Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

spyaxe in my tool bar, help! [resolved]

Started by tage , Nov 15 2005 09:19 AM

This topic is locked

#1
tage

Posted 15 November 2005 - 09:19 AM

Member

Member
13 posts

hi there. am having a bit of trouble with what i think is spyware. i have security alerts that have appeared in my tool bar that are trying to send me to an anti spyware program called spyaxe. i have fully up to date versions of avg, spyware blaster and spy bot search and destroy but they can't seem to find anything. a friend suggested i try hijack this, so here's my log! thanks very much for your help :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 15:00:31, on 15/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\BT Yahoo! Internet\ModemLock.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BT Yahoo! Internet\Watchdog.exe
C:\WINDOWS\System32\mssearchnet.exe
C:\WINDOWS\StartupMonitor.exe
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\IC Media Corp\ICM532\Launchpad.exe
C:\WINDOWS\system32\nvctrl.exe
C:\Program Files\SlimBrowser\sbrowser.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.btopenworld.com/searchpane
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.btopenworld.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.btopenworld.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://morwillsearch...id=fish&sub_id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://morwillsearch...id=fish&sub_id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: HomepageBHO - {7288c0bd-7f2f-4229-a0c4-3c90a6e2a881} - C:\WINDOWS\System32\hp6969.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BTopenworld] "c:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Launchpad.lnk = ?
O4 - Global Startup: Microsoft Windows.hta
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
O15 - Trusted Zone: *.morwillsearch.com
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://morwillsearch.com/mwsearch.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btin...bcontrol024.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{438014BD-87FA-46CE-9A88-33E9CAA9B439}: NameServer = 213.1.119.97 213.1.119.98
O17 - HKLM\System\CS1\Services\Tcpip\..\{438014BD-87FA-46CE-9A88-33E9CAA9B439}: NameServer = 213.1.119.97 213.1.119.98
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BT Modem Lock - British Telecommunications plc - C:\Program Files\BT Yahoo! Internet\ModemLock.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)

apologies if i've entered this all wrong. i'm a little slow when it comes to computers :$

#2
g2i2r4

Posted 16 November 2005 - 07:27 AM

retired HiJack Helper

Retired Staff
5,080 posts

Welcome tage to Geeks to Go!

Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop! We will need the file later.
Be sure to follow ALL instructions!

***

Go to Start > Run and type in Services.msc then click OK

Click the Extended tab.

Scroll down until you find the service:
ISEXEng

Click once on the service to highlight it.

Click Stop

Right-Click on the service.

Click on 'Properties'

Select the 'General' tab

Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box

From the drop-down menu, click on 'Disabled'

Click the 'Apply' tab, then click 'OK'

The service is now stopped and disabled.

***

Please download noahdfear's smitRem.exe©. Save the file to your desktop. Double click on the file to extract it to it's own folder on the desktop.

***

Please download the trial version of ewido security suite.Install ewido security suite
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

Launch ewido, there should be an icon on your desktop double-click it.
The program will prompt you to update click the OK button

The program will now go to the main screen
You will need to update ewido to the latest definition files.On the left hand side of the main screen click update
Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed, close Ewido for now.

***

If you have not already installed Ad-Aware SE 1.06, please download and install AdAware SE 1.06.
Check Here on how setup and use it - please make sure you update it first.

***

Download the Killbox.
Unzip it to the desktop

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each

C:\WINDOWS\System32\angelex.exe

For these file, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.

If your computer does not restart automatically, please restart it manually.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

***

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://morwillsearch...id=fish&sub_id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://morwillsearch...id=fish&sub_id=

O15 - Trusted Zone: *.morwillsearch.com

O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://morwillsearch.com/mwsearch.cab

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

***

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed.
Post me the contents of the smitfiles.txt log as you post back.

***

Open Ad-aware and do a full scan. Remove all it finds.

***

Now open Ewido Security Suite:* Click on scanner
* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop
Reboot your computer.

***

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

***

Reboot back into Windows

Post a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.

#3
tage

Posted 16 November 2005 - 09:58 AM

Member

Topic Starter
Member
13 posts

ok been following the instructions but have come across a few problems which i've listed below!

1) killbox is telling me that the file C:\WINDOWS\System32\angelex.exe does not exist. this is possibly due to after me posting my hijack this list a friend of mine had look and may well of deleted it.

2) i am unable to run my computer in safe mode as every time i try it resets itself before i can enter my password.

anymore ideas, thanks for the help so far :tazz:

Edited by tage, 16 November 2005 - 10:03 AM.

#4
g2i2r4

Posted 16 November 2005 - 01:01 PM

retired HiJack Helper

Retired Staff
5,080 posts

See if you can do it in normal mode.

#5
tage

Posted 17 November 2005 - 02:19 PM

Member

Topic Starter
Member
13 posts

ok have followed all the instructions and so far so good. it seems to have done the job so thanks very much :tazz:

here's my logs and what not.

hijack this

Logfile of HijackThis v1.99.1
Scan saved at 20:12:22, on 17/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\BT Yahoo! Internet\ModemLock.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BT Yahoo! Internet\Watchdog.exe
C:\WINDOWS\System32\nvctrl.exe
C:\WINDOWS\System32\mssearchnet.exe
C:\WINDOWS\StartupMonitor.exe
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\IC Media Corp\ICM532\Launchpad.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.btopenworld.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.btopenworld.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: HomepageBHO - {7288c0bd-7f2f-4229-a0c4-3c90a6e2a881} - C:\WINDOWS\System32\hp6C97.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Launchpad.lnk = ?
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btin...bcontrol024.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BT Modem Lock - British Telecommunications plc - C:\Program Files\BT Yahoo! Internet\ModemLock.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 20:05:36, 17/11/2005
+ Report-Checksum: C81BBED5

+ Scan result:

HKLM\SOFTWARE\Classes\IETLBAss.DOMP -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\IETLBAss.DOMP\CLSID -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\IETLBAss.DOMP\CLSID\\ -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\IETLBAss.DOMP\CurVer -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\IETLBAss.DOMP.1 -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\IETLBAss.DOMP.1\CLSID\\ -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\MWSearch.StockBar\CLSID\\ -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Classes\MWSearch.StockBar.1\CLSID\\ -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Classes\MWSearch.tbactivator\CLSID\\ -> Spyware.ZToolbar : Cleaned with backup
HKLM\SOFTWARE\Classes\MWSearch.tbactivator.1\CLSID\\ -> Spyware.ZToolbar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\ISEXEng -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\ISEXEng\Security -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\ISEXEng\Enum -> Spyware.BargainBuddy : Cleaned with backup
[1820] C:\WINDOWS\System32\svchosts.dll -> Not-A-Virus.Downloader.Win32.Spax.a : Cleaned with backup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Windows.hta -> TrojanDropper.Inor.cj : Cleaned with backup
C:\Documents and Settings\Tage\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Tage\Cookies\[email protected][1].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
C:\ntdetect.hta -> TrojanDropper.Inor.cj : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\dba1380.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\system32\svchosts.dll -> Not-A-Virus.Downloader.Win32.Spax.a : Cleaned with backup

::Report End

smitRem © log file
version 2.7

by noahdfear

Microsoft Windows XP [Version 5.1.2600]
The current date is: 17/11/2005
The current time is: 19:30:19.73

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key

PSGuard.com key not present!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

Online Security Center.url

~~~ Favorites ~~~

Antivirus Test Online.url

~~~ system32 folder ~~~

msvol.tlb
ld****.tmp
mssearchnet.exe
ncompat.tlb
nvctrl.exe
mscornet.exe
hp***.tmp

~~~ Icons in System32 ~~~

ts.ico
ot.ico

~~~ Windows directory ~~~

Again thank you very much for the help. really appreciated

#6
g2i2r4

Posted 18 November 2005 - 08:36 AM

retired HiJack Helper

Retired Staff
5,080 posts

Believe me, looking at the log, we're not done yet.

Please see if you can run the runthis.bat in save mode now.

Remove the c:\windows\1024 folder if it exists.

Reboot to normal mode and post me the entire content of the smitfiles.txt please.

#7
tage

Posted 18 November 2005 - 12:25 PM

Member

Topic Starter
Member
13 posts

still won't run in safe mode so i ran it in normal mode these are the results.

smitRem © log file
version 2.7

by noahdfear

Microsoft Windows XP [Version 5.1.2600]
The current date is: 18/11/2005
The current time is: 18:11:58.23

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key

PSGuard.com key not present!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

ld****.tmp
mssearchnet.exe
ncompat.tlb
nvctrl.exe
mscornet.exe
hp***.tmp

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

ld****.tmp
mssearchnet.exe
ncompat.tlb
nvctrl.exe
mscornet.exe
hp***.tmp

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

CLEAN! :tazz:

when you say remove the file, which program should i be using?

#8
g2i2r4

Posted 18 November 2005 - 02:46 PM

retired HiJack Helper

Retired Staff
5,080 posts

Use Windows Explorer to remove the folder 1024.

I'll consult the creator of the tool (the real expert on this infection) and the team to see what to do to remove the infection fully.

#9
g2i2r4

Posted 18 November 2005 - 03:21 PM

retired HiJack Helper

Retired Staff
5,080 posts

Miekiemoes advised us to remove the files and rerun the tool after that. Thank you Miekiemoes :tazz:

Let's do it:

Download CleanUp!.
If that doesn’t work, use this link.
Here is a tutorial which describes its usage:
http://www.bleepingc...tutorial93.html

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options"
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Scan local drives for temporary files
Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.

Once it's done, press Close. Don't reboot yet.

***

Download the Killbox version 2.0.0.473 .
Unzip it to the desktop

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each

C:\WINDOWS\System32\mssearchnet.exe
C:\WINDOWS\System32\ncompat.tlb
C:\WINDOWS\System32\nvctrl.exe
C:\WINDOWS\System32\mscornet.exe

For these files, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.
Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

***

Rerun runthis.bat and post me the new smitfiles.txt and a fresh HijackThis log to check.

#10
tage

Posted 19 November 2005 - 06:29 AM

Member

Topic Starter
Member
13 posts

windows won't let me delete the file 1024 a message pops up saying "Cannot delete file: Cannot read from the source file or disk"

but ill carry on with your other instructions though :tazz:

#11
tage

Posted 19 November 2005 - 07:09 AM

Member

Topic Starter
Member
13 posts

right i've followed your instructions and these are my latest logs :tazz:

smitRem © log file
version 2.7

by noahdfear

Microsoft Windows XP [Version 5.1.2600]
The current date is: 19/11/2005
The current time is: 13:03:36.69

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key

PSGuard.com key not present!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

CLEAN!

Logfile of HijackThis v1.99.1
Scan saved at 13:08:45, on 19/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\BT Yahoo! Internet\ModemLock.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\BT Yahoo! Internet\Watchdog.exe
C:\WINDOWS\StartupMonitor.exe
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\IC Media Corp\ICM532\Launchpad.exe
C:\WINDOWS\system32\cleanmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\SlimBrowser\sbrowser.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.btopenworld.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.btopenworld.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: HomepageBHO - {7caf96a2-c556-460a-988e-76fc7895d284} - C:\WINDOWS\System32\hpCE5C.tmp (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Launchpad.lnk = ?
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btin...bcontrol024.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{438014BD-87FA-46CE-9A88-33E9CAA9B439}: NameServer = 213.1.119.99 213.1.119.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{438014BD-87FA-46CE-9A88-33E9CAA9B439}: NameServer = 213.1.119.99 213.1.119.100
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BT Modem Lock - British Telecommunications plc - C:\Program Files\BT Yahoo! Internet\ModemLock.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

#12
g2i2r4

Posted 19 November 2005 - 08:06 AM

retired HiJack Helper

Retired Staff
5,080 posts

Can you reboot and post me a fresh HijackThis log?

#13
tage

Posted 19 November 2005 - 02:58 PM

Member

Topic Starter
Member
13 posts

yep sure, here it is.

Logfile of HijackThis v1.99.1
Scan saved at 20:53:12, on 19/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\BT Yahoo! Internet\ModemLock.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BT Yahoo! Internet\Watchdog.exe
C:\WINDOWS\StartupMonitor.exe
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\IC Media Corp\ICM532\Launchpad.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.btopenworld.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.btopenworld.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: HomepageBHO - {7caf96a2-c556-460a-988e-76fc7895d284} - C:\WINDOWS\System32\hpCE5C.tmp (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Launchpad.lnk = ?
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btin...bcontrol024.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BT Modem Lock - British Telecommunications plc - C:\Program Files\BT Yahoo! Internet\ModemLock.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

#14
g2i2r4

Posted 20 November 2005 - 09:05 AM

retired HiJack Helper

Retired Staff
5,080 posts

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

O2 - BHO: HomepageBHO - {7caf96a2-c556-460a-988e-76fc7895d284} - C:\WINDOWS\System32\hpCE5C.tmp (file missing)

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

Reboot the computer.

Is the computer running ok?
If so, shall I post you some tips for the future and close this topic?