
Got a few issues



#1
ginger911
Hi, here are my logs. This thing is driving me nuts.


Logfile of HijackThis v1.99.1
Scan saved at 5:10:33 PM, on 12/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\MacroMed\Flash\GetFlash.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Security Tools\ewido\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\0caff7z.exe
C:\WINDOWS\system32\0caff7z.exe
C:\WINDOWS\system32\0caff7z.exe
C:\WINDOWS\system32\0caff7z.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\0caff7z.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Security Tools\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://wapp.verizon....ie&bm=yh_search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon....1_ie&bm=yh_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.shawneelink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\SYSTEM32\ll0.dll
O2 - BHO: SDWin32 Class - {93B5DCF9-A91A-41E3-9AF5-DCCF5DF0DB77} - C:\WINDOWS\System32\orrbh.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll (file missing)
O4 - HKLM\..\Run: [htageaa] C:\WINDOWS\System32\htageaa.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\RunOnce: [hzqzfv9.exe] C:\WINDOWS\system32\hzqzfv9.exe /k
O4 - HKCU\..\Run: [msencode] C:\WINDOWS\System32\msencode.exe
O4 - HKCU\..\Run: [d3d8] C:\WINDOWS\System32\d3d8.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [196_150_ni] C:\WINDOWS\System32\196_150_ni.exe
O4 - HKCU\..\Run: [197_150_ni_4] C:\WINDOWS\System32\197_150_ni_4.exe
O4 - HKCU\..\Run: [198_150_ni_3] C:\WINDOWS\System32\198_150_ni_3.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [hzqzfv9.exe] C:\WINDOWS\system32\hzqzfv9.exe /k
O4 - Global Startup: Instant Update Reminder.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {354A56A8-738A-4D48-817D-58F90B7EC0E6} - http://www.shawneelink.net/support/ (file missing) (HKCU)
O9 - Extra button: SLU - {48D8AF06-65C3-4ECF-82AD-DA1B4302BB08} - http://slu.shawneelink.net (file missing) (HKCU)
O9 - Extra button: User Area - {688D4C17-1B0A-4F2E-BEE5-177F0EE846F0} - http://www.shawneelink.net/users/ (file missing) (HKCU)
O12 - Plugin for .MOV: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.shawneelink.net
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103038930889
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Security Tools\ewido\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Security Tools\ewido\ewido anti-malware\ewidoguard.exe
O23 - Service: kbdal - Unknown owner - C:\WINDOWS\system32\kbdal.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe



Also I did an Ewido scan and it came up with this.


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 5:03:49 PM, 12/20/2005
+ Report-Checksum: C83887D9

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{8940E505-72C6-44DE-BE85-1D746780EFBF} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9E992732-295F-4987-8BE3-16FAC1639198} -> Spyware.FastFind : Cleaned with backup
HKLM\SOFTWARE\Classes\Common.Buttons -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{0F2A4ADC-DABF-4980-8DB4-19F67D7B1F95} -> Spyware.ClearSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{49DB48FF-02B5-4645-B676-94A4DF1AA026} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{6E0ED53C-9908-49ED-B055-7CB31B162577} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{830D3AED-2FA9-454F-B266-D931862BBF34} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8C53BD8E-B12D-4C8F-AD0E-C9DDC39D1273} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{9BCDD51B-4A7B-446C-8452-D32D38004582} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{A986F4DB-792E-4571-8974-0BB6E024766F} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BCCAB53D-0895-40C3-A942-A03538CE227A} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C0F88E9E-DCEB-4655-968A-AE508A677C39} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{D7EAC2D8-2D52-4010-A4AD-DFDF60C1706C} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\SWRT01.RT -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\SWRT01.RT\Clsid -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{5E594162-60A9-487D-84B8-DBDD716CB862} -> Spyware.VirtualBouncer : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{8992B6CA-B8C9-4AED-BF89-0A17F6296A06} -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\VoiceIPDll.VoiceIPDllObj.1 -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\WinAffiliateBHO.WinAffiliateIEExtensi.1 -> Spyware.MidAddle : Cleaned with backup
HKLM\SOFTWARE\Classes\WinAffiliateBHO.WinAffiliateIEExtension -> Spyware.MidAddle : Cleaned with backup
HKLM\SOFTWARE\Classes\WinAffiliateBHO.WinAffiliateIEExtension\CLSID -> Spyware.MidAddle : Cleaned with backup
HKLM\SOFTWARE\Classes\WinAffiliateBHO.WinAffiliateIEExtension\CurVer -> Spyware.MidAddle : Cleaned with backup
HKLM\SOFTWARE\Dsi -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\MaxSpeed -> Spyware.Maxspeed : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{120E090D-9136-4b78-8258-F0B44B4BD2AC} -> Spyware.Maxspeed : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{120E090D-9136-4b78-8258-F0B44B4BD2AC} -> Spyware.Maxspeed : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{8F9FBEB8-D216-4d6c-8D21-513157E09C0D} -> Spyware.Maxspeed : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22B9A67D-E689-44B6-B775-0E8FE84B4F9B} -> Spyware.Hijacker.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MirrorUnder -> Spyware.ClearSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpiderSidebar -> Spyware.ClearSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UrlSidebar -> Spyware.ClearSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{120E090D-9136-4b78-8258-F0B44B4BD2AC} -> Spyware.Maxspeed : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8F9FBEB8-D216-4d6c-8D21-513157E09C0D} -> Spyware.Maxspeed : Cleaned with backup
HKU\.DEFAULT\Software\Toolbar -> Spyware.WebSearch : Cleaned with backup
HKU\.DEFAULT\Software\Toolbar\PlugIns -> Spyware.WebSearch : Cleaned with backup
HKU\.DEFAULT\Software\Toolbar\PlugIns\COMMON -> Spyware.WebSearch : Cleaned with backup
HKU\.DEFAULT\Software\Toolbar\Server -> Spyware.WebSearch : Cleaned with backup
HKU\.DEFAULT\Software\VoiceIP -> Spyware.BetterInternet : Cleaned with backup
HKU\S-1-5-21-2014835873-598665437-431110056-1003\Software\Bundles -> Spyware.SecondThought : Cleaned with backup
HKU\S-1-5-21-2014835873-598665437-431110056-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{120E090D-9136-4B78-8258-F0B44B4BD2AC} -> Spyware.Maxspeed : Cleaned with backup
HKU\S-1-5-21-2014835873-598665437-431110056-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{22B9A67D-E689-44B6-B775-0E8FE84B4F9B} -> Spyware.Hijacker.Generic : Cleaned with backup
HKU\S-1-5-21-2014835873-598665437-431110056-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A78860C8-EE1A-46DF-A97F-E3E6D433E80B} -> Spyware.AdTomi : Cleaned with backup
HKU\S-1-5-21-2014835873-598665437-431110056-1003\Software\VoiceIP -> Spyware.BetterInternet : Cleaned with backup
HKU\S-1-5-18\Software\Toolbar -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-18\Software\Toolbar\PlugIns -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-18\Software\Toolbar\PlugIns\COMMON -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-18\Software\Toolbar\Server -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-18\Software\VoiceIP -> Spyware.BetterInternet : Cleaned with backup
[1348] C:\WINDOWS\system32\test.bmp -> Trojan.Small : Error during cleaning
[1540] C:\WINDOWS\system32\kbdal.exe -> Downloader.Small : Cleaned with backup
[2904] C:\WINDOWS\System32\orrbh.dll -> Spyware.Adstart : Error during cleaning
[2036] C:\WINDOWS\system32\test.bmp -> Trojan.Small : Error during cleaning
C:\Documents and Settings\Owner\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0C.dat/files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\Documents and Settings\Owner\xNJSORKVYEY.exe -> Downloader.Agent.am : Cleaned with backup
C:\Documents and Settings\Owner\xPXMTSOPWQD.exe -> Downloader.Agent.am : Cleaned with backup
C:\Documents and Settings\Owner\xUSYTIYGHYI.exe -> Downloader.Agent.am : Cleaned with backup
C:\Program Files\IncrediFind -> Spyware.Incredifind : Cleaned with backup
C:\Program Files\IncrediFind\BHO -> Spyware.Incredifind : Cleaned with backup
C:\Program Files\IncrediFind\BHO\date.txt -> Spyware.Incredifind : Cleaned with backup
C:\Program Files\Lycos\IEagent\A_ClearSearch.DLL -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\Lycos\IEagent\csAOLldr.exe -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\Lycos\IEagent\FNuninstaller.EXE -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP102\A0067270.sys -> Trojan.Kolweb.g : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP102\A0067271.exe -> Trojan.Kolweb.g : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP102\A0067272.sys -> Trojan.Kolweb.g : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP102\A0067275.exe -> Trojan.Kolweb.g : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP102\A0067323.exe -> Dropper.SurfSide.a : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP75\A0055644.exe -> Downloader.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP79\A0059157.dll -> Downloader.Apropo.l : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP79\A0059158.exe -> Downloader.Apropo.l : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP79\A0059160.exe -> Downloader.Apropo.l : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP79\A0059161.dll -> Downloader.Apropo.l : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP79\A0059260.exe -> Downloader.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP80\A0059474.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP80\A0059475.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP80\A0059476.exe -> Trojan.Delf.cf : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP80\A0059477.dll -> Trojan.Kolweb.a : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP80\A0059478.exe -> Trojan.Delf.cf : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP80\A0059479.exe -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP80\A0059485.exe -> Trojan.Kolweb.e : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP80\A0059489.dll -> Trojan.Kolweb.d : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP80\A0061820.exe -> Downloader.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP82\A0065049.sys -> Trojan.Kolweb.e : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP82\A0065050.dll -> Trojan.Kolweb.d : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP82\A0065051.exe -> Trojan.Kolweb.e : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP82\A0065052.exe -> Trojan.Delf.cf : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP82\A0065053.sys -> Trojan.Kolweb.e : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP82\A0065054.exe -> Trojan.Delf.cf : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP86\A0065255.exe -> Trojan.Kolweb.g : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP86\A0065256.exe -> Trojan.Kolweb.g : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP86\A0065258.dll -> Trojan.Kolweb.d : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP86\A0065262.exe -> Trojan.Delf.cf : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP86\A0065267.exe -> Trojan.Kolweb.g : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP86\A0065268.exe -> Trojan.Kolweb.g : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP92\A0066885.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP93\A0066921.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP94\A0066957.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP95\A0066993.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP96\A0067029.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP97\A0067173.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\aqadcup.exe -> Backdoor.Agent.co : Cleaned with backup
C:\WINDOWS\bsx32 -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ADBN2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ADVC5.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ADVCTX2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIWS3.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\AUTOS2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\BID1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\BingoRoom1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\CARD2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\CARS3.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\CASH2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\DATE4.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\DEBT1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\DENT1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\EECH1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\EML1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\FAST1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\FINC3.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\FINC5.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\FLWR1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\FMND1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\HEAL5.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\HEBE2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\HERBS1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\HOGAR2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\INK1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\INSUR4.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\JOBS4.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\MORT4.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\MOVS2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\NEWS2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\OPPR2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\SHOP2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\SPZ3.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TECH2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMP1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMP2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TRVL5.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TV1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\UTONE2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\VENUE1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\WOMEN2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\XTFL2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\istinstall_si.exe -> Downloader.Small.gl : Cleaned with backup
C:\WINDOWS\SYSTEM32\acctres2.exe -> Downloader.3746.A : Cleaned with backup
C:\WINDOWS\SYSTEM32\adolib32.dll -> Downloader.Qoologic.a : Cleaned with backup
C:\WINDOWS\SYSTEM32\bH.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM32\BO2802040113.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM32\BO2804040128.exe -> Spyware.VirtualBouncer : Cleaned with backup
C:\WINDOWS\SYSTEM32\bridge91.exe -> Spyware.IEDriver : Cleaned with backup
C:\WINDOWS\SYSTEM32\browser1.dll -> Downloader.3746.A : Cleaned with backup
C:\WINDOWS\SYSTEM32\calsdr.dll -> Downloader.Rameh.b : Cleaned with backup
C:\WINDOWS\SYSTEM32\calsdr.exe -> Dropper.Small.ff : Cleaned with backup
C:\WINDOWS\SYSTEM32\Cnpgkn32.exe -> Logger.Qukart : Cleaned with backup
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0LYB8PAR\kk[1].gif -> Logger.Qukart : Cleaned with backup
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0LYB8PAR\kk[2].gif -> Logger.Qukart : Cleaned with backup
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0LYB8PAR\kk[3].gif -> Logger.Qukart : Cleaned with backup
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0LYB8PAR\kk[4].gif -> Logger.Qukart : Cleaned with backup
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0LYB8PAR\x[1].exe -> Worm.Padobot.m : Cleaned with backup
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0LYB8PAR\x[2].exe -> Worm.Padobot.m : Cleaned with backup
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C8A72ME5\kk[1].gif -> Logger.Qukart : Cleaned with backup
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C8A72ME5\kk[2].gif -> Logger.Qukart : Cleaned with backup
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C8A72ME5\kk[3].gif -> Logger.Qukart : Cleaned with backup
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C8A72ME5\kk[4].gif -> Logger.Qukart : Cleaned with backup
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C8A72ME5\kk[5].gif -> Logger.Qukart : Cleaned with backup
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C8A72ME5\kk[6].gif -> Logger.Qukart : Cleaned with backup
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C8A72ME5\kk[7].gif -> Logger.Qukart : Cleaned with backup
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C8A72ME5\x[1].exe -> Worm.Padobot.m : Cleaned with backup
C:\WINDOWS\SYSTEM32\cvss.exe -> Downloader.Qoologic.b : Cleaned with backup
C:\WINDOWS\SYSTEM32\Fofeef32.dll -> Backdoor.Padodor.v : Cleaned with backup
C:\WINDOWS\SYSTEM32\Fqr9U5uF.exe -> Downloader.VB.em : Cleaned with backup
C:\WINDOWS\SYSTEM32\ftpupd.exe -> Worm.Padobot.m : Cleaned with backup
C:\WINDOWS\SYSTEM32\hbahead.exe -> Trojan.Painwin.a : Cleaned with backup
C:\WINDOWS\SYSTEM32\hhidegn.dll -> Trojan.Painwin.a : Cleaned with backup
C:\WINDOWS\SYSTEM32\hjbtq.exe -> Worm.Padobot.m : Cleaned with backup
C:\WINDOWS\SYSTEM32\hjifeer.sys -> Trojan.Painwin.a : Cleaned with backup
C:\WINDOWS\SYSTEM32\hjiryfj.vxd -> Trojan.Painwin.a : Cleaned with backup
C:\WINDOWS\SYSTEM32\hkageel.sys -> Trojan.Painwin.a : Cleaned with backup
C:\WINDOWS\SYSTEM32\hmiwycr.exe -> Trojan.Painwin.a : Cleaned with backup
C:\WINDOWS\SYSTEM32\hoaiyfr.vxd -> Trojan.Painwin.a : Cleaned with backup
C:\WINDOWS\SYSTEM32\hpipebn.exe -> Trojan.Painwin.a : Cleaned with backup
C:\WINDOWS\SYSTEM32\hraieba.exe -> Trojan.Painwin.a : Cleaned with backup
C:\WINDOWS\SYSTEM32\huauycp.exe -> Trojan.Painwin.a : Cleaned with backup
C:\WINDOWS\SYSTEM32\huiwegf.dll -> Trojan.Painwin.a : Cleaned with backup
C:\WINDOWS\SYSTEM32\id113.exe -> Trojan.SecondThought.ak : Cleaned with backup
C:\WINDOWS\SYSTEM32\in10b6s.dll -> Adware.eZula : Cleaned with backup
C:\WINDOWS\SYSTEM32\in10bH.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM32\istinstall_143666.exe -> Downloader.IstBar.er : Cleaned with backup
C:\WINDOWS\SYSTEM32\jpdwuf.exe -> Logger.Qukart : Cleaned with backup
C:\WINDOWS\SYSTEM32\K404SearchSetup_MS18.exe -> Spyware.404Search : Cleaned with backup
C:\WINDOWS\SYSTEM32\kbdal.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\SYSTEM32\kbdcz.exe -> Trojan.Downloader.reqlook : Cleaned with backup
C:\WINDOWS\SYSTEM32\Lkofhn32.exe -> Logger.Qukart : Cleaned with backup
C:\WINDOWS\SYSTEM32\mirka3e.exe -> Trojan.Delf.cf : Cleaned with backup
C:\WINDOWS\SYSTEM32\Mjapgh32.dll -> Backdoor.Padodor.v : Cleaned with backup
C:\WINDOWS\SYSTEM32\ms.exe -> Downloader.Vb.Cw : Cleaned with backup
C:\WINDOWS\SYSTEM32\orrbhc.exe -> Spyware.Adstart : Cleaned with backup
C:\WINDOWS\SYSTEM32\orrbhf.exe -> Spyware.Adstart : Cleaned with backup
C:\WINDOWS\SYSTEM32\scxggb.exe -> Logger.Qukart : Cleaned with backup
C:\WINDOWS\SYSTEM32\Searchx.htm -> Spyware.TwainTech : Cleaned with backup
C:\WINDOWS\SYSTEM32\stubwinx.exe -> Spyware.IEDriver : Cleaned with backup
C:\WINDOWS\SYSTEM32\SWRT01.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\WINDOWS\SYSTEM32\ui3.dll -> Trojan.Kolweb.f : Cleaned with backup
C:\WINDOWS\SYSTEM32\Wlsb9SH.exe -> Downloader.VB.em : Cleaned with backup
C:\WINDOWS\SYSTEM32\xCTSBWGVPFK.exe -> Downloader.Agent.am : Cleaned with backup
C:\WINDOWS\SYSTEM32\xKYYCPNNAJP.exe -> Downloader.Agent.am : Cleaned with backup
C:\WINDOWS\SYSTEM32\xLYEXWNJHAD.exe -> Downloader.Agent.am : Cleaned with backup
C:\WINDOWS\SYSTEM32\xRIVVUUNIUS.exe -> Downloader.Agent.am : Cleaned with backup
C:\WINDOWS\SYSTEM32\__delete_on_reboot__198_150_ni_3.exe -> Downloader.Agent.am : Cleaned with backup
C:\WINDOWS\SYSTEM32\__delete_on_reboot__orrbh.dll -> Spyware.Adstart : Cleaned with backup
C:\WINDOWS\SYSTEM32\__delete_on_reboot__test.bmp -> Trojan.Small : Cleaned with backup
C:\WINDOWS\Temp\~499301.tmp -> Downloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~778905.tmp -> Downloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~892989.tmp -> Downloader.WinTool : Error during cleaning
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent : Cleaned with backup


::Report End


Thanks.
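The helpers on this board read the two logs above by hand. As an added example (not code from the original thread, and not part of HijackThis or Ewido), here is a small Python script that parses both formats and cross-references them: it joins Ewido's file detections to the HijackThis entries by file name (stripping Ewido's `__delete_on_reboot__` rename prefix so `198_150_ni_3.exe` still matches), flags autostart entries whose target is "(file missing)", O23 services with no publisher, a system-binary name such as svchost.exe living outside System32, binaries running more than once with no visible autostart entry (the `0caff7z.exe` case), and objects Ewido could not clean because they were still loaded in a process. The sample input is a short excerpt of the logs posted above; the heuristics themselves, and the exemption for svchost.exe, are this example's assumptions rather than rules stated in the thread.

```python
import re
from collections import Counter

# Sample input: short excerpts of the HijackThis log and Ewido report posted above.
HJT_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\0caff7z.exe
C:\WINDOWS\system32\0caff7z.exe

O2 - BHO: SDWin32 Class - {93B5DCF9-A91A-41E3-9AF5-DCCF5DF0DB77} - C:\WINDOWS\System32\orrbh.dll (file missing)
O4 - HKLM\..\Run: [htageaa] C:\WINDOWS\System32\htageaa.exe
O4 - HKCU\..\Run: [198_150_ni_3] C:\WINDOWS\System32\198_150_ni_3.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: kbdal - Unknown owner - C:\WINDOWS\system32\kbdal.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""
EWIDO_REPORT = r"""HKLM\SOFTWARE\Classes\SWRT01.RT -> Spyware.SecondThought : Cleaned with backup
[1348] C:\WINDOWS\system32\test.bmp -> Trojan.Small : Error during cleaning
[1540] C:\WINDOWS\system32\kbdal.exe -> Downloader.Small : Cleaned with backup
[2904] C:\WINDOWS\System32\orrbh.dll -> Spyware.Adstart : Error during cleaning
C:\WINDOWS\SYSTEM32\__delete_on_reboot__198_150_ni_3.exe -> Downloader.Agent.am : Cleaned with backup
"""

HJT_ENTRY = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# First Windows path in a line: drive letter, then anything up to a recognised extension.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|ocx|cab|tmp|bmp)\b', re.I)
EWIDO_LINE = re.compile(r"^(?:\[(?P<pid>\d+)\] )?(?P<obj>.+?) -> (?P<family>\S+) : (?P<status>.+)$")
REBOOT_PREFIX = "__delete_on_reboot__"  # Ewido renames files it could not delete at once


def basename(path):
    """Lower-case file name from a Windows path, with Ewido's rename prefix stripped."""
    if not path:
        return ""
    name = path.rsplit("\\", 1)[-1].lower()
    return name[len(REBOOT_PREFIX):] if name.startswith(REBOOT_PREFIX) else name


def parse_hjt(text):
    """Return (running_processes, entries) from a HijackThis log."""
    processes, entries, in_procs = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        m = HJT_ENTRY.match(line)
        if m:
            in_procs = False
            found = WIN_PATH.search(m.group("body"))
            entries.append({"section": m.group("section"), "raw": line, "missing": "(file missing)" in line,
                            "path": found.group(0) if found else None})
        elif in_procs and line:
            processes.append(line)
    return processes, entries


def parse_ewido(text):
    """One dict (pid, obj, family, status) per detection line of an Ewido report."""
    return [m.groupdict() for m in map(EWIDO_LINE.match, map(str.strip, text.splitlines())) if m]


def triage(hjt_text, ewido_text):
    """Cross-reference both logs; return {item: [reasons]} for what needs attention."""
    processes, entries = parse_hjt(hjt_text)
    hits = parse_ewido(ewido_text)
    # File detections only (registry keys are skipped), keyed by file name for the join.
    detected = {basename(h["obj"]): h["family"] for h in hits if re.match(r"[A-Za-z]:\\", h["obj"])}
    findings = {}

    def flag(key, reason):
        findings.setdefault(key, []).append(reason)

    for e in entries:
        name = basename(e["path"])
        if e["missing"]:
            flag(e["raw"], "orphaned autostart: target file missing")
        if e["section"] == "O23" and "Unknown owner" in e["raw"]:
            flag(e["raw"], "service without a publisher")
        if name == "svchost.exe" and "\\system32\\" not in e["path"].lower():
            flag(e["raw"], "system binary name outside System32")
        if name in detected:
            flag(e["raw"], f"detected by Ewido as {detected[name]}")

    # A binary running more than once with no autostart entry in the log is started some
    # other way. svchost.exe is exempt (assumption): Windows runs one per service group.
    autostarts = {basename(e["path"]) for e in entries if e["path"]}
    for name, n in Counter(basename(p) for p in processes).items():
        if n > 1 and name != "svchost.exe" and name not in autostarts:
            flag(name, f"{n} instances running, no autostart entry in log")

    # Objects Ewido could not remove were still loaded; they need the safe-mode rescan.
    for h in hits:
        if h["status"].startswith("Error"):
            where = f" (loaded in pid {h['pid']})" if h["pid"] else ""
            flag(h["obj"], f"Ewido cleaning failed{where}")
    return findings


if __name__ == "__main__":
    print(*(f"{k}: {'; '.join(v)}" for k, v in triage(HJT_LOG, EWIDO_REPORT).items()), sep="\n")
```

Run it against the full saved logs by replacing the two sample strings with the file contents. The join is deliberately on file name rather than full path, because Ewido reports `SYSTEM32` in upper case while HijackThis prints the path as stored in the registry; the one place the full path matters is the fake `C:\WINDOWS\svchost.exe`, which is caught by the directory check rather than the name.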


#2
Excal (Retired Staff)
Hi ginger911 and welcome to GeeksToGo! My name is Excal and I will be helping you.


DOWNLOAD PROGRAMS


Download and install CleanUp! Here
*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

We will use this program later.


THE FIX


Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and, as soon as it starts booting up again, continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Open up and run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan, when it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections", then choose Clean and click OK.
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
Close Ewido

5. Close all browsers, windows and unneeded programs.

6. Open HiJack and do a scan.

7. Put a Check next to the following items:

O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\SYSTEM32\ll0.dll
O2 - BHO: SDWin32 Class - {93B5DCF9-A91A-41E3-9AF5-DCCF5DF0DB77} - C:\WINDOWS\System32\orrbh.dll (file missing)
O4 - HKLM\..\Run: [htageaa] C:\WINDOWS\System32\htageaa.exe
O4 - HKLM\..\RunOnce: [hzqzfv9.exe] C:\WINDOWS\system32\hzqzfv9.exe /k
O4 - HKCU\..\Run: [msencode] C:\WINDOWS\System32\msencode.exe
O4 - HKCU\..\Run: [d3d8] C:\WINDOWS\System32\d3d8.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [196_150_ni] C:\WINDOWS\System32\196_150_ni.exe
O4 - HKCU\..\Run: [197_150_ni_4] C:\WINDOWS\System32\197_150_ni_4.exe
O4 - HKCU\..\Run: [198_150_ni_3] C:\WINDOWS\System32\198_150_ni_3.exe
O4 - HKCU\..\RunOnce: [hzqzfv9.exe] C:\WINDOWS\system32\hzqzfv9.exe /k
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: kbdal - Unknown owner - C:\WINDOWS\system32\kbdal.exe (file missing)


8. Click the Fix Checked box.

9. Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\System32\htageaa.exe
C:\WINDOWS\System32\msencode.exe
C:\WINDOWS\System32\d3d8.exe
C:\WINDOWS\System32\196_150_ni.exe
C:\WINDOWS\System32\197_150_ni_4.exe
C:\WINDOWS\System32\198_150_ni_3.exe
C:\WINDOWS\system32\hzqzfv9.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\kbdal.exe


10. Run the program CleanUp!

11. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

12. Please post the Active scan log, Ewido Log and a fresh HiJackThis log. Let me know how your computer is running.

#3
ginger911

    Member

  • Topic Starter
  • Member
  • 18 posts
Thanks for helping me. I still notice popups, but the computer is running faster. I couldn't find the .exe files; I think my run of ewido in safe mode got them, possibly?



Logfile of HijackThis v1.99.1
Scan saved at 11:12:31 PM, on 12/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Security Tools\ewido\ewido anti-malware\ewidoctrl.exe
C:\Security Tools\ewido\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon03.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Security Tools\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://wapp.verizon....ie&bm=yh_search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon....1_ie&bm=yh_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.shawneelink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\SYSTEM32\ll0.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll (file missing)
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [UqQqft6B] C:\documents and settings\owner\local settings\temp\UqQqft6B.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [Sc] C:\documents and settings\owner\local settings\temp\Sc.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [r0zPs4aZ] C:\documents and settings\owner\local settings\temp\r0zPs4aZ.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [p72k3se] dxmmbed.exe
O4 - HKLM\..\Run: [orrbhc] C:\WINDOWS\System32\orrbhc.exe
O4 - HKLM\..\Run: [O7Z] C:\documents and settings\owner\local settings\temp\O7Z.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [MSN Manager] C:\WINDOWS\System32\cvss.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [hir] C:\WINDOWS\hir.exe
O4 - HKLM\..\Run: [eyboardk] C:\WINDOWS\System32\eyboardk.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\hjbtq.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [azcattcusiqdx] C:\WINDOWS\System32\ffeagl.exe
O4 - HKLM\..\Run: [aqadcup] C:\WINDOWS\aqadcup.exe
O4 - HKLM\..\Run: [a1504dc972ef] C:\WINDOWS\System32\bridge91.exe
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\QcfL.exe
O4 - HKLM\..\RunOnce: [hzqzfv9.exe] C:\WINDOWS\system32\hzqzfv9.exe /k
O4 - HKCU\..\Run: [msencode] C:\WINDOWS\System32\msencode.exe
O4 - HKCU\..\Run: [d3d8] C:\WINDOWS\System32\d3d8.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [196_150_ni] C:\WINDOWS\System32\196_150_ni.exe
O4 - HKCU\..\Run: [197_150_ni_4] C:\WINDOWS\System32\197_150_ni_4.exe
O4 - HKCU\..\Run: [198_150_ni_3] C:\WINDOWS\System32\198_150_ni_3.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [YwtqRiK5V] edlgmgr.exe
O4 - HKCU\..\RunOnce: [hzqzfv9.exe] C:\WINDOWS\system32\hzqzfv9.exe /k
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {354A56A8-738A-4D48-817D-58F90B7EC0E6} - http://www.shawneelink.net/support/ (file missing) (HKCU)
O9 - Extra button: SLU - {48D8AF06-65C3-4ECF-82AD-DA1B4302BB08} - http://slu.shawneelink.net (file missing) (HKCU)
O9 - Extra button: User Area - {688D4C17-1B0A-4F2E-BEE5-177F0EE846F0} - http://www.shawneelink.net/users/ (file missing) (HKCU)
O12 - Plugin for .MOV: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.shawneelink.net
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103038930889
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Security Tools\ewido\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Security Tools\ewido\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:56:02 PM, 12/20/2005
+ Report-Checksum: D5D4D405

+ Scan result:

C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\WINDOWS\Temp\~499301.tmp -> Downloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~778905.tmp -> Downloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~892989.tmp -> Downloader.WinTool : Error during cleaning


::Report End

#4
Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Yikes, you actually look more infected than you were, but that's OK. Something I missed the first time is that you do not have an antivirus installed, which is a bad thing. AVG is a very good free antivirus program, which I use on my own computer, but before we download that, can you please do the following.

Go to start>control panel>add/remove programs. Remove Wintools.

We need to remove the Pepper trojan. Download this file, run it, and let it terminate (it'll just blink briefly on your screen and won't appear to have done much; this is normal): http://www.geekstogo...=download&id=18

Please download AVG

After it's installed, update it, then do a complete scan of your computer. After that, reboot and post a fresh HiJackThis log and we will get you cleaned up :)

:tazz:

Excal

#5
ginger911

    Member

  • Topic Starter
  • Member
  • 18 posts
I forgot to put the ActiveScan results in my last post, so here they are. I will post again after this when I have followed the steps above.

Incident Status Location

Adware:Adware/Adtomi Not disinfected C:\WINDOWS\SYSTEM32\ll0.dll
Adware:adware/delfinmedia Not disinfected C:\PROGRAM FILES\COMMON FILES\remove_tools.html
Spyware:spyware/whazit Not disinfected C:\WINDOWS\SYSTEM32\fiz1
Adware:adware/browseraid Not disinfected C:\WINDOWS\SYSTEM32\inetp60.dll
Adware:adware/virtualbouncer Not disinfected C:\WINDOWS\SYSTEM32\INNERADINSTALL.LOG
Adware:adware/ist.istbar Not disinfected C:\WINDOWS\SYSTEM32\istinstall_154074.exe
Adware:adware/adlogix Not disinfected C:\WINDOWS\SYSTEM32\pacifisy.dll
Adware:adware/iedriver Not disinfected C:\WINDOWS\SYSTEM32\sub.dll
Adware:adware/tvmedia Not disinfected C:\Documents and Settings\Owner\Application Data\tvmcwrd.dll
Adware:adware/portalscan Not disinfected C:\WINDOWS\BUNDLES\2504040901.exe
Adware:adware/clickalchemy Not disinfected C:\WINDOWS\INF\alchem.inf
Spyware:spyware/betterinet Not disinfected C:\WINDOWS\INF\biini.inf
Adware:adware/powerstrip Not disinfected C:\WINDOWS\jawa32.dat
Adware:adware/ncase Not disinfected C:\WINDOWS\msbb.log
Adware:adware/twain-tech Not disinfected C:\WINDOWS\satmat.ini
Adware:adware/sidesearch Not disinfected C:\PROGRAM FILES\Lycos
Adware:adware/midaddle Not disinfected C:\PROGRAM FILES\COMMON FILES\midaddle
Adware:adware/keenvalue Not disinfected C:\PROGRAM FILES\COMMON FILES\updater
Adware:adware/wintools Not disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\Web Search Tools
Spyware:spyware/clearsearch Not disinfected Windows Registry
Virus:Trj/SubSearch.F Not disinfected C:\Documents and Settings\All Users\Application Data\IEService\IEService.dll
Virus:Trj/SubSearch.H Not disinfected C:\Documents and Settings\All Users\Application Data\IEService\v28.exe
Adware:Adware/DelFinMedia Not disinfected C:\Program Files\Common Files\remove_tools.html
Spyware:Spyware/BetterInet Not disinfected C:\Program Files\Common Files\updater\data1.dat
Spyware:Spyware/BetterInet Not disinfected C:\Program Files\Common Files\updater\data2.dat
Spyware:Spyware/ClearSearch Not disinfected C:\Program Files\Lycos\IEagent\CSIEINST.DLL
Adware:Adware/Adtomi Not disinfected C:\Security Tools\hijackthis\backups\backup-20051220-215057-694.dll
Spyware:Spyware/AdClicker Not disinfected C:\web.exe
Adware:Adware/AdDestroyer Not disinfected C:\WINDOWS\bundles\2504040901.exe
Adware:Adware/VirtualBouncer Not disinfected C:\WINDOWS\bundles\BundleOuter2517040728.exe
Adware:Adware/MyDailyHoroscopeNot disinfected C:\WINDOWS\bundles\setup_silent_17125.exe
Adware:Adware/TopRebates Not disinfected C:\WINDOWS\bundles\WebRebates_Auto_InstallSilent.exe
Adware:Adware/IPInsight Not disinfected C:\WINDOWS\INF\alchem.inf
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\INF\biH.inf
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\INF\biini.inf
Adware:Adware/Transponder Not disinfected C:\WINDOWS\INF\polmx2.inf
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\INF\satmat.inf
Virus:Trj/Mirkaa.G Not disinfected C:\WINDOWS\mirka3b.exe
Virus:Trj/Mirkaa.H Not disinfected C:\WINDOWS\mirka3e.exe
Adware:Adware/IPInsight Not disinfected C:\WINDOWS\satmat.ini
Adware:Adware/BHO Not disinfected C:\WINDOWS\SYSTEM32\2mc0.dll
Adware:adware/savenow Not disinfected C:\WINDOWS\SYSTEM32\datastore.dll
Adware:Adware/PortalScan Not disinfected C:\WINDOWS\SYSTEM32\id119.exe
Adware:Adware/BrowserAid Not disinfected C:\WINDOWS\SYSTEM32\inetp60.dll
Adware:Adware/Adtomi Not disinfected C:\WINDOWS\SYSTEM32\ll0.dll
Virus:Trj/Mirkaa.G Not disinfected C:\WINDOWS\SYSTEM32\mirka3b.exe
Adware:Adware/AdLogix Not disinfected C:\WINDOWS\SYSTEM32\orrbhd.exe
Adware:Adware/AdLogix Not disinfected C:\WINDOWS\SYSTEM32\unpack.exe

#6
ginger911

    Member

  • Topic Starter
  • Member
  • 18 posts
OK, I downloaded AVG and did the scan, and it got rid of something. I also downloaded Microsoft AntiSpyware beta, and it also got rid of some stuff, it said.

Here is the new HJT log,

Logfile of HijackThis v1.99.1
Scan saved at 9:47:32 PM, on 12/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Security Tools\ewido\ewido anti-malware\ewidoctrl.exe
C:\Security Tools\ewido\ewido anti-malware\ewidoguard.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon03.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\WINDOWS\explorer.exe
C:\Security Tools\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\SYSTEM32\ll0.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll (file missing)
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [UqQqft6B] C:\documents and settings\owner\local settings\temp\UqQqft6B.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [Sc] C:\documents and settings\owner\local settings\temp\Sc.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [r0zPs4aZ] C:\documents and settings\owner\local settings\temp\r0zPs4aZ.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [p72k3se] dxmmbed.exe
O4 - HKLM\..\Run: [orrbhc] C:\WINDOWS\System32\orrbhc.exe
O4 - HKLM\..\Run: [O7Z] C:\documents and settings\owner\local settings\temp\O7Z.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [MSN Manager] C:\WINDOWS\System32\cvss.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [hir] C:\WINDOWS\hir.exe
O4 - HKLM\..\Run: [eyboardk] C:\WINDOWS\System32\eyboardk.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [azcattcusiqdx] C:\WINDOWS\System32\ffeagl.exe
O4 - HKLM\..\Run: [aqadcup] C:\WINDOWS\aqadcup.exe
O4 - HKLM\..\Run: [a1504dc972ef] C:\WINDOWS\System32\bridge91.exe
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\QcfL.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [hzqzfv9.exe] C:\WINDOWS\system32\hzqzfv9.exe /k
O4 - HKCU\..\Run: [msencode] C:\WINDOWS\System32\msencode.exe
O4 - HKCU\..\Run: [d3d8] C:\WINDOWS\System32\d3d8.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [196_150_ni] C:\WINDOWS\System32\196_150_ni.exe
O4 - HKCU\..\Run: [197_150_ni_4] C:\WINDOWS\System32\197_150_ni_4.exe
O4 - HKCU\..\Run: [198_150_ni_3] C:\WINDOWS\System32\198_150_ni_3.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [YwtqRiK5V] edlgmgr.exe
O4 - HKCU\..\RunOnce: [hzqzfv9.exe] C:\WINDOWS\system32\hzqzfv9.exe /k
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {354A56A8-738A-4D48-817D-58F90B7EC0E6} - http://www.shawneelink.net/support/ (file missing) (HKCU)
O9 - Extra button: SLU - {48D8AF06-65C3-4ECF-82AD-DA1B4302BB08} - http://slu.shawneelink.net (file missing) (HKCU)
O9 - Extra button: User Area - {688D4C17-1B0A-4F2E-BEE5-177F0EE846F0} - http://www.shawneelink.net/users/ (file missing) (HKCU)
O12 - Plugin for .MOV: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.shawneelink.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103038930889
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Security Tools\ewido\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Security Tools\ewido\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe

#7
Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
OK, let's try to clean this up again :tazz:

We need to rerun the Pepper trojan remover. If you still have it on your computer, you don't need to redownload it. Download this file, run it, and let it terminate (it'll just blink briefly on your screen and won't appear to have done much; this is normal): http://www.geekstogo...=download&id=18



THE FIX


Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Go to Start->Run and type in services.msc and hit OK. Then look for BAD_SERVICE_GOES HERE and double click on it. Click on the Stop button and under Startup type, choose Disabled, then apply.

5. Open up and run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan, when it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
Close Ewido

6. Close all browsers, windows and unneeded programs.

7. Open HiJack and do a scan.

8. Put a Check next to the following items:

O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\SYSTEM32\ll0.dll
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [UqQqft6B] C:\documents and settings\owner\local settings\temp\UqQqft6B.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [Sc] C:\documents and settings\owner\local settings\temp\Sc.exe
O4 - HKLM\..\Run: [r0zPs4aZ] C:\documents and settings\owner\local settings\temp\r0zPs4aZ.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [p72k3se] dxmmbed.exe
O4 - HKLM\..\Run: [orrbhc] C:\WINDOWS\System32\orrbhc.exe
O4 - HKLM\..\Run: [O7Z] C:\documents and settings\owner\local settings\temp\O7Z.exe
O4 - HKLM\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKLM\..\Run: [hir] C:\WINDOWS\hir.exe
O4 - HKLM\..\Run: [eyboardk] C:\WINDOWS\System32\eyboardk.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [azcattcusiqdx] C:\WINDOWS\System32\ffeagl.exe
O4 - HKLM\..\Run: [aqadcup] C:\WINDOWS\aqadcup.exe
O4 - HKLM\..\Run: [a1504dc972ef] C:\WINDOWS\System32\bridge91.exe
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\QcfL.exe
O4 - HKLM\..\RunOnce: [hzqzfv9.exe] C:\WINDOWS\system32\hzqzfv9.exe /k
O4 - HKCU\..\Run: [msencode] C:\WINDOWS\System32\msencode.exe
O4 - HKCU\..\Run: [d3d8] C:\WINDOWS\System32\d3d8.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [196_150_ni] C:\WINDOWS\System32\196_150_ni.exe
O4 - HKCU\..\Run: [197_150_ni_4] C:\WINDOWS\System32\197_150_ni_4.exe
O4 - HKCU\..\Run: [198_150_ni_3] C:\WINDOWS\System32\198_150_ni_3.exe
O4 - HKCU\..\Run: [YwtqRiK5V] edlgmgr.exe
O4 - HKCU\..\RunOnce: [hzqzfv9.exe] C:\WINDOWS\system32\hzqzfv9.exe /k
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)


9. Click the Fix Checked box.

10. Please remove these entries from Add/Remove Programs in the Control Panel (if present):

WildTangent CDA
Delphin Media Viewer


11. Please remove the following folders using Windows Explorer (if present):

C:\Program Files\WildTangent
C:\WINDOWS\system32\pcs
C:\Program Files\Common Files\Dpi


12. Please remove just the files from the following paths using Windows Explorer (if present):

c:\installer\id53.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\jawa32.exe
C:\WINDOWS\hir.exe
C:\WINDOWS\aqadcup.exe
C:\WINDOWS\System32\orrbhc.exe
C:\WINDOWS\System32\eyboardk.exe
C:\WINDOWS\System32\IEHost.exe
C:\WINDOWS\System32\ffeagl.exe
C:\WINDOWS\System32\bridge91.exe
C:\WINDOWS\System32\QcfL.exe
C:\WINDOWS\System32\msencode.exe
C:\WINDOWS\System32\d3d8.exe
C:\WINDOWS\System32\196_150_ni.exe
C:\WINDOWS\System32\197_150_ni_4.exe
C:\WINDOWS\System32\198_150_ni_3.exe
C:\WINDOWS\system32\hzqzfv9.exe

Use Start > Search to find these file(s):
Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

edlgmgr.exe
dxmmbed.exe


13. Run the program CleanUp!

14. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

15. Please post the Active scan log, Ewido Log and a fresh HiJackThis log. Let me know how your computer is running.
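The two fix posts in this thread (#2 and #7) pick entries out of the HijackThis log by eye: O4 Run entries that start from a user's Local Settings\Temp folder, entries that name a bare executable with no path, an O23 service whose binary is missing or that claims to be svchost.exe but sits in C:\WINDOWS instead of System32, and a BHO registered with no name. The script below is an added example, not code from the thread, from Geeks to Go or from HijackThis; it applies those same checks to a HijackThis v1.99 log and prints a review list. The sample lines are copied from the logs posted above, and the heuristics are assumptions about what deserves a second look, not a verdict (the same log carries an unnamed but legitimate Microsoft Money BHO, which this script would also list).

```python
"""Triage helper for HijackThis v1.99 logs (added example, not HijackThis code).

Flags O2/O4/O23 entries that match the patterns a helper looks for by hand:
Temp-folder launches, path-less executables, missing service binaries, core
system binary names outside System32, and unnamed BHOs.  The list is for
review, not a verdict.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample lines copied from the HijackThis logs posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\SYSTEM32\ll0.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [UqQqft6B] C:\documents and settings\owner\local settings\temp\UqQqft6B.exe
O4 - HKLM\..\Run: [p72k3se] dxmmbed.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\RunOnce: [hzqzfv9.exe] C:\WINDOWS\system32\hzqzfv9.exe /k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Line shapes HijackThis v1.99 prints for the three sections handled here.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\(?:Run|RunOnce|RunServices): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Binaries that belong in %SystemRoot%\System32; a copy anywhere else borrows the name.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe", "smss.exe", "winlogon.exe", "csrss.exe"}


@dataclass(frozen=True)
class Finding:
    section: str  # O2, O4 or O23
    name: str     # entry or service name exactly as HijackThis prints it
    path: str     # file the entry points at
    reason: str   # why it is worth a second look


def launched_file(cmd: str) -> str:
    """Best-effort extraction of the file an O4 command line actually starts."""
    m = re.match(r'"?(?P<exe>[^"]*?\.exe)', cmd, re.IGNORECASE)
    if not m:
        return cmd.strip()
    exe = m.group("exe")
    # rundll32 is only a host process; the interesting file is the DLL it loads.
    if exe.lower().endswith("rundll32.exe"):
        dll = re.search(r'"?(?P<dll>[^",]*?\.dll)', cmd[m.end():], re.IGNORECASE)
        if dll:
            return dll.group("dll")
        rest = cmd[m.end():].strip()
        return rest.split(",")[0].split()[0] if rest else exe
    return exe


def check_path(path: str) -> list[str]:
    """Heuristics that apply to any file path HijackThis prints."""
    low = path.lower()
    reasons = []
    if "\\temp\\" in low:
        reasons.append("launched from a Temp folder")
    if "\\" not in low and low.endswith(".exe"):
        reasons.append("bare executable name, resolved via the PATH search at logon")
    if "(file missing)" in low:
        reasons.append("file missing on disk")
    folder, _, base = low.replace(" (file missing)", "").rpartition("\\")
    if base in SYSTEM32_ONLY and not folder.endswith("\\system32"):
        reasons.append(f"{base} outside System32")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per (entry, reason) pair found in a HijackThis log."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            section, name, path = "O2", m["name"], m["path"]
            reasons = check_path(path)
            if name == "(no name)":
                reasons.append("BHO registered without a name")
        elif m := O4_RE.match(line):
            section, name, path = "O4", m["name"], launched_file(m["cmd"])
            reasons = check_path(path)
        elif m := O23_RE.match(line):
            section, name, path = "O23", m["name"], m["path"]
            reasons = check_path(path)
        else:
            continue
        findings.extend(Finding(section, name, path, r) for r in reasons)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}[{f.name}] {f.path}\n      -> {f.reason}")
```

Running the block on its built-in sample reports the unnamed ll0.dll BHO, the Temp-folder UqQqft6B.exe, the path-less dxmmbed.exe and, twice, the ".NET Framework Service" whose binary is both missing and named svchost.exe outside System32; the hzqzfv9.exe RunOnce entry, which the helper also fixes, is not caught by these rules, which is why the output is a starting point for a read-through rather than a replacement for one.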

#8
ginger911

    Member

  • Topic Starter
  • Member
  • 18 posts
4. Go to Start->Run and type in services.msc and hit OK. Then look for BAD_SERVICE_GOES HERE and double click on it. Click on the Stop button and under Startup type, choose Disabled, then apply.


I didn't know what to do with this step. Which services am I looking for?

#9
Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Yikes, I am really sorry about that :tazz:

.NET Framework Service (.NET Connection Service)

#10
ginger911

    Member

  • Topic Starter
  • Member
  • 18 posts
SIDENOTE: One thing I am noticing are ads about a winfixer registry program a lot now.


#11
Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
When you're all done, go ahead and post those logs :)

:tazz:

Excal

#12
ginger911

    Member

  • Topic Starter
  • Member
  • 18 posts
The other logs.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:17:22 PM, 12/22/2005
+ Report-Checksum: 502529FB

+ Scan result:

C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@linksynergy[1].txt -> Spyware.Cookie.Linksynergy : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SQ3AK9JE\uninst[1].exe -> Downloader.VB.ge : Cleaned with backup
C:\WINDOWS\Temp\~499301.tmp -> Downloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~778905.tmp -> Downloader.WinTool : Error during cleaning
C:\WINDOWS\Temp\~892989.tmp -> Downloader.WinTool : Error during cleaning


::Report End



Incident Status Location

Adware:adware/delfinmedia Not disinfected C:\PROGRAM FILES\COMMON FILES\remove_tools.html
Spyware:spyware/whazit Not disinfected C:\WINDOWS\SYSTEM32\fiz1
Adware:adware/virtualbouncer Not disinfected C:\WINDOWS\SYSTEM32\INNERADINSTALL.LOG
Adware:adware/ist.istbar Not disinfected C:\WINDOWS\SYSTEM32\istinstall_154074.exe
Adware:adware/adlogix Not disinfected C:\WINDOWS\SYSTEM32\pacifisy.dll
Adware:adware/portalscan Not disinfected C:\WINDOWS\BUNDLES\32wu54rd.exe
Spyware:spyware/betterinet Not disinfected C:\WINDOWS\INF\biini.inf
Adware:adware/powerstrip Not disinfected C:\WINDOWS\jawa32.dat
Adware:adware/ncase Not disinfected C:\WINDOWS\msbbau.dat
Adware:adware/twain-tech Not disinfected C:\WINDOWS\satmat.ini
Adware:adware/sidesearch Not disinfected C:\PROGRAM FILES\Lycos
Adware:adware/tvmedia Not disinfected C:\WINDOWS\bundles
Spyware:spyware/searchcentrix Not disinfected Windows Registry
Adware:Adware/DelFinMedia Not disinfected C:\Program Files\Common Files\remove_tools.html
Adware:Adware/Adtomi Not disinfected C:\Security Tools\hijackthis\backups\backup-20051220-215057-694.dll
Adware:Adware/Adtomi Not disinfected C:\Security Tools\hijackthis\backups\backup-20051222-232219-645.dll
Adware:Adware/VirtualBouncer Not disinfected C:\WINDOWS\bundles\BundleOuter2517040728.exe
Adware:Adware/MyDailyHoroscopeNot disinfected C:\WINDOWS\bundles\setup_silent_17125.exe
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\INF\biH.inf
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\INF\biini.inf
Adware:Adware/Transponder Not disinfected C:\WINDOWS\INF\polmx2.inf
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\INF\satmat.inf
Virus:Trj/Mirkaa.G Not disinfected C:\WINDOWS\mirka3b.exe
Virus:Trj/Mirkaa.H Not disinfected C:\WINDOWS\mirka3e.exe
Adware:Adware/IPInsight Not disinfected C:\WINDOWS\satmat.ini
Adware:adware/savenow Not disinfected C:\WINDOWS\SYSTEM32\datastore.dll
Adware:Adware/PortalScan Not disinfected C:\WINDOWS\SYSTEM32\id119.exe
Adware:Adware/Adtomi Not disinfected C:\WINDOWS\SYSTEM32\ll0.dll
Virus:Trj/Mirkaa.G Not disinfected C:\WINDOWS\SYSTEM32\mirka3b.exe
Adware:Adware/AdLogix Not disinfected C:\WINDOWS\SYSTEM32\orrbhd.exe

Logfile of HijackThis v1.99.1
Scan saved at 6:35:17 AM, on 12/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon03.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Security Tools\ewido\ewido anti-malware\ewidoctrl.exe
C:\Security Tools\ewido\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Security Tools\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll (file missing)
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [MSN Manager] C:\WINDOWS\System32\cvss.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [msencode] C:\WINDOWS\System32\msencode.exe
O4 - HKCU\..\Run: [d3d8] C:\WINDOWS\System32\d3d8.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [196_150_ni] C:\WINDOWS\System32\196_150_ni.exe
O4 - HKCU\..\Run: [197_150_ni_4] C:\WINDOWS\System32\197_150_ni_4.exe
O4 - HKCU\..\Run: [198_150_ni_3] C:\WINDOWS\System32\198_150_ni_3.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [YwtqRiK5V] edlgmgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {354A56A8-738A-4D48-817D-58F90B7EC0E6} - http://www.shawneelink.net/support/ (file missing) (HKCU)
O9 - Extra button: SLU - {48D8AF06-65C3-4ECF-82AD-DA1B4302BB08} - http://slu.shawneelink.net (file missing) (HKCU)
O9 - Extra button: User Area - {688D4C17-1B0A-4F2E-BEE5-177F0EE846F0} - http://www.shawneelink.net/users/ (file missing) (HKCU)
O12 - Plugin for .MOV: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.shawneelink.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103038930889
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Security Tools\ewido\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Security Tools\ewido\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe

#13
Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Seems like something may be protecting the entries.

Right click on the Microsoft/Giant AntiSpyware icon (looks like a target) and click on Security Agents Status (Enabled) and click on Disable Real-time Protection. To re-enable it after the fix, you follow the same steps but click on Enable Real-time Protection.

Open HijackThis and do a scan. Please check off the following items:

O4 - HKCU\..\Run: [d3d8] C:\WINDOWS\System32\d3d8.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [196_150_ni] C:\WINDOWS\System32\196_150_ni.exe
O4 - HKCU\..\Run: [197_150_ni_4] C:\WINDOWS\System32\197_150_ni_4.exe
O4 - HKCU\..\Run: [198_150_ni_3] C:\WINDOWS\System32\198_150_ni_3.exe
O4 - HKCU\..\Run: [YwtqRiK5V] edlgmgr.exe
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)


Click FIX CHECKED, then close HijackThis.

Please remove the following folders using Windows Explorer (if present):

C:\PROGRAM FILES\Lycos
C:\WINDOWS\bundles
C:\WINDOWS\SYSTEM32\fiz1
C:\Program Files\Common Files\remove_tools.html
Please download the Killbox.

Please run Killbox.
  • Select "Delete on Reboot".
  • Copy the file names below to the clipboard by highlighting them and pressing Control-C:


    C:\WINDOWS\INF\biH.inf
    C:\WINDOWS\INF\biini.inf
    C:\WINDOWS\INF\polmx2.inf
    C:\WINDOWS\INF\satmat.inf
    C:\WINDOWS\mirka3b.exe
    C:\WINDOWS\msbbau.dat
    C:\WINDOWS\satmat.ini
    C:\WINDOWS\jawa32.dat
    C:\PROGRAM FILES\COMMON FILES\remove_tools.html
    C:\WINDOWS\svchost.exe
    C:\WINDOWS\System32\msencode.exe
    C:\WINDOWS\System32\d3d8.exe
    C:\WINDOWS\System32\edlgmgr.exe
    C:\WINDOWS\System32\196_150_ni.exe
    C:\WINDOWS\System32\197_150_ni_4.exe
    C:\WINDOWS\System32\198_150_ni_3.exe
    C:\WINDOWS\SYSTEM32\INNERADINSTALL.LOG
    C:\WINDOWS\SYSTEM32\istinstall_154074.exe
    C:\WINDOWS\SYSTEM32\pacifisy.dll
    C:\WINDOWS\SYSTEM32\datastore.dll
    C:\WINDOWS\SYSTEM32\id119.exe
    C:\WINDOWS\SYSTEM32\ll0.dll
    C:\WINDOWS\SYSTEM32\mirka3b.exe
    C:\WINDOWS\SYSTEM32\orrbhd.exe


  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

    If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.
  • Let the system reboot.

After reboot, post me a fresh HijackThis log please :tazz:

#14
ginger911

    Member

  • Topic Starter
  • Member
  • 18 posts
Hi, I hope you had a good Christmas and a great New Year!

Sorry it's been a while, I got tied up in the festivities :tazz:

Here's my next log.

Logfile of HijackThis v1.99.1
Scan saved at 10:43:54 PM, on 1/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon03.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Security Tools\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll (file missing)
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [MSN Manager] C:\WINDOWS\System32\cvss.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [msencode] C:\WINDOWS\System32\msencode.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {354A56A8-738A-4D48-817D-58F90B7EC0E6} - http://www.shawneelink.net/support/ (file missing) (HKCU)
O9 - Extra button: SLU - {48D8AF06-65C3-4ECF-82AD-DA1B4302BB08} - http://slu.shawneelink.net (file missing) (HKCU)
O9 - Extra button: User Area - {688D4C17-1B0A-4F2E-BEE5-177F0EE846F0} - http://www.shawneelink.net/users/ (file missing) (HKCU)
O12 - Plugin for .MOV: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.shawneelink.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103038930889
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe

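A quick way to verify a follow-up log like the one above is to compare it against the helper's instructions mechanically. The script below is an added example written for this thread (not code from Excal, HijackThis or Killbox): it parses the "fix checked" list from post #13 and the HKCU Run / O23 lines of the log in post #14 (both copied from the thread; the other sections are left out for brevity), reports which fix-list entries are still present, and flags any Run value that still launches a file from the Killbox list. Keying O4 entries by Run value name and O23 entries by service display name is an assumption about the HijackThis line format.

```python
import re
FIX_LIST = r"""
O4 - HKCU\..\Run: [d3d8] C:\WINDOWS\System32\d3d8.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [196_150_ni] C:\WINDOWS\System32\196_150_ni.exe
O4 - HKCU\..\Run: [197_150_ni_4] C:\WINDOWS\System32\197_150_ni_4.exe
O4 - HKCU\..\Run: [198_150_ni_3] C:\WINDOWS\System32\198_150_ni_3.exe
O4 - HKCU\..\Run: [YwtqRiK5V] edlgmgr.exe
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
"""
FOLLOWUP_LOG = r"""
O4 - HKCU\..\Run: [msencode] C:\WINDOWS\System32\msencode.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""
KILLBOX_FILES = [r"C:\WINDOWS\System32\msencode.exe",   # three of the Killbox
                 r"C:\WINDOWS\System32\d3d8.exe",       # targets from post #13
                 r"C:\WINDOWS\System32\edlgmgr.exe"]
LINE_RE = re.compile(r"^(O\d+) - (.+)$")               # section, rest of line
RUN_RE = re.compile(r"\[([^\]]+)\]\s*(.+)$")           # [value name] command

def parse(log):
    """Key each O-line by (section, identifier) -> (line, launched exe or None)."""
    entries = {}
    for line in (l.strip() for l in log.splitlines()):
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        ident, exe = body, None                       # default: whole body
        if section == "O4" and (r := RUN_RE.search(body)):
            ident, cmd = r.groups()                   # Run value name, command
            exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]
        elif section == "O23":
            ident = body.split(" - ")[0]              # "Service: <display name>"
        entries[(section, ident.lower())] = (line, exe)
    return entries

def still_present(fix_list, followup):
    """Fix-list entries that survived the HijackThis fix; ideally empty."""
    after = parse(followup)
    return [line for key, (line, _) in parse(fix_list).items() if key in after]

def run_entries_for_deleted_files(paths, followup):
    """O4 Run values that still launch a file Killbox was told to delete."""
    names = {p.rsplit("\\", 1)[-1].lower() for p in paths}
    return [line for (sec, _), (line, exe) in parse(followup).items()
            if sec == "O4" and exe and exe.rsplit("\\", 1)[-1].lower() in names]
```

On the excerpts above it reports the .NET Connection Service entry as still present and the msencode Run value as still pointing at a Killbox target, which is exactly what a helper would want to re-check before calling the machine clean.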
#15
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
How are things running?
Excal