Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Need help for ridding spyware [CLOSED]

Started by Meowzer , Dec 23 2005 10:54 AM

  • This topic is locked This topic is locked

#1
Meowzer
Posted 23 December 2005 - 10:54 AM

Meowzer

    New Member

  • Member
  • Pip
  • 4 posts
Logfile of HijackThis v1.99.1
Scan saved at 11:53:21 AM, on 12/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\mssearchnet.exe
C:\WINDOWS\System32\nvctrl.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Daily Weather Forecast\weather.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\sysmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\windows\alexa.exe
C:\WINDOWS\alt.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\program files\internet explorer\iexplore.exe
C:\program files\internet explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = google.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\System32\hpAFB8.tmp
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [Systems] C:\WINDOWS\System32\sysmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [alexa] c:\windows\alexa.exe
O4 - HKCU\..\Run: [ClearCookies] C:\WINDOWS\cc.exe
O4 - HKCU\..\Run: [AlexaToolbar] C:\WINDOWS\alt.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\clbcatix.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\clbcatix.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.redfunny.com
O15 - Trusted Zone: www.skymasters.biz
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {20050325-D35A-4233-926E-2E801AE25949} (NMJPStarter15 Class) - http://www.netmarble...MStarterJP5.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co....cab?10,0,910,0
O16 - DPF: {6FC19219-C47E-4880-9A79-D218A1C374F9} (NMJTransX Control) - http://file.netmarbl...l/NMJTransX.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll
O20 - Winlogon Notify: clbcatex - C:\WINDOWS\system32\clbcatix.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll
O20 - Winlogon Notify: style32 - C:\WINDOWS\q46909656_disk.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
  • 0

Advertisements

#2
Trevuren
Posted 23 December 2005 - 11:20 AM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi Meowzer and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.

We need to do a general overall cleanup of your system at this time

A.Download and Run a free trial version of an anti-trojan program called Trojan Hunter: HERE
  • Let it scan your whole system and remove anything it finds.
  • REBOOT your system.
B. Run Panda, a free online antivirus scan from HERE
  • Let it remove anything it finds.
  • REBOOT your system.
C. Download, install, update, configure, and run Ad-Aware SE Personal 1.06.
  • Download Ad-Aware SE Personal 1.06:
  • Install Ad-Aware SE Personal 1.06:
    • Double-click on aawsepersonal.exe to install the program.
    • Follow the default settings for installation.
    • After the program has finished installing uncheck the "Perform a full system scan now", "Update definition file now", and "Open the help file now" boxes.
  • Update Ad-Aware SE Personal 1.06:
    • Double-click the Ad-Aware SE Personal icon on your desktop.
    • Click "Check for updates now" then click "Connect".
    • It will check for any updates. If any are found click "OK" to download and install the updates. Once it has finished click "Finish".
  • Configure Ad-Aware SE Personal 1.06:
    • Click on the Gear button at the top of the window.
    • Click "General" on the left hand side to display the General Settings box.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
        • "Automatically save logfile"
        • "Automatically quarantine objects prior to removal"
        • "Safe Mode (always request confirmation)"
        • "Prompt to update outdated definitions" - change to 7 days from the default 14.
    • Click "Scanning" on the left hand side to display the Scan Settings box.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
      • "Scan within archives"
      • "Select drives & folders to scan" - select your hard drive(s).
      • "Scan active processes"
      • "Scan registry"
      • "Deep-scan registry"
      • "Scan my IE favorites for banned URLs"
      • "Scan my Hosts file"
    • Click "Advanced" on the left hand side to display the Advanced Settings box.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
      • "Move deleted files to Recycle Bin"
      • "Include additional object information"
      • "Include negligible objects information"
      • "Include environment information"
    • Click "Defaults" on the left hand side to display the Default Settings box.
      • Make sure these items have your preferred settings in them.:
      • "Default homepage"
      • "Default searchpage"
    • Click "Tweak" on the left hand side to display the Tweak Settings box.
      • Click the + (plus) sign next to the Log Files section. This will expand the section.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
        • "Include basic Ad-Aware settings in log file"
        • "Include additional Ad-Aware settings in log file"
        • "Include reference summary in log file"
        • "Include alternate data stream details in log file"
      • Click the + (plus) sign next to the Scanning Engine section. This will expand the section.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
        • "Unload recognized processes & modules during scan"
        • "Scan registry for all users instead of current user only"
        • "Obtain command line of scanned processes"
      • Click the + (plus) sign next to the Cleaning Engine section. This will expand the section.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
        • "Always try to unload modules before deletion"
        • "During removal, unload Explorer and IE if necessary"
        • "Let Windows remove files in use at next reboot"
        • "Delete quarantined objects after restoring"
    • Once you are done with these settings, click "Proceed" to save them.
    • This will take you back to the main screen.
  • Run Ad-Aware SE Personal 1.06:
    • Click the "Start" button.
    • Uncheck the "Search for negligible risk entries" entry.
    • Choose the "Use custom scanning options" scan mode.
    • Click the "Next" button.
    • Ad-Aware will begin to scan for malware residing on your computer.
    • Allow the scan to finish.
    • Right-click on any entry in the list and click "Select All" to select the whole list.
    • Click "Next" and choose "OK" at the prompt to quarantine and remove the objects.
    • REBOOT your system.
D. Please follow the instructions provided, you may want to print out these instructions and use them as a reference.
  • Please download ewido security suite it is a trial version of the program.
    • Install ewido security suite
    • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    • Launch ewido, there should be an icon on your desktop double-click it.
    • The program will prompt you to update click the OK button
    • The program will now go to the main screen
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update
    • Click on Start
    • The update will start and a progress bar will show the updates being installed.
  • Once the updates are installed do the following:
    • REBOOT into Safe Mode
    • Run EWIDO
    • Click on scanner
    • Click on Start Scan
    • Let the program scan the machine
    • While the scan is in progress you will be prompted to clean files, click OK
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    • Click Save report
    • Save the report to your desktop
  • Reboot your machine

E. Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

The program with probably ask you to reboot. If it doesn't, then REBOOT your system yourself.

F. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review along with your Ewido log.

Regards,

Trevuren
  • 0

#3
Meowzer
Posted 23 December 2005 - 09:37 PM

Meowzer

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Thank for you helping me with my spyware problems. I have completed what you have asked and have the follow logs.



HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:35:49 PM, on 12/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvctrl.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\windows\alexa.exe
C:\WINDOWS\alt.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = google.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\System32\hp2287.tmp
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [Systems] C:\WINDOWS\System32\sysmon.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [alexa] c:\windows\alexa.exe
O4 - HKCU\..\Run: [ClearCookies] C:\WINDOWS\cc.exe
O4 - HKCU\..\Run: [AlexaToolbar] C:\WINDOWS\alt.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\clbcatix.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\clbcatix.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.redfunny.com
O15 - Trusted Zone: www.skymasters.biz
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {20050325-D35A-4233-926E-2E801AE25949} (NMJPStarter15 Class) - http://www.netmarble...MStarterJP5.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co....cab?10,0,910,0
O16 - DPF: {6FC19219-C47E-4880-9A79-D218A1C374F9} (NMJTransX Control) - http://file.netmarbl...l/NMJTransX.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll
O20 - Winlogon Notify: clbcatex - C:\WINDOWS\system32\clbcatix.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll (file missing)
O20 - Winlogon Notify: style32 - C:\WINDOWS\q46909656_disk.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe






Ewido Log:


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:04:14 PM, 12/23/2005
+ Report-Checksum: DF511B11

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{724510C3-F3C8-4FB7-879A-D99F29008A2F} -> Hijacker.SpyAxe : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta\{724510c3-f3c8-4fb7-879a-d99f29008a2f} -> Hijacker.SpyAxe : Cleaned with backup
[1228] C:\WINDOWS\prflbmsgp32.dll -> Downloader.Delf.vt : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.119:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.120:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.143:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.144:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.145:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.146:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.203:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.204:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.205:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookiesnew.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookiesnew.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookiesnew.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookiesnew.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookiesnew.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookiesnew.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookiesnew.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookiesnew.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookiesnew.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookiesnew.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookiesnew.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookiesnew.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookiesnew.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookiesnew.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookiesnew.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookiesnew.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookiesnew.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookiesnew.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookiesnew.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookiesnew.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookiesnew.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookiesnew.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookiesnew.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookiesnew.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookiesnew.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.115:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookiesnew.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.138:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookiesnew.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.139:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookiesnew.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.140:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookiesnew.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.141:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookiesnew.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.198:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookiesnew.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.199:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookiesnew.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.200:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s415wri1.default\cookiesnew.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0F.dat/files\wtvh.dll -> Spyware.WildTangent : Error during cleaning
C:\Downloads\RAG_SETUP0615(1).EXE -> Backdoor.Ifinst : Cleaned with backup
C:\Downloads\RAG_SETUP0615.EXE.jc! -> Backdoor.Ifinst : Cleaned with backup
C:\Downloads\SAK_SETUP0621.EXE -> Backdoor.Ifinst : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\386CFFA8-6ABA-43C2-B28C-6856FB\F9E4EB00-0723-4F35-876F-676596 -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\4598914A-657B-4463-8702-069BF3\534D7804-BE43-44B7-A790-972191 -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Program Files\SearchRelevant\SearchRelevant.dll -> Spyware.Relevance : Cleaned with backup
C:\RECYCLER\S-1-5-21-1595514904-3354657971-3400817568-1003\Dc20.exe.tcf -> Not-A-Virus.Hoax.Win32.Renos.ad : Cleaned with backup
C:\WINDOWS\adsldpbf.dll -> Downloader.Delf.lh : Cleaned with backup
C:\WINDOWS\alt.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\WINDOWS\ExeDialer.exe.tcf -> Trojan.P2E.br : Cleaned with backup
C:\WINDOWS\g10857781.dll.tcf -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\g10865890.dll.tcf -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\g3659562.dll.tcf -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\g3661515.dll.tcf -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\g7256921.dll.tcf -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\g7276484.dll.tcf -> Downloader.Delf.zu : Cleaned with backup
C:\WINDOWS\hpcaahkr.exe -> Downloader.IstBar.gl : Cleaned with backup
C:\WINDOWS\IFinst25.exe -> Backdoor.Ifinst : Cleaned with backup
C:\WINDOWS\mpatrol.dll -> Downloader.Delf.vt : Cleaned with backup
C:\WINDOWS\netdde.dll -> Downloader.Delf.yc : Cleaned with backup
C:\WINDOWS\prflbmsgp32.dll -> Downloader.Delf.vt : Cleaned with backup
C:\WINDOWS\services.exe.tcf -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\system32\1024\ldF28F.tmp -> Trojan.Small : Cleaned with backup
C:\WINDOWS\system32\checkIn.dll -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\system32\hpBB8F.tmp -> Downloader.Zlob.dj : Cleaned with backup
C:\WINDOWS\system32\ldB863.tmp -> Downloader.Zlob.br : Cleaned with backup
C:\WINDOWS\system32\mssearchnet.exe -> Downloader.Zlob.dd : Cleaned with backup
C:\WINDOWS\system32\nvctrl.exe -> Downloader.Zlob.dj : Cleaned with backup
C:\WINDOWS\system32\sysfind.exe.tcf -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\system32\sysmon.exe.tcf -> Downloader.Small.bsu : Cleaned with backup
C:\WINDOWS\wt\wtupdates\Webd\4.1.1\files\wtvh.dll.tcf -> Spyware.WildTangent : Cleaned with backup
C:\WINDOWS\wt\wtvh.dll.tcf -> Spyware.WildTangent : Cleaned with backup


::Report End
  • 0

#4
Trevuren
Posted 23 December 2005 - 10:00 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
1. Download the following self-extracting file smitRem.exe and save the file to your DESKTOP.
  • Double click the Smitrem.exe icon on your Desktop.
  • Then click Run>Start and a Smitrem folder will apear on your desktop also.



2. Place a shortcut to Panda ActiveScan on your desktop.


3. Ewido
  • Update the definitions to the newest files.
  • DO NOT RUN IT YET

4. Install Ad-Aware SE 1.06, follow these download and setup instructions.
5. REBOOT your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.

6. Now open HJT, click SCAN and place a checkmark next to each of the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\System32\hp2287.tmp
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Systems] C:\WINDOWS\System32\sysmon.exe
O4 - HKCU\..\Run: [ClearCookies] C:\WINDOWS\cc.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.redfunny.com
O15 - Trusted Zone: www.skymasters.biz
O16 - DPF: {20050325-D35A-4233-926E-2E801AE25949} (NMJPStarter15 Class) - http://www.netmarble...MStarterJP5.cab
O16 - DPF: {6FC19219-C47E-4880-9A79-D218A1C374F9} (NMJTransX Control) - http://file.netmarbl...l/NMJTransX.cab
O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll
O20 - Winlogon Notify: clbcatex - C:\WINDOWS\system32\clbcatix.dll (file missing)
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll (file missing)
O20 - Winlogon Notify: style32 - C:\WINDOWS\q46909656_disk.dll (file missing)




7. Click the Fix Checked box and EXIT HJT


8. Using Windows Explorer, please locate and DELETE the following files/folders (with all their content), if they are still present:

C:\WINDOWS\System32\nvctrl.exe
C:\WINDOWS\alt.exe
ALCXMNTR.EXE<==You will have to search for this one
C:\WINDOWS\System32\sysmon.exe
C:\WINDOWS\cc.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\WINDOWS\system32\browsela.dll


9. Open the smitRem folder
  • Double click the RunThis.bat file to start the tool.
  • Follow the prompts on screen.
  • Wait for the tool to complete and disk cleanup to finish.
  • NOTE:The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed.
  • Please post that log along with all others requested in your next reply.

10. Open Ad-aware and do a full scan. Let ir remove all it finds.


11. Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
  • Close Ewido

12. Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.


13. REBOOT back into Normal Mode


14. Click the Panda ActiveScan shortcut
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button
  • then Save Report and save it to your Desktop.

15. Save the scan log and post it along with a new HijackThis Log, the contents of the Smitfiles.txt log and the Ewido Log by using Add Reply.

Let me know if any problems persist.

Regards,

Trevuren
  • 0

#5
Meowzer
Posted 24 December 2005 - 04:57 PM

Meowzer

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:54:30 PM, on 12/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\windows\alexa.exe
C:\WINDOWS\alt.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = google.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R3 - Default URLSearchHook is missing
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [alexa] c:\windows\alexa.exe
O4 - HKCU\..\Run: [AlexaToolbar] C:\WINDOWS\alt.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\clbcatix.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\clbcatix.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co....cab?10,0,910,0
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe



Smitfiles log:


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Sat 12/24/2005
The current time is: 11:59:50.73

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Install.dat


~~~ Favorites ~~~

Antivirus Test Online.url


~~~ system32 folder ~~~

1024 dir
msvol.tlb
ld****.tmp
mssearchnet.exe
ncompat.tlb
mscornet.exe
wp.bmp


~~~ Icons in System32 ~~~

ts.ico
ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1396 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :tazz:



Ewido log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 3:58:04 PM, 12/24/2005
+ Report-Checksum: DB54030F

+ Scan result:

C:\Documents and Settings\Owner\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0F.dat/files\wtvh.dll -> Spyware.WildTangent : Error during cleaning
C:\WINDOWS\__delete_on_reboot__mpatrol.dll -> Downloader.Delf.vt : Cleaned with backup
C:\WINDOWS\__delete_on_reboot__prflbmsgp32.dll -> Downloader.Delf.vt : Cleaned with backup


::Report End


Panda Scan log:


Incident Status Location

Adware:Adware/IST.ISTBar Not desinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-2bf3906b.zip[InstallerApplet.class]
Dialer:dialer.cos Not desinfected C:\Documents and Settings\Owner\Favorites\exsplorer.lnk
Adware:Adware/IST.ISTBar Not desinfected C:\Program Files\Daily Weather Forecast\weather.exe
Adware:Adware/Alexa-Toolbar Not desinfected C:\WINDOWS\alex6.exe
Adware:Adware/Alexa-Toolbar Not desinfected C:\WINDOWS\alexa.exe
Adware:Adware/Miamore Not desinfected C:\WINDOWS\cpblpbc3.log
Spyware:Spyware/BetterInet Not desinfected C:\WINDOWS\inf\satmat.inf
Adware:Adware/IPInsight Not desinfected C:\WINDOWS\satmat.ini
  • 0

#6
Trevuren
Posted 24 December 2005 - 07:26 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
A. Please disable WinPatrol by right clicking the running icon of winpatrol, and choosing exit.

B. Please disable Ewidoguard

C. A. Please download the Killbox by Option^Explicit.

Note:In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.

B. Please RUN HijackThis.
  • . Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R3 - Default URLSearchHook is missing
    O4 - HKCU\..\Run: [AlexaToolbar] C:\WINDOWS\alt.exe
    O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll

  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.


C. Please double-click Killbox.exe to run it.
  • Select
    • "Delete on Reboot
    • Then, click on the "All Files" button"
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

    C:\WINDOWS\alt.exe
    C:\WINDOWS\system32\browsela.dll
    C:\Documents and Settings\Owner\Local Settings\Application Data\Wildtangent
    C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-2bf3906b.zip
    C:\Documents and Settings\Owner\Favorites\exsplorer.lnk
    C:\Program Files\Daily Weather Forecast\weather.exe
    C:\WINDOWS\alex6.exe
    C:\WINDOWS\alexa.exe
    C:\WINDOWS\inf\satmat.inf
    C:\WINDOWS\satmat.ini

  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.


D. Run HJT, click SCAN, produce a log and copy/paste the log into your reply.

Regards,

Trevuren
  • 0

#7
Meowzer
Posted 24 December 2005 - 08:25 PM

Meowzer

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
When I tried to open HijackThis.exe I recieved an error that states "This application has failed to start because MSBVM60.DLL was not found. Re-installing the application may fix this problem." HijackThis.exe was functioning perfectly before and I don't not know why it won't work now.

Edited by Meowzer, 24 December 2005 - 08:25 PM.

  • 0

#8
Trevuren
Posted 24 December 2005 - 09:12 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Have you tried deleting your current copy of HJT, downloading, installing and runnnig a fresh copy of the program. This may resolve the problem. If not, please get back to me.

Regards,

Trevuren
  • 0

#9
Trevuren
Posted 05 January 2006 - 07:32 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP