Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Got rid of Spyaxe...Now its gatorpatch! Logs enclosed [CLOSED]

Started by stargirl , Dec 19 2005 10:56 AM

This topic is locked

#1
stargirl

Posted 19 December 2005 - 10:56 AM

New Member

Member
6 posts

Hi, I did all of the preparation for this. The problem is that I got infected with Spytrooper. I don't know how. My mom logged in last night, and a disgusting window popped up. Neither of us look at that kind of stuff! Then it bumped her off, so she logged in again and spytrooper site is now the homepage and she can't fix it. I noticed something wrong a couple of days ago and tried to fix it. I got rid of most of it using smitrin...but It still is doing the browser hijack thing. PLEASE PLEASE PLEASE HELP!!!

Thank you in advance!

Ewido log

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:41:55 AM, 12/19/2005
+ Report-Checksum: 4CC5E639

+ Scan result:

C:\Documents and Settings\Jessica Green\Cookies\jessica green@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned without backup
C:\Documents and Settings\Jessica Green\Cookies\jessica [email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned without backup
C:\Documents and Settings\Jessica Green\Cookies\jessica [email protected][2].txt -> Spyware.Cookie.Pointroll : Cleaned without backup
C:\Documents and Settings\Jessica Green\Cookies\jessica green@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned without backup
C:\Documents and Settings\Jessica Green\Cookies\jessica green@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned without backup

::Report End

Hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 11:48:55 AM, on 12/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvctrl.exe
C:\WINDOWS\System32\mssearchnet.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Common Files\AOL\1124492871\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1124492871\ee\AOLServiceHost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Bluelight Internet\exec.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\AOL\1124492871\ee\AOLServiceHost.exe
C:\Program Files\Bluelight Internet\exec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jessica Green\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.mybluelig...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.mybluelig...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mybluelig...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.companion....com/search?p=%s
O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\System32\hpA19F.tmp
O3 - Toolbar: Browser Bar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\PROGRA~1\BLUELI~1\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MyBlueLight - {25EEFF3E-58EE-4811-95CC-78F922605006} - C:\Program Files\BlueLight Internet\toolbar.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124492871\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [uoltray] C:\Program Files\Bluelight Internet\exec.exe regrun
O4 - HKCU\..\Run: [BlueLight_uoltray] C:\Program Files\Bluelight Internet\exec.exe regrun
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .qcp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: Yahoo! Checkers - http://download.game...nts/y/kt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potd_x.cab
O16 - DPF: Yahoo! Reversi - http://download.game...nts/y/rt0_x.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://www.uproar.co...pside_web18.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1135008055968
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://viewers.multi...MINIBrowser.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.c...ebio5_0_2_7.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2568E186-D058-4D50-8146-7200ED40E307}: NameServer = 64.136.20.121 64.136.28.121
O17 - HKLM\System\CS1\Services\Tcpip\..\{2568E186-D058-4D50-8146-7200ED40E307}: NameServer = 64.136.20.121 64.136.28.121
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Edited by stargirl, 19 December 2005 - 05:57 PM.

#2
lovethepirk

Posted 19 December 2005 - 11:18 AM

Visiting Staff

Member
528 posts

Welcome to G2G forums.

If you had an earlier version of Smitrem fix please delete it as it has been updated possibly since you ran it last.

You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.

First I suggest you navigate using windows explorer to this file and delete it:
c:\counter.cab

Then download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

Update Ewido now, we need to run it again later.

If you do not already have Ad-Aware SE 1.06 installed, follow these download and setup instructions. Also check for updates:
Ad-Aware SE Setup
Again, do NOT run a scan yet.

Next, please reboot your computer in Safe Mode by doing the following:

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.

Scan with HijackThis again and place a check next to these items:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.companion....com/search?p=%s

O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\System32\hpA19F.tmp

O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab

Close all other windows except HijackThis, and hit Fix Checked

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Your desktop and icons will disappear and then reappear again --- this is normal.
Wait for the tool to complete and Disk Cleanup to finish --- this may take a while; please be patient.

Next, run Ad-aware and perform a full scan. Remove everything found.

Now open Ewido Security Suite

Click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file. Save that file for us later.
Close Ewido

Next go to Start -> Control Panel, click Display -> Desktop -> Customize Desktop -> Web -> Uncheck "Security Info" if present.

Restart your computer in normal mode.

Run the Panda online virus scan at http://www.pandasoft.../activescan.htm

- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Finally, restart your computer once more, and please post a new HijackThis log as well as the log from the Ewido scan and the log from the smitRem tool, which will be located at C:\smitfiles.txt.
Let us know if any problems persist.

Edited by lovethepirk, 19 December 2005 - 11:19 AM.

#3
stargirl

Posted 19 December 2005 - 11:22 AM

New Member

Topic Starter
Member
6 posts

Only one problem, what's windows explorer?

#4
lovethepirk

Posted 19 December 2005 - 12:17 PM

Visiting Staff

Member
528 posts

Right click on your "start" icon in the lower left of the computer and choose "explorer". Then click the "local disk (c:)" line and look in the right panel for this file and delete it by right clicking the file and choose delete.
c:\counter.cab

If you cannot do this you can just continue on with the fix :tazz:

#5
stargirl

Posted 19 December 2005 - 02:51 PM

New Member

Topic Starter
Member
6 posts

Ok, I did everything but according to the panda scan I still have a virus.

Current Hijack This Log

Logfile of HijackThis v1.99.1
Scan saved at 3:44:42 PM, on 12/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Bluelight Internet\exec.exe
C:\Program Files\Bluelight Internet\exec.exe
C:\Program Files\Common Files\AOL\1124492871\ee\AOLHostManager.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Common Files\AOL\1124492871\ee\AOLServiceHost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\AOL\1124492871\ee\AOLServiceHost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Jessica Green\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O3 - Toolbar: Browser Bar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\PROGRA~1\BLUELI~1\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MyBlueLight - {25EEFF3E-58EE-4811-95CC-78F922605006} - C:\Program Files\BlueLight Internet\toolbar.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124492871\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [uoltray] C:\Program Files\Bluelight Internet\exec.exe regrun
O4 - HKCU\..\Run: [BlueLight_uoltray] C:\Program Files\Bluelight Internet\exec.exe regrun
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .qcp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: Yahoo! Checkers - http://download.game...nts/y/kt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potd_x.cab
O16 - DPF: Yahoo! Reversi - http://download.game...nts/y/rt0_x.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://www.uproar.co...pside_web18.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1135008055968
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://viewers.multi...MINIBrowser.CAB
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.c...ebio5_0_2_7.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Ewido

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 2:17:17 PM, 12/19/2005
+ Report-Checksum: 9283F04D

+ Scan result:

C:\Documents and Settings\Jessica Green\Cookies\jessica green@com[2].txt -> Spyware.Cookie.Com : Cleaned without backup
C:\Documents and Settings\Jessica Green\Desktop\backups\backup-20051219-131549-155.dll -> Downloader.Zlob.dd : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000017.tlb -> Trojan.Puper.bt : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000023.exe -> Dropper.Mudrop.ao : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000024.exe -> Downloader.Zlob.by : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000035.tlb -> Trojan.Puper.bt : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000048.tlb -> Trojan.Puper.bt : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0000096.tlb -> Trojan.Puper.bt : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0000131.exe -> Downloader.Zlob.dd : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0000132.exe -> Downloader.Zlob.dd : Cleaned without backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0000134.tlb -> Trojan.Puper.bt : Cleaned without backup

::Report End

Panda Activescan

Incident Status Location

Virus:Trj/Downloader.AEE Not disinfected C:\Documents and Settings\Jessica Green\Desktop\backups\backup-20051219-131549-426.inf
Adware:adware/gator Not disinfected C:\GatorPatch.log

SMITREM report

Sorry I forgot to put the smitrem file

smitRem © log file
version 2.8

by noahdfear

Microsoft Windows XP [Version 5.1.2600]
The current date is: Mon 12/19/2005
The current time is: 13:16:39.31

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key

PSGuard.com key not present!

spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

Online Security Guide.url

~~~ Favorites ~~~

~~~ system32 folder ~~~

1024 dir
msvol.tlb
ncompat.tlb
mscornet.exe
hp***.tmp

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 712 'explorer.exe'
Killing PID 712 'explorer.exe'

Starting registry repairs

Deleting files

Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

Online Security Guide.url

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

CLEAN!

Thank you for all of your support thus far and I hope you help me fix this.

Edited by stargirl, 19 December 2005 - 03:35 PM.

#6
stargirl

Posted 19 December 2005 - 02:55 PM

New Member

Topic Starter
Member
6 posts

Umm...I really need the help...

Edited by stargirl, 19 December 2005 - 03:38 PM.

#7
lovethepirk

Posted 20 December 2005 - 11:26 AM

Visiting Staff

Member
528 posts

Stargirl,

Use windows explorer again(right click start > choose explore) and delete this file:
C:\GatorPatch.log

Other than that you look clean, are you having any more issues?

Run this excellent online scan for me:
Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
- Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post with another HJT log.

#8
lovethepirk

Posted 31 December 2005 - 01:23 AM

Visiting Staff

Member
528 posts

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.