malware help [CLOSED]


  • This topic is locked

#1 cocobunnylove (New Member, 3 posts)
I did everything up to posting this. The steps helped to fix some problems, but the major one I still see is the SpyAxe that says 'your computer is infected!' and the alerts for spyware programs running. Here is the HijackThis log and thanks in advance for any help.

Logfile of HijackThis v1.99.1
Scan saved at 2:10:02 AM, on 11/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\sstray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\Silicon Image\Java SATARaid\SiITray.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Perry\Desktop\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R3 - URLSearchHook: (no name) - _{EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: HomepageBHO - {7caf96a2-c556-460a-988e-76fc7895d284} - C:\WINDOWS\system32\hp1AB3.tmp
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O4 - HKLM\..\Run: [zclsnqf] C:\WINDOWS\zclsnqf.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124258143\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [BJPD HID Control] C:\Program Files\Canon\BJPV\TVMon.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKLM\..\Run: [0ll6i5oe] C:\WINDOWS\system32\0ll6i5oe.exe
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Java SATARaid.lnk = C:\Program Files\Silicon Image\Java SATARaid\run.bat
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\Ers_src.htm
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c8.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.1.1.74.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1127335627390
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF06F178-C40F-405C-9F45-24616B38EF35}: NameServer = 151.164.1.8,206.13.28.12
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
#2 Trevuren (Old Dog, Retired Staff, 18,699 posts)
Hi cocobunnylove and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.


A. 1. Download the following self-extracting file smitRem.exe and save the file to your DESKTOP.
  • Double click the Smitrem.exe icon on your Desktop.
  • Then click Run>Start and a Smitrem folder will appear on your desktop also.



2. Place a shortcut to Panda ActiveScan on your desktop.


3. Download the trial version of Ewido Security Suite


4. Install Ad-Aware SE 1.06, follow these download and setup instructions.
5. REBOOT your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.

6. Now open HJT, click SCAN and place a checkmark next to each of the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R3 - URLSearchHook: (no name) - _{EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: HomepageBHO - {7caf96a2-c556-460a-988e-76fc7895d284} - C:\WINDOWS\system32\hp1AB3.tmp
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O4 - HKLM\..\Run: [zclsnqf] C:\WINDOWS\zclsnqf.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [0ll6i5oe] C:\WINDOWS\system32\0ll6i5oe.exe
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c8.cab



7. Click the Fix Checked box and EXIT HJT


8. Using Windows Explorer, please locate and DELETE the following files/folders (with all their content), if they are still present:

C:\WINDOWS\system32\mssearchnet.exe
C:\Program Files\Viewpoint<==Folder
C:\WINDOWS\system32\hp1AB3.tmp
C:\WINDOWS\zclsnqf.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\0ll6i5oe.exe
C:\Program Files\SpyAxe



9. Open the smitRem folder
  • Double click the RunThis.bat file to start the tool.
  • Follow the prompts on screen.
  • Wait for the tool to complete and disk cleanup to finish.
  • NOTE:The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed.
  • Please post that log along with all others requested in your next reply.

10. Open Ad-aware and do a full scan. Let it remove all it finds.


11. Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
  • Close Ewido

12. Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.


13. REBOOT back into Normal Mode


14. Click the Panda ActiveScan shortcut
  • Do a full system scan.
  • Make sure the autoclean box is checked!

15. Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.



B. Please download SpyAxeFix.exe © noahdfear and save it to your desktop.
  • Close all other programs and windows.
  • Double click SpyAxeFix.exe
  • Then click Start to extract the tool to its own folder.
  • Open the SpyAxeFix folder
  • Double click the SpyAxeFix.bat to start the tool.
  • At one point when the tool runs, your taskbar will disappear (this is normal)
  • Your computer will restart when the tool completes.
  • A text file named spyaxe.txt will be created in the SpyAxeFix folder.
  • Please post the contents of that log.

C. In summary, here is the list of reports that I need you to post in your next reply:
  • smitfiles.txt
  • Ewido.log
  • Hjt log
  • Panda Active Scan log
  • spyaxe.txt
Regards,

Trevuren

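The triage in the post above is done by eye: pick out the HijackThis entries that look wrong, fix them, then ask for a fresh log to confirm they are gone. The script below is an added example (it is not part of this thread, nor a HijackThis feature) that mechanises the two halves of that work: it parses HijackThis v1.99 entry lines, flags entries on structural hints that are visible in the log text itself (an IE hook whose image is missing or is a .tmp file, a Run entry executing straight out of C:\WINDOWS or a digit-bearing name in system32, an ActiveX download with no registered description, a start/search page on a host the owner did not choose), and diffs the pre-fix log against the post-fix log. The embedded samples are constructed subsets of the two logs posted in this thread; the TRUSTED_HOSTS and KNOWN_ROGUES lists are analyst-supplied assumptions for the example, not anything HijackThis ships.

```python
"""Triage helper for HijackThis v1.99 logs (added example, not part of the
thread or of HijackThis): parse entry lines, flag structural indicators,
and diff the pre-fix log against the post-fix log the helper asked for."""
from __future__ import annotations
import re

# Entry lines look like "O4 - HKLM\..\Run: [name] C:\path\file.exe args"
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")

# Analyst-supplied lists (assumptions for this example): start/search hosts
# the owner set on purpose, and rogue names already identified in the thread.
TRUSTED_HOSTS = {"yahoo.sbc.com"}
KNOWN_ROGUES = {"spyaxe"}

# Constructed samples: subsets of the two logs posted in this thread.
PRE_FIX = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: HomepageBHO - {7caf96a2-c556-460a-988e-76fc7895d284} - C:\WINDOWS\system32\hp1AB3.tmp
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O4 - HKLM\..\Run: [zclsnqf] C:\WINDOWS\zclsnqf.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [0ll6i5oe] C:\WINDOWS\system32\0ll6i5oe.exe
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c8.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
"""
POST_FIX = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
"""


def parse(log: str) -> list[tuple[str, str]]:
    """Split a log into (section, body) pairs; header and process-list lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def reasons_for(section: str, body: str) -> list[str]:
    """Structural hints only; a flagged entry still needs a human verdict."""
    reasons = []
    low = body.lower()
    if section in ("R0", "R1"):
        m = re.search(r"https?://([^/\s]+)", low)
        if m and m.group(1) not in TRUSTED_HOSTS:
            reasons.append(f"IE start/search page points at untrusted host {m.group(1)}")
    if section in ("R3", "O2", "O3") and ("(no file)" in low or low.endswith(".tmp")):
        reasons.append("IE hook whose image is missing or is a .tmp file")
    if section == "O4":
        name = re.search(r"\[([^\]]+)\]", body)
        img = re.search(r'\]\s+"?([a-z]:\\[^"]*?\.exe)', body, re.I)
        if name and name.group(1).lower() in KNOWN_ROGUES:
            reasons.append(f"Run value '{name.group(1)}' is a known rogue name")
        if img:
            path = img.group(1).lower()
            base = path.rsplit("\\", 1)[-1]
            if re.fullmatch(r"c:\\windows\\[^\\]+\.exe", path):
                reasons.append("Run image sits directly in C:\\WINDOWS")
            elif re.fullmatch(r"c:\\windows\\system32\\[^\\]+\.exe", path) and re.search(r"\d", base):
                reasons.append("Run image is a digit-bearing name in system32")
    if section == "O16" and not re.match(r"DPF: \{[^}]+\} \(", body):
        reasons.append("ActiveX download (DPF) with no registered description")
    return reasons


def flag(log: str) -> list[tuple[str, list[str]]]:
    """Return the entries of a log that carry at least one indicator."""
    out = []
    for sec, body in parse(log):
        why = reasons_for(sec, body)
        if why:
            out.append((f"{sec} - {body}", why))
    return out


def diff_logs(before: str, after: str) -> dict[str, list[str]]:
    """Entries that disappeared after the fix, and entries that are new
    (re-infection, or a tool's own additions). Entry text is compared exactly."""
    b = {f"{s} - {t}" for s, t in parse(before)}
    a = {f"{s} - {t}" for s, t in parse(after)}
    return {"removed": sorted(b - a), "added": sorted(a - b)}


if __name__ == "__main__":
    for line, why in flag(PRE_FIX):
        print(line, "\n   ->", "; ".join(why))
    d = diff_logs(PRE_FIX, POST_FIX)
    print(f"\n{len(d['removed'])} removed, {len(d['added'])} new, "
          f"still flagged after fix: {len(flag(POST_FIX))}")
```

The flags are hints, not verdicts: a bare image name such as SOUNDMAN.EXE is neither flagged nor cleared, and a rogue installed under Program Files with a plausible name is only caught because the analyst already put it on the list, which is exactly the knowledge the helper applies by hand. The diff is the part worth automating, since "removed" confirms the Fix Checked step took, and a non-empty "added" on the second log is the earliest sign that something re-created itself after the reboot.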

#3 cocobunnylove (Topic Starter, New Member, 3 posts)
Thanks for all your help. The SpyAxe problem is no more, as well as some other fixes. Here are the 5 logs you requested, please let me know if I need to take care of any more potential problems I haven't yet experienced. Thanks again for all your help:


smitRem © log file
version 2.7

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Sat 11/26/2005
The current time is: 14:05:47.51

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Online Security Center.url


~~~ Favorites ~~~



~~~ system32 folder ~~~

1024 dir
msvol.tlb
ld****.tmp
ncompat.tlb
nvctrl.exe
mscornet.exe


~~~ Icons in System32 ~~~

ts.ico
ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :tazz:



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:53:43 PM, 11/26/2005
+ Report-Checksum: AB7BB07D

+ Scan result:

No infected objects found.


::Report End



Logfile of HijackThis v1.99.1
Scan saved at 6:59:37 PM, on 11/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\sstray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\javaw.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Silicon Image\Java SATARaid\SiITray.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Perry\Desktop\hijack\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124258143\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [BJPD HID Control] C:\Program Files\Canon\BJPV\TVMon.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Java SATARaid.lnk = C:\Program Files\Silicon Image\Java SATARaid\run.bat
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\Ers_src.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.1.1.74.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1127335627390
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF06F178-C40F-405C-9F45-24616B38EF35}: NameServer = 151.164.1.8,206.13.28.12
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe



Incident Status Location

Adware:Adware/SpyAxe Not disinfected C:\WINDOWS\system32\svchosts.dll
Adware:adware/ezula Not disinfected C:\WINDOWS\SYSTEM32\ezPopStub.exe
Adware:adware/spyaxe Not disinfected C:\WINDOWS\SYSTEM32\svchosts.dll
Adware:adware/antivirus-gold Not disinfected Windows Registry
Adware:Adware/Findspy Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-57cd60ac-1a82934b.class
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-228d5c98-18e37ef9.zip[a.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-228d5c98-18e37ef9.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-228d5c98-18e37ef9.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-1e6e3e2d-3a0f3e05.zip[BlackBox.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-1e6e3e2d-3a0f3e05.zip[VB.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-1e6e3e2d-3a0f3e05.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-1e6e3e2d-3a0f3e05.zip[Beyond.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-22a63c8b-4231a749.zip[BlackBox.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-22a63c8b-4231a749.zip[VB.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-22a63c8b-4231a749.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-22a63c8b-4231a749.zip[Beyond.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2c7604b9-105f0b4c.zip[BlackBox.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2c7604b9-105f0b4c.zip[VB.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2c7604b9-105f0b4c.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2c7604b9-105f0b4c.zip[Beyond.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3138c7ae-584064c3.zip[BlackBox.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3138c7ae-584064c3.zip[VB.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3138c7ae-584064c3.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3138c7ae-584064c3.zip[Beyond.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-44eca4b9-624c1788.zip[BlackBox.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-44eca4b9-624c1788.zip[VB.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-44eca4b9-624c1788.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-44eca4b9-624c1788.zip[Beyond.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4cef5710-33b9ffea.zip[BlackBox.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4cef5710-33b9ffea.zip[VB.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4cef5710-33b9ffea.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4cef5710-33b9ffea.zip[Beyond.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-5058255e-34f97e0f.zip[BlackBox.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-5058255e-34f97e0f.zip[VB.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-5058255e-34f97e0f.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-5058255e-34f97e0f.zip[Beyond.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-583cd6bc-22add9c5.zip[BlackBox.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-583cd6bc-22add9c5.zip[VB.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-583cd6bc-22add9c5.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-583cd6bc-22add9c5.zip[Beyond.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-5b5cf5ad-567a6013.zip[BlackBox.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-5b5cf5ad-567a6013.zip[VB.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-5b5cf5ad-567a6013.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-5b5cf5ad-567a6013.zip[Beyond.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-656840da-6a7fd7a9.zip[BlackBox.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-656840da-6a7fd7a9.zip[VB.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-656840da-6a7fd7a9.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-656840da-6a7fd7a9.zip[Beyond.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6759854-72056e6d.zip[BlackBox.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6759854-72056e6d.zip[VB.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6759854-72056e6d.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6759854-72056e6d.zip[Beyond.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6eb5530e-69c8f0b1.zip[BlackBox.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6eb5530e-69c8f0b1.zip[VB.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6eb5530e-69c8f0b1.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6eb5530e-69c8f0b1.zip[Beyond.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-75cf5087-31cf143c.zip[BlackBox.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-75cf5087-31cf143c.zip[VB.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-75cf5087-31cf143c.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-75cf5087-31cf143c.zip[Beyond.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-76f8dd98-1066fd86.zip[BlackBox.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-76f8dd98-1066fd86.zip[VB.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-76f8dd98-1066fd86.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-76f8dd98-1066fd86.zip[Beyond.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-dc92043-718bf65c.zip[Jvb.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1908c9ec-3c56b408.zip[GetAccess.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1908c9ec-3c56b408.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1908c9ec-3c56b408.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1908c9ec-3c56b408.zip[Installer.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1cf39f94-2c92d454.zip[GetAccess.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1cf39f94-2c92d454.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1cf39f94-2c92d454.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1cf39f94-2c92d454.zip[Installer.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-6d5b1513.zip[GetAccess.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-6d5b1513.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-6d5b1513.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-6d5b1513.zip[Installer.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-793fe9c2-29bd1783.zip[GetAccess.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-793fe9c2-29bd1783.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-793fe9c2-29bd1783.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-793fe9c2-29bd1783.zip[Installer.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-93c2850-709b4fe7.zip[GetAccess.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-93c2850-709b4fe7.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-93c2850-709b4fe7.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-93c2850-709b4fe7.zip[Installer.class]
Virus:Trj/ClassLoader.J Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-2a1f473-78d77367.zip[Beyond.class]
Virus:Trj/ClassLoader.J Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-2a1f473-78d77367.zip[BlackBox.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-2a1f473-78d77367.zip[Dummy.class]
Virus:Trj/ClassLoader.J Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-2a1f473-78d77367.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-5a82fcd8-35ec6bbc.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-7e53dfc1.zip[GetAccess.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-7e53dfc1.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-7e53dfc1.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-7e53dfc1.zip[Installer.class]
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\inf\bi8.inf
Adware:Adware/eZula Not disinfected C:\WINDOWS\system32\ezPopStub.exe
Adware:Adware/SpyAxe Not disinfected C:\WINDOWS\system32\svchosts.dll


SpyAxeFix © by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Sat 11/26/2005
The current time is: 18:53:40.64




Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1720 'explorer.exe'


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe

svchosts.dll present

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"



Thanks again!
  • 0
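The ActiveScan listing above reports one line per detection, which makes the infection look larger than its on-disk footprint: most of the hits are class files inside a handful of cached applet archives under the Java plug-in's Deployment\cache directory, plus three loose adware files. The parser below is an added example (not part of this thread or of Panda's tooling) that reads that "Category:Name Status Target[member]" format and groups the hits by container; the sample input is a subset of the lines posted above, copied verbatim.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: six result lines copied from the Panda ActiveScan
# output posted above (two of the Java-cache hits, one ClassLoader hit and the
# three adware files), so the parser can be exercised offline.
SAMPLE_RESULTS = r"""
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-76f8dd98-1066fd86.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-76f8dd98-1066fd86.zip[Beyond.class]
Virus:Trj/ClassLoader.J Not disinfected C:\Documents and Settings\Perry\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-2a1f473-78d77367.zip[VerifierBug.class]
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\inf\bi8.inf
Adware:Adware/eZula Not disinfected C:\WINDOWS\system32\ezPopStub.exe
Adware:Adware/SpyAxe Not disinfected C:\WINDOWS\system32\svchosts.dll
"""

# "<Category>:<Name> <Status> <Target>"; "Not disinfected" is the status seen
# in this thread, the other values are assumed alternatives for completeness.
RESULT_RE = re.compile(
    r"^(?P<category>\w+):(?P<name>\S+)\s+"
    r"(?P<status>Not disinfected|Disinfected|Deleted|Renamed)\s+"
    r"(?P<target>.+)$"
)
# A hit inside an archive is reported as "<container>[<member>]".
MEMBER_RE = re.compile(r"^(?P<container>.+)\[(?P<member>[^\]]+)\]$")
# Substring that identifies the Java plug-in's applet cache directory.
JAVA_CACHE_MARKER = "\\sun\\java\\deployment\\cache\\"


def parse_result(line):
    """Return a dict for one result line, or None if it is not a result line."""
    m = RESULT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    inner = MEMBER_RE.match(rec["target"])
    if inner:
        rec["container"] = inner.group("container")
        rec["member"] = inner.group("member")
    else:
        rec["container"] = rec["target"]   # a plain file on disk
        rec["member"] = None
    rec["in_java_cache"] = JAVA_CACHE_MARKER in rec["container"].lower()
    return rec


def summarize(text):
    """Group detections by container so the real on-disk footprint is visible."""
    records = [r for r in map(parse_result, text.splitlines()) if r]
    containers = defaultdict(list)
    for r in records:
        containers[r["container"]].append(r["member"])
    return {
        "total": len(records),
        "by_name": dict(Counter(r["name"] for r in records)),
        "containers": dict(containers),
        # Cached applet archives: all of them go away when the Java cache is cleared.
        "java_cache_archives": sorted(c for c in containers if JAVA_CACHE_MARKER in c.lower()),
        # Everything else has to be handled file by file.
        "other_files": sorted(c for c in containers if JAVA_CACHE_MARKER not in c.lower()),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_RESULTS)
    print(f"{s['total']} detections in {len(s['containers'])} containers")
    for name, n in sorted(s["by_name"].items()):
        print(f"  {n:3d}  {name}")
    print("Java cache archives:", *s["java_cache_archives"], sep="\n  ")
    print("Other files:", *s["other_files"], sep="\n  ")
```

Run against the full listing, the same code shows that the thirty-odd ByteVerify and ClassLoader lines collapse into a small number of cached .zip archives in one user's Java cache, while bi8.inf, ezPopStub.exe and svchosts.dll are the only hits outside it, which is why the follow-up posts concentrate on those three files.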

#4
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
A. Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select
    • "Delete on Reboot"
    • From the main Killbox Window, Select Options>>Delete on Reboot>>Process all in List
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

    C:\WINDOWS\system32\javaw.exe
    C:\WINDOWS\system32\svchosts.dll
    C:\WINDOWS\SYSTEM32\ezPopStub.exe



  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.

B. Please post a fresh HJT log

Regards,

Trevuren

  • 0

#5
cocobunnylove

cocobunnylove

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
I believe I did everything correctly, I couldn't find the files when searching after the reboot. Here is the new log:



Logfile of HijackThis v1.99.1
Scan saved at 6:40:49 PM, on 11/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\sstray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Perry\Desktop\hijack\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124258143\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [BJPD HID Control] C:\Program Files\Canon\BJPV\TVMon.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Java SATARaid.lnk = C:\Program Files\Silicon Image\Java SATARaid\run.bat
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\Ers_src.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.1.1.74.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1127335627390
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF06F178-C40F-405C-9F45-24616B38EF35}: NameServer = 151.164.1.8,206.13.28.12
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe



Thanks again for everything and let me know if everything has been solved!
  • 0

#6
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
  • First we need to make all files and folders VISIBLE:
    • Go to start>control panel>folder options>view (tab)
    • Choose to "show hidden files and folders,"
    • Uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
    • Close the window with ok
  • Please RUN HijackThis.
    • Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\Ers_src.htm

  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

  • Reboot Your System in Safe Mode

    How to use the F8 method to Start Your Computer in Safe Mode

    • Restart the computer.
    • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
    • Use the arrow keys to select the Safe mode menu item
    • Press Enter.
  • Using Windows Explorer, locate the following files/folders, and DELETE them (if they are present):

    C:\WINDOWS\Web\Ers_src.htm

  • Exit Explorer, and REBOOT BACK INTO NORMAL MODE

  • Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.

Please also tell me if you are aware of any problems that could be due to the presence of more malware on your machine.

Regards,

Trevuren

  • 0
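The instructions above single out one HijackThis line (the O8 context-menu item pointing at C:\WINDOWS\Web\Ers_src.htm) from a log of several dozen. The following is an added example, not code from this thread or from the HijackThis project: a small parser for HJT log lines that pulls out the section code, any file path or URL an entry references, and the "(file missing)" marker, so that a fix list can be matched against the log mechanically and the DNS servers in an O17 entry can be read off for comparison with the ISP's. The sample input is nine lines copied from the log posted in reply #5.

```python
import re

# Constructed sample: lines copied from the HijackThis v1.99.1 log posted in
# reply #5 of this thread, one or two per section type of interest.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\Ers_src.htm
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF06F178-C40F-405C-9F45-24616B38EF35}: NameServer = 151.164.1.8,206.13.28.12
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every HJT entry starts with a section code such as R0, O4, O16, O23.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# First absolute Windows path in the entry, ending at a known file extension.
# Quotes and trailing arguments (as in the QuickTime O4 line) are left out.
PATH_RE = re.compile(
    r"[A-Za-z]:\\[^\r\n]*?\.(?:exe|dll|htm|html|bat|inf|cab|ocx|cpl|scr|sys)\b",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://\S+")
NS_RE = re.compile(r"NameServer\s*=\s*(.+)$")


def parse_hjt(text):
    """Turn HJT log lines into dicts; non-entry lines (headers, processes) are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        path = PATH_RE.search(body)
        url = URL_RE.search(body)
        entries.append({
            "code": m.group("code"),
            "body": body,
            # None for entries like "[SoundMan] SOUNDMAN.EXE", where the Run
            # value holds a bare file name that must be located manually.
            "path": path.group(0) if path else None,
            "url": url.group(0) if url else None,
            "file_missing": "(file missing)" in body,
        })
    return entries


def entries_referencing(entries, fix_paths):
    """Entries whose referenced file is on the fix list (case-insensitive)."""
    wanted = {p.lower() for p in fix_paths}
    return [e for e in entries if e["path"] and e["path"].lower() in wanted]


def missing_file_entries(entries):
    """Leftover registry references to files that no longer exist."""
    return [e for e in entries if e["file_missing"]]


def nameservers(entries):
    """DNS servers from O17 entries, to be checked against the ISP's published ones."""
    servers = []
    for e in entries:
        if e["code"] == "O17":
            m = NS_RE.search(e["body"])
            if m:
                servers.extend(s.strip() for s in m.group(1).split(","))
    return servers


if __name__ == "__main__":
    log = parse_hjt(SAMPLE_LOG)
    for e in entries_referencing(log, [r"C:\WINDOWS\Web\Ers_src.htm"]):
        print("fix:", e["code"], "-", e["body"])
    for e in missing_file_entries(log):
        print("stale:", e["code"], "-", e["body"])
    print("DNS:", ", ".join(nameservers(log)))
```

The path regex deliberately stops at the first recognised extension, so a quoted command line with arguments yields just the executable; entries with a bare file name (no drive letter) get no path and have to be resolved by hand, exactly as a human reader of the log would do.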

#7
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
