program Files\WinZip\WZQKPICK.EXE
E:\Program Files\SpamBayes\bin\sb_tray.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.google.com.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com.au
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Class - {CAE597FF-4125-1680-10FC-D57418898CD3} - C:\WINDOWS\javags32.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - e:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Omnipage] E:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Norton Ghost 9.0] E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MimBoot] e:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "e:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AnyDVD] "e:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] e:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [STARTPAGE] C:\NOSPY.ORG\start1.exe
O4 - HKLM\..\Run: [ScriptSentry] e:\Script Sentry\ScriptSentry.exe /check
O4 - HKLM\..\Run: [THGuard] "E:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PeerGuardian] e:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [supervisor.exe] C:\WINDOWS\supervisor.exe
O4 - Startup: SpamBayes Tray Icon.lnk = E:\Program Files\SpamBayes\bin\sb_tray.exe
O4 - User Startup: SpamBayes Tray Icon.lnk = E:\Program Files\SpamBayes\bin\sb_tray.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Enable Wireless Keyboard Driver.lnk = C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
O4 - Global Startup: Enable Wireless Optical Mouse Driver.lnk = C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: NkvMon.exe.lnk = E:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download &this page with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addthis.htm
O8 - Extra context menu item: Download all &images with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addimg.htm
O8 - Extra context menu item: Download all &links with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addurl.htm
O8 - Extra context menu item: Download selected images with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addselimgs.htm
O8 - Extra context menu item: Download selected links with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addsellinks.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: WebCloner - {ADFCCE65-DF10-46fd-B04A-53CCBE2A0795} - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\WebCloner.exe
O9 - Extra 'Tools' menuitem: &WebCloner - {ADFCCE65-DF10-46fd-B04A-53CCBE2A0795} - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\WebCloner.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1131673724281
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - e:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - e:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Norton Ghost - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - E:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:10:39 PM, 16/11/2005
+ Report-Checksum: 50CBD1EE

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{1DE20533-9118-BF9A-A6C6-F8E881A5FD4B} -> Spyware.CoolWebSearch : Cleaned with backup
F:\Documents and Settings\Shane O'Sullivan\Cookies\shane o'sullivan@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
F:\Documents and Settings\Shane O'Sullivan\Cookies\shane o'sullivan@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
F:\Documents and Settings\Shane O'Sullivan\Local Settings\Temporary Internet Files\Content.IE5\F9STVTOF\mm[2].js -> Spyware.Chitika : Cleaned with backup


::Report End


AboutBuster 5.1, reference file 33
Scan started on [16/11/2005] at [10:40:11 AM]
------------------------------------------------
No Ads Found!
------------------------------------------------
Removed File! : C:\WINDOWS\bdtwi.dat
Removed File! : C:\WINDOWS\vlkdx.dat
Removed File! : C:\WINDOWS\wrbtx.dat
Removed File! : C:\WINDOWS\zdavy.dat
Removed File! : C:\WINDOWS\system32\jblvx.dat
Removed File! : C:\WINDOWS\system32\lbnuf.dat
Removed File! : C:\WINDOWS\system32\mhxkb.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 10:42:14 AM


AboutBuster 5.1, reference file 33
Scan started on [16/11/2005] at [10:53:02 AM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 10:55:04 AM

#6 Trevuren (Old Dog, Retired Staff, 18,699 posts)
We need to do a general overall cleanup of your system at this time.

1. Download and Run a free trial version of an anti-trojan program called Trojan Hunter: HERE
  • Let it scan your whole system and remove anything it finds.
  • REBOOT your system.
2. Run Panda, a free online antivirus scan from HERE
  • Let it remove anything it finds.
  • REBOOT your system.
3. Download, install, update, configure, and run Ad-Aware SE Personal 1.06.
  • Download Ad-Aware SE Personal 1.06:
  • Install Ad-Aware SE Personal 1.06:
    • Double-click on aawsepersonal.exe to install the program.
    • Follow the default settings for installation.
    • After the program has finished installing uncheck the "Perform a full system scan now", "Update definition file now", and "Open the help file now" boxes.
  • Update Ad-Aware SE Personal 1.06:
    • Double-click the Ad-Aware SE Personal icon on your desktop.
    • Click "Check for updates now" then click "Connect".
    • It will check for any updates. If any are found click "OK" to download and install the updates. Once it has finished click "Finish".
  • Configure Ad-Aware SE Personal 1.06:
    • Click on the Gear button at the top of the window.
    • Click "General" on the left hand side to display the General Settings box.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
        • "Automatically save logfile"
        • "Automatically quarantine objects prior to removal"
        • "Safe Mode (always request confirmation)"
        • "Prompt to update outdated definitions" - change to 7 days from the default 14.
    • Click "Scanning" on the left hand side to display the Scan Settings box.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
      • "Scan within archives"
      • "Select drives & folders to scan" - select your hard drive(s).
      • "Scan active processes"
      • "Scan registry"
      • "Deep-scan registry"
      • "Scan my IE favorites for banned URLs"
      • "Scan my Hosts file"
    • Click "Advanced" on the left hand side to display the Advanced Settings box.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
      • "Move deleted files to Recycle Bin"
      • "Include additional object information"
      • "Include negligible objects information"
      • "Include environment information"
    • Click "Defaults" on the left hand side to display the Default Settings box.
      • Make sure these items have your preferred settings in them.:
      • "Default homepage"
      • "Default searchpage"
    • Click "Tweak" on the left hand side to display the Tweak Settings box.
      • Click the + (plus) sign next to the Log Files section. This will expand the section.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
        • "Include basic Ad-Aware settings in log file"
        • "Include additional Ad-Aware settings in log file"
        • "Include reference summary in log file"
        • "Include alternate data stream details in log file"
      • Click the + (plus) sign next to the Scanning Engine section. This will expand the section.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
        • "Unload recognized processes & modules during scan"
        • "Scan registry for all users instead of current user only"
        • "Obtain command line of scanned processes"
      • Click the + (plus) sign next to the Cleaning Engine section. This will expand the section.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
        • "Always try to unload modules before deletion"
        • "During removal, unload Explorer and IE if necessary"
        • "Let Windows remove files in use at next reboot"
        • "Delete quarantined objects after restoring"
    • Once you are done with these settings, click "Proceed" to save them.
    • This will take you back to the main screen.
  • Run Ad-Aware SE Personal 1.06:
    • Click the "Start" button.
    • Uncheck the "Search for negligible risk entries" entry.
    • Choose the "Use custom scanning options" scan mode.
    • Click the "Next" button.
    • Ad-Aware will begin to scan for malware residing on your computer.
    • Allow the scan to finish.
    • Right-click on any entry in the list and click "Select All" to select the whole list.
    • Click "Next" and choose "OK" at the prompt to quarantine and remove the objects.
    • REBOOT your system.
4. Download the .exe format of Cleanup by Steven Gould from: HERE
  • A window will open and choose SAVE, then DESKTOP as the destination.
  • On your Desktop, click on Cleanup40.exe icon.
  • Then, click RUN and place a checkmark beside "I Agree"
  • Then click NEXT followed by START and OK.
  • A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
  • Click OK
  • Finally click "CleanUp"
The program will probably ask you to reboot. If it doesn't, then REBOOT your system yourself.

5. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review.

Regards,

Trevuren


#7 honkin (New Member, Topic Starter, 7 posts)
Hey Trevuren

The link to Cleanup40.exe is dead, but I already had a copy of it on my system. Ran it in standard mode and let it do its thing.

Also, Panda did a log which had heaps of Adware. I have moved them all from both Windows and Windows\System32 to another location. Will delete them if you say they are OK to be deleted. Have included the Panda log as well.

Hijack This still shows 3 entries of that dgugf.dll.

Logfile of HijackThis v1.99.1
Scan saved at 10:12:19 AM, on 17/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
e:\Program Files\ewido\security suite\ewidoctrl.exe
e:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
E:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
E:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\alg.exe
E:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\SOUNDMAN.EXE
E:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
E:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
E:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Winamp\winampa.exe
C:\NOSPY.ORG\start1.exe
e:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
E:\Program Files\PeerGuardian2\pg2.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Wireless Device\Wireless Keyboard\osd.exe
E:\Program Files\Nikon\NkView6\NkvMon.exe
E:\Program Files\WinZip\WZQKPICK.EXE
E:\Program Files\SpamBayes\bin\sb_tray.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.google.com.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com.au
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Class - {CAE597FF-4125-1680-10FC-D57418898CD3} - C:\WINDOWS\javags32.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - e:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Omnipage] E:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Norton Ghost 9.0] E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MimBoot] e:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "e:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AnyDVD] "e:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] e:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [STARTPAGE] C:\NOSPY.ORG\start1.exe
O4 - HKLM\..\Run: [ScriptSentry] e:\Script Sentry\ScriptSentry.exe /check
O4 - HKLM\..\Run: [THGuard] "E:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PeerGuardian] e:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [supervisor.exe] C:\WINDOWS\supervisor.exe
O4 - Startup: SpamBayes Tray Icon.lnk = E:\Program Files\SpamBayes\bin\sb_tray.exe
O4 - User Startup: SpamBayes Tray Icon.lnk = E:\Program Files\SpamBayes\bin\sb_tray.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Enable Wireless Keyboard Driver.lnk = C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
O4 - Global Startup: Enable Wireless Optical Mouse Driver.lnk = C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: NkvMon.exe.lnk = E:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download &this page with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addthis.htm
O8 - Extra context menu item: Download all &images with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addimg.htm
O8 - Extra context menu item: Download all &links with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addurl.htm
O8 - Extra context menu item: Download selected images with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addselimgs.htm
O8 - Extra context menu item: Download selected links with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addsellinks.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: WebCloner - {ADFCCE65-DF10-46fd-B04A-53CCBE2A0795} - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\WebCloner.exe
O9 - Extra 'Tools' menuitem: &WebCloner - {ADFCCE65-DF10-46fd-B04A-53CCBE2A0795} - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\WebCloner.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1131673724281
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - e:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - e:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Norton Ghost - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - E:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe



Incident Status Location

Adware:Adware/SearchAid No disinfected C:\WINDOWS\addde32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\addjr32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\addpb.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\addqm32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\addxg32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\apifh32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\apigu.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\apilv.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\apiov32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\apisg32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\apisn.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\apitr.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\appkj32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\appwe.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\appyo.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\appyt32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\atlnp.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\atlre.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\crcq.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\crpv.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\crtq32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\crul.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\d3mk.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\d3ui32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\d3vv32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\ieew.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\iezf.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\ipdx.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\ipnc.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\ipoo.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\ippa.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\javaba32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\javacc.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\mfcaa.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\mfcbx32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\mfcck32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\mfcvz32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\netnt32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\netyh32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\netyo.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\ntee32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\nttl32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\sdkjl32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\sdkkx32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\sdksg.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\sdkwh32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\sdkwj.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\sysav.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\sysmm32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\addbh32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\addfs.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\addhq32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\addmb.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\addol32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\apiez32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\apiis32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\apiqd.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\apivx.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\apphf.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\applb.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\appoh.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\apprc32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\appud.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\appwp.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\atlhf.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\atllu.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\atltq32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\crkj.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\crnl32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\crqk32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\crre.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\crrw32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\crvp32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\d3ax32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\d3fq.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\d3jj32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\iedt32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\iegi32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\ietz32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\ipcz32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\ipdf32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\ipqs.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\javaml.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\javamu32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\javayr.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\mfccr32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\mfces.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\mfcet32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\mfcof.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\mfcxj32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\msmi32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\mstr32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\netto.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\netwm.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\netwz.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\ntvv32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\sdkct32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\sdkqx.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\sysdb.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\syseb.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\syshe.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\sysmw.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\systw32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\sysvg32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\sysvi32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\sysvy.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\sysyn.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\winar.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\winzr32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\systx.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\ujzmh.log
Adware:Adware/SearchAid No disinfected C:\WINDOWS\wincs.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\wingn.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\winjx.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\winkj.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\winld32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\winmh.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\winvf32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\winxi32.exe
  • 0

#8
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Please delete all those files. If there are any that won't let themselves be deleted in regular mode, delete them at the same time you are deleting the prescribed files in Safe Mode later on in the fix.

Please print out these directions, because in Safe Mode you will have to be disconnected from the internet. You should entirely disconnect (UNPLUG) from the internet!!!

We need to make all files and folders VISIBLE:
Go to start>control panel>folder options>view (tab)
*choose to "show hidden files and folders,"
*uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
*Close the window with ok
*All hidden files will now be visible


  • Reboot your system into safe mode for all OS

  • Close all windows and open HijackThis.
    • Click "scan only" in the main window
    • Put a checkmark beside the following entries and click "FIX checked".

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702
      R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702
      R3 - Default URLSearchHook is missing
      O2 - BHO: Class - {CAE597FF-4125-1680-10FC-D57418898CD3} - C:\WINDOWS\javags32.dll



  • Run CWShredder and choose FIX

  • Start AboutBuster and press START, and then OK. The program will start scanning. Please keep the About Buster log and post it in your next reply.

  • Doubleclick HomeSearchfix.reg to merge the info to the registry. You will be prompted to accept the merge, answer YES.

  • Using Windows Explorer, locate and DELETE the following files:

    C:\WINDOWS\system32\dgugf.dll
    C:\WINDOWS\javags32.dll


  • Reboot your system

  • After the reboot, Start AboutBuster AGAIN and scan AGAIN.

  • Clean temporary files:
    • Go > start > run and type cleanmgr and OK
    • Scan your system for files to remove.
    • Make sure Temporary Files, Temporary Internet Files and Recycle Bin are the only things checked.
    • Click OK to remove those files.
    • Click Yes to confirm deletion.



  • Download Ewido scan
    • Check for updates.
    • Let it do a full run.
    • Copy the log. Paste it into a blank Notepad file and save it to post here.


  • Finally, run HijackThis, click SCAN, produce a LOG and POST it, the EWIDOscan log, and the About Buster log in this thread for review.
Regards,

Trevuren

  • 0
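As an added example (not code from this thread, from HijackThis, or from any of the other tools Trevuren names), here is a small Python triage helper that reads HijackThis v1.99 log lines and flags the same kinds of entries the fix above targets: R0/R1 search-page values that point into a DLL through a res:// URL, the R3 "Default URLSearchHook is missing" line, an unnamed O2 BHO loaded straight out of the Windows directory, and O4 autoruns of the randomly named files listed in the Panda scan. The heuristics, the prefix list and the small allowlist are this example's own assumptions; the sample log lines are copied from the thread, except the `sysmm32` O4 line, which is constructed from a filename in the Panda list to exercise that rule.

```python
"""Triage helper for HijackThis v1.99 logs (added example; heuristics are assumptions)."""
import re

# Name prefixes seen in the Panda ActiveScan list (add, api, app, atl, cr, d3, ...),
# followed by two random letters, optional "32", and .exe/.dll. Heuristic only.
RANDOM_NAME = re.compile(
    r"^[A-Za-z]:\\WINDOWS\\(system32\\)?"
    r"(add|api|app|atl|cr|d3|ie|ip|java|mfc|ms|net|nt|sdk|sys|win)[a-z]{2}(32)?\.(exe|dll)$",
    re.IGNORECASE,
)
# Genuine Windows files that happen to match the pattern; extend before trusting output.
KNOWN_GOOD = {"winmm.dll"}

RES_URL = re.compile(r"res://[^/]+\.dll/", re.IGNORECASE)
# O2 - BHO: <name> - {CLSID} - <path>
BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
WINDOWS_ROOT_FILE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+$", re.IGNORECASE)
# O4 - <hive>\..\Run: [<label>] "<path>" <args>
O4_PATH = re.compile(
    r'^O4 - [^:]+: \[[^\]]*\] "?(?P<path>[A-Za-z]:\\[^"]+?\.(?:exe|dll))"?', re.IGNORECASE
)


def triage(log_text):
    """Return (reason, line) pairs for HijackThis entries that warrant a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(("R0 ", "R1 ")) and RES_URL.search(line):
            findings.append(("IE search/start page points into a DLL via res://", line))
        elif line.startswith("R3 ") and "URLSearchHook is missing" in line:
            findings.append(("default URLSearchHook removed (CWS-style hijack)", line))
        elif line.startswith("O2 "):
            m = BHO.match(line)
            if m:
                name, path = m.group("name").strip(), m.group("path").strip()
                if name in ("Class", "(no name)", "") and WINDOWS_ROOT_FILE.match(path):
                    findings.append(("unnamed BHO loaded from the Windows directory", line))
        elif line.startswith("O4 "):
            m = O4_PATH.match(line)
            if m and RANDOM_NAME.match(m.group("path")):
                findings.append(("autorun of a randomly named file in the Windows directory", line))
    return findings


def random_named_files(paths):
    """Filter a list of file paths (e.g. from a scanner report) down to suspicious random names."""
    return [
        p for p in paths
        if RANDOM_NAME.match(p) and p.rsplit("\\", 1)[-1].lower() not in KNOWN_GOOD
    ]


# Sample lines copied from the thread; the sysmm32 O4 line is constructed for this example.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.google.com.au
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Class - {CAE597FF-4125-1680-10FC-D57418898CD3} - C:\WINDOWS\javags32.dll
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [supervisor.exe] C:\WINDOWS\supervisor.exe
O4 - HKLM\..\Run: [sysmm32] C:\WINDOWS\sysmm32.exe
O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE
"""

# Constructed path list: three names from the Panda report plus two legitimate files.
SAMPLE_PATHS = [
    r"C:\WINDOWS\addde32.exe",
    r"C:\WINDOWS\system32\winmm.dll",
    r"C:\WINDOWS\notepad.exe",
    r"C:\WINDOWS\system32\sysvg32.exe",
    r"C:\WINDOWS\ujzmh.log",
]

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
    print("suspicious files:", random_named_files(SAMPLE_PATHS))
```

The output is a list to review, not a delete list: the random-name rule is a pattern match, so anything it flags should be checked against a known-good list (the `winmm.dll` entry shows why) before it is removed, exactly as the post above asks for logs to be reviewed first.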

#9
honkin

honkin

    New Member

  • Topic Starter
  • Member
  • 7 posts
OK, booted to safe mode and none of the 4 entries appear in the new Hijack This log. Did a search and found javags32.dll, but no sign of dgugf.dll. Found 1 reference to it in the registry and deleted it.

CWShredder has consistently found nothing and frankly I am not impressed with it, as others have continually found the CWS entries. About Buster is clear, HSFix.reg is done.

Ewido found 3 things in the Norton recycle bin and 1 in the Documents and Settings folder - all cleaned.

Rebooted, About Buster still clear, the 4 entries in Hijack This were still there, so I removed them manually and rebooted. Ran Hijack This and they are gone.

Ran cleanmgr and also emptied Norton Protected Recycle Bin.

Here are the Hijack This log and Ewido log.

Thanks for your help.

Logfile of HijackThis v1.99.1
Scan saved at 2:11:02 PM, on 17/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
e:\Program Files\ewido\security suite\ewidoctrl.exe
e:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
E:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
E:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\SOUNDMAN.EXE
E:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
E:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
E:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
e:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
E:\Program Files\Winamp\winampa.exe
C:\NOSPY.ORG\start1.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
E:\Program Files\PeerGuardian2\pg2.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
E:\Program Files\Nikon\NkView6\NkvMon.exe
E:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Wireless Device\Wireless Keyboard\osd.exe
E:\Program Files\SpamBayes\bin\sb_tray.exe
E:\Program Files\SpywareGuard\sgmain.exe
E:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
e:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.google.com.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com.au
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - e:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - e:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Norton Ghost 9.0] E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MimBoot] e:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "e:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AnyDVD] "e:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] e:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [STARTPAGE] C:\NOSPY.ORG\start1.exe
O4 - HKLM\..\Run: [ScriptSentry] e:\Script Sentry\ScriptSentry.exe /check
O4 - HKLM\..\Run: [THGuard] "E:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PeerGuardian] e:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [supervisor.exe] C:\WINDOWS\supervisor.exe
O4 - Startup: SpamBayes Tray Icon.lnk = E:\Program Files\SpamBayes\bin\sb_tray.exe
O4 - Startup: SpywareGuard.lnk = E:\Program Files\SpywareGuard\sgmain.exe
O4 - User Startup: SpamBayes Tray Icon.lnk = E:\Program Files\SpamBayes\bin\sb_tray.exe
O4 - User Startup: SpywareGuard.lnk = E:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Enable Wireless Keyboard Driver.lnk = C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
O4 - Global Startup: Enable Wireless Optical Mouse Driver.lnk = C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: NkvMon.exe.lnk = E:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download &this page with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addthis.htm
O8 - Extra context menu item: Download all &images with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addimg.htm
O8 - Extra context menu item: Download all &links with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addurl.htm
O8 - Extra context menu item: Download selected images with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addselimgs.htm
O8 - Extra context menu item: Download selected links with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addsellinks.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: WebCloner - {ADFCCE65-DF10-46fd-B04A-53CCBE2A0795} - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\WebCloner.exe
O9 - Extra 'Tools' menuitem: &WebCloner - {ADFCCE65-DF10-46fd-B04A-53CCBE2A0795} - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\WebCloner.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1131673724281
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - e:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - e:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Norton Ghost - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - E:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:00:25 PM, 17/11/2005
+ Report-Checksum: 6DEC7429

+ Scan result:

C:\RECYCLER\NPROTECT\00002017.dll -> Adware.SearchPage : Cleaned with backup
C:\RECYCLER\NPROTECT\00002018.dll -> Adware.SearchPage : Cleaned with backup
C:\RECYCLER\NPROTECT\00002019.dll -> Adware.SearchPage : Cleaned with backup
F:\Documents and Settings\Shane O'Sullivan\Local Settings\Temporary Internet Files\Content.IE5\K9ARS5UR\mm[2].js -> Spyware.Chitika : Cleaned with backup


::Report End

#10 Trevuren (Old Dog; Retired Staff; 18,699 posts)
Well Done :tazz:

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
  • First we need to make all files and folders VISIBLE:
    • Go to start>control panel>folder options>view (tab)
    • Choose to "show hidden files and folders,"
    • Uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
    • Close the window with ok
  • Please RUN HijackThis.
    • Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [WinampAgent] e:\Program Files\Winamp\winampa.exe


  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

  • Reboot Your System in Safe Mode

    How to use the F8 method to Start Your Computer in Safe Mode

    • Restart the computer.
    • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
    • Use the arrow keys to select the Safe mode menu item
    • Press Enter.
  • Using Windows Explorer, locate the following files/folders, and DELETE them (if they are present):

    e:\Program Files\Winamp\winampa.exe   <== Only this file

  • Exit Explorer, and REBOOT BACK INTO NORMAL MODE

  • Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum for a final check. I expect your log to be clear. Please advise me of any outstanding malware-related problems that you may have. If all is clear, we will proceed with the final cleanup procedures.
Regards,

Trevuren

Edited by Trevuren, 17 November 2005 - 12:27 AM.
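The bookkeeping behind a fix list like the one above, as an added example that is not part of this thread or of HijackThis itself: a small Python parser for HijackThis-style O2/O4/O23 log lines, followed by three triage heuristics (an executable sitting directly in the Windows folder rather than a subfolder, a Run value that is a bare filename with no directory, and a service whose vendor HijackThis reports as "Unknown owner"). The sample lines are constructed to match the log format; the `loader` value name and `example32.exe` are placeholders, not identifiers from the thread, and the heuristics are assumptions chosen for illustration.

```python
"""Parse HijackThis-style log lines and flag entries worth a second look.

Added example, not code from the thread or from HijackThis. The heuristics
below produce leads, not verdicts: SoundMan and ATI Smart in the sample are
legitimate and still get flagged, which is why helpers check each entry
against a known-good list before telling anyone to "fix" it.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample modelled on the O2/O4/O23 formats in the posted logs.
# "loader" / example32.exe are hypothetical placeholders.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [loader] C:\WINDOWS\example32.exe
O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""


@dataclass
class Entry:
    section: str                 # "O2", "O4" or "O23"
    name: str                    # Run value name, BHO name or service name
    path: str                    # executable/DLL path as written in the log
    owner: Optional[str] = None  # O23 only: vendor string HijackThis printed
    clsid: Optional[str] = None  # O2 only
    raw: str = ""


# One regex per line shape seen in the logs; O4 comes in Run and Startup forms.
_O4_RUN = re.compile(r"^O4 - (?P<hive>\S.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
_O4_STARTUP = re.compile(r"^O4 - (?P<kind>(?:User |Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")
_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
_O2 = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
# First token ending in an executable extension, so "/STARTUP"-style args drop off.
_EXE = re.compile(r"^(?P<p>.*?\.(?:exe|dll|com|scr|bat|cmd))(?:\s|$)", re.IGNORECASE)
# Drive root + Windows folder + a single filename, i.e. no subfolder.
_WINDOWS_ROOT = re.compile(r"^[A-Za-z]:\\windows\\[^\\]+$", re.IGNORECASE)


def executable(cmd: str) -> str:
    """Extract the program path from a Run command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = _EXE.match(cmd)
    return m.group("p") if m else cmd.split()[0]


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a recognised O2/O4/O23 line, else None."""
    line = line.strip()
    m = _O4_RUN.match(line) or _O4_STARTUP.match(line)
    if m:
        return Entry("O4", m["name"], executable(m["cmd"]), raw=line)
    m = _O23.match(line)
    if m:
        return Entry("O23", m["name"], m["path"].strip(), owner=m["owner"], raw=line)
    m = _O2.match(line)
    if m:
        return Entry("O2", m["name"], m["path"].strip(), clsid=m["clsid"], raw=line)
    return None


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def suspicious(entry: Entry) -> List[str]:
    """Triage heuristics (assumptions for illustration, not a malware verdict)."""
    reasons = []
    if "\\" not in entry.path:
        reasons.append("bare filename, resolved through the search path")
    elif _WINDOWS_ROOT.match(entry.path):
        reasons.append("executable sits directly in the Windows folder")
    if entry.section == "O23" and entry.owner == "Unknown owner":
        reasons.append("service has no identified vendor")
    return reasons


def triage(text: str) -> List[Tuple[Entry, List[str]]]:
    """All parsed entries that trip at least one heuristic, with the reasons."""
    return [(e, suspicious(e)) for e in parse_log(text) if suspicious(e)]


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(f"{entry.section:<4}{entry.name:<12} {entry.path}")
        for r in reasons:
            print("      -", r)
```

Run it as a script to see the flagged entries from the constructed sample; feed `triage()` the text of a real log to get the same lead list, then verify each lead by vendor and file location rather than removing it on the heuristic alone.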


#11 honkin (Topic Starter; New Member; 7 posts)
Thanks heaps, dude. These things aren't dangerous, but boy do they piss you off.

I have followed advice found on this site to tighten my security regarding future attacks. All I did was browse to a website, for god's sake. An area that should be sacrosanct.

Oh, I know they're creative and clever little buggers who write these malicious codes, but I think if you ever met someone who told you they wrote virii and malware etc, you'd take a rather large stick to their head.

Here is the HJT log, and thanks again for your help.

Logfile of HijackThis v1.99.1
Scan saved at 8:47:24 AM, on 18/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
e:\Program Files\ewido\security suite\ewidoctrl.exe
e:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
E:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
E:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\SOUNDMAN.EXE
E:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
E:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
E:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\NOSPY.ORG\start1.exe
e:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
E:\Program Files\PeerGuardian2\pg2.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Wireless Device\Wireless Keyboard\osd.exe
E:\Program Files\Nikon\NkView6\NkvMon.exe
E:\Program Files\WinZip\WZQKPICK.EXE
E:\Program Files\SpamBayes\bin\sb_tray.exe
E:\Program Files\SpywareGuard\sgmain.exe
E:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.google.com.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com.au
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - e:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - e:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Norton Ghost 9.0] E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MimBoot] e:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "e:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AnyDVD] "e:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [STARTPAGE] C:\NOSPY.ORG\start1.exe
O4 - HKLM\..\Run: [ScriptSentry] e:\Script Sentry\ScriptSentry.exe /check
O4 - HKLM\..\Run: [THGuard] "E:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PeerGuardian] e:\Program Files\PeerGuardian2\pg2.exe
O4 - Startup: SpamBayes Tray Icon.lnk = E:\Program Files\SpamBayes\bin\sb_tray.exe
O4 - Startup: SpywareGuard.lnk = E:\Program Files\SpywareGuard\sgmain.exe
O4 - User Startup: SpamBayes Tray Icon.lnk = E:\Program Files\SpamBayes\bin\sb_tray.exe
O4 - User Startup: SpywareGuard.lnk = E:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Enable Wireless Keyboard Driver.lnk = C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
O4 - Global Startup: Enable Wireless Optical Mouse Driver.lnk = C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: NkvMon.exe.lnk = E:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download &this page with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addthis.htm
O8 - Extra context menu item: Download all &images with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addimg.htm
O8 - Extra context menu item: Download all &links with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addurl.htm
O8 - Extra context menu item: Download selected images with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addselimgs.htm
O8 - Extra context menu item: Download selected links with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addsellinks.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: WebCloner - {ADFCCE65-DF10-46fd-B04A-53CCBE2A0795} - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\WebCloner.exe
O9 - Extra 'Tools' menuitem: &WebCloner - {ADFCCE65-DF10-46fd-B04A-53CCBE2A0795} - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\WebCloner.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1131673724281
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - e:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - e:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Norton Ghost - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - E:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#12 Trevuren (Old Dog; Retired Staff; 18,699 posts)
Congratulations, your log shows that your SYSTEM IS CLEAN

There are a few things you must do once you are completely clean:

1. Re-hide your System Files and Folders to prevent any future accidents.

Reconfigure Windows XP to hide hidden files:
  • Click Start. Open My Computer.
  • Select the Tools menu and click Folder Options. Select the View Tab.
  • Under the Hidden files and folders heading deselect "Show hidden files and folders".
  • Check the "Hide protected operating system files (recommended)" option.
  • Click Yes to confirm. Click OK.
2. Reset and Re-enable your System Restore to remove bad files from the backup that Windows makes as no program is able to clean those files:

TO DISABLE SYSTEM RESTORE
  • Right-click "My Computer", and then left click "Properties".
  • Left click on "System Restore Tab"
  • Check box beside "Turn Off System Restore"
  • Left click on "Apply"
TO ENABLE SYSTEM RESTORE
  • Remove check mark from "Turn Off System Restore"
  • Click on "Apply"

3. Preventive measures:

Please read and follow this advice by TonyKlein on how to reduce the potential for spyware infection in the future:

How Did I Get Infected in the First Place


Regards,

Trevuren


#13 Trevuren (Old Dog; Retired Staff; 18,699 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.