Solved: desperate act - spyware problem - help!!


athena.c

Thread Starter
Joined
Dec 30, 2005
Messages
9
Hi,

I have little experience with spyware problems, so I'm really happy about any comment!

I've tried Norton Internet Security, Adaware and Spybot, but I've still got that problem!

Here is my logfile:

Logfile of HijackThis v1.99.1
Scan saved at 16:05:53, on 30.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
C:\Programme\Apoint\Apoint.exe
C:\Programme\SigmaTel\C-Major Audio\stacmon.exe
C:\WINDOWS\system32\ICO.EXE
C:\Programme\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Programme\ScanSoft\OmniPagePro12.0\Opware12.exe
C:\Programme\Real\RealPlayer\RealPlay.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\Sony\HotKey Utility\HKWnd.exe
C:\Programme\Apoint\Apntex.exe
C:\DOKUME~1\GEORGI~1\LOKALE~1\Temp\EE.tmp.exe
C:\Programme\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programme\powerpanel\Program\PcfMgr.exe
C:\Programme\WinZip\WZQKPICK.EXE
C:\WINDOWS\netic32.exe
C:\WINDOWS\system32\addlv.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\Georgios K\Desktop\antivirus\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rcnee.dll/sp.html#53142%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rcnee.dll/sp.html#53142%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rcnee.dll/sp.html#53142%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rcnee.dll/sp.html#53142%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rcnee.dll/sp.html#53142%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rcnee.dll/sp.html#53142%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rcnee.dll/sp.html#53142%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.de.netscape.com/keyword/%s
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {10EDACBE-902A-F6FD-A7D9-7D96FA804409} - C:\WINDOWS\ipid.dll (file missing)
O2 - BHO: Class - {33894CDF-39DC-A5B5-7657-E16A8CBB005D} - C:\WINDOWS\appea.dll (file missing)
O2 - BHO: Class - {39B55E7F-513F-C3C3-44BF-B0378C8CBFEF} - C:\WINDOWS\system32\netys32.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Class - {6629429C-E7B6-4065-1021-EBCF6EE8F72B} - C:\WINDOWS\system32\javahi.dll (file missing)
O2 - BHO: Class - {6C4EB55C-5151-DA83-39AB-64E124FC992E} - C:\WINDOWS\system32\crjx32.dll (file missing)
O2 - BHO: Class - {7394CC45-E29E-AC0B-19B4-FA1B376B3209} - C:\WINDOWS\mfcls.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Class - {B61BACAE-2CB6-EF24-C53E-8CA0B2907B91} - C:\WINDOWS\sysow.dll
O2 - BHO: Class - {B796386A-3A52-4CE4-BD8A-3662ABFFA8E6} - C:\WINDOWS\mfcup.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {DF8DC720-C801-B797-0314-C957735C5F60} - C:\WINDOWS\system32\atlxg.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Programme\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Programme\SigmaTel\C-Major Audio\stacmon.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Programme\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Opware12] "C:\Programme\ScanSoft\OmniPagePro12.0\Opware12.exe"
O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Programme\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NAVNet] "C:\Dokumente und Einstellungen\Georgios K\Startmenü\Programme\Autostart\ms.exe" /m
O4 - HKLM\..\Run: [EE.tmp] C:\DOKUME~1\GEORGI~1\LOKALE~1\Temp\EE.tmp.exe
O4 - HKLM\..\Run: [EF.tmp] C:\DOKUME~1\GEORGI~1\LOKALE~1\Temp\EF.tmp.exe
O4 - HKLM\..\Run: [EE.tmp.exe] C:\DOKUME~1\GEORGI~1\LOKALE~1\Temp\EE.tmp.exe
O4 - HKLM\..\Run: [EF.tmp.exe] C:\DOKUME~1\GEORGI~1\LOKALE~1\Temp\EF.tmp.exe
O4 - HKLM\..\Run: [addlv.exe] C:\WINDOWS\system32\addlv.exe
O4 - HKLM\..\Run: [38.tmp] C:\DOKUME~1\GEORGI~1\LOKALE~1\Temp\38.tmp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ms.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{C646B452-E7B1-4322-8A24-FBDFE9114557}: NameServer = 195.244.244.11,195.244.235.10
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\netic32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe

Thanks for any help and your time.
 

JSntgRvr

José
Retired Moderator and Malware Specialist
Joined
Jul 1, 2003
Messages
18,552
Right click http://mvps.org/winhelp2002/DelDomains.inf and select Save As, or Save Target as, to download WinHelp2002's DelDomains.inf.

Please save the file somewhere you can find it like on the desktop.
Run the inf file by right clicking on it and select Install.


Download CW-Shredder at the link below, but do not run it yet:

http://www.trendmicro.com/ftp/products/online-tools/cwshredder.exe

Download the following file to a folder in the computer:

http://www.derbilk.de/cms/_data/SpSeHjfix112.zip

Click a blank part of the desktop and select New Folder; call it spfix. Unzip the downloaded file SpSeHjfix112.zip into that folder.

Disconnect from the Internet and Close ALL OPEN PROGRAMS.

Click on the 'Spfix' icon and run the 'SpSeHjfix'. Click on "Start Disinfection".

When it's finished it will reboot your machine to finish the cleaning process.

The tool creates a log of the fix which will appear in the folder.

If it doesn't find any of the SE files or any hidden reinstallers, it will say "system clean" and not go on to the next stage.

Now run the Shredder - Hit The FIX button!

Perform an ActiveScan:

http://www.pandasoftware.com/activescan/

Save the report to the desktop.

Post a new HijackThis log and the results of the ActiveScan reports. Also post the log that was created by 'Spfix'.
 

athena.c

Thread Starter
Thanks a lot for your instructions, I'm still running ActiveScan!
'Spfix' didn't find anything!
I'll post the new logs in a few minutes.
Thanks again.
 

athena.c

Thread Starter
Here are the log files:

---------------------------------------------------
activescan:


Incident Status Location

Dialer:Dialer.DNA Not desinfected C:\DOKUME~1\GEORGI~1\LOKALE~1\TEMP\EF.TMP.EXE
Spyware:spyware/petro-line Not desinfected C:\Dokumente und Einstellungen\Georgios K\Favoriten\SITES ABOUT\Ab scissor.url
Adware:adware/searchaid Not desinfected C:\Dokumente und Einstellungen\Georgios K\Favoriten\Only sex website.url
Adware:adware/cws Not desinfected C:\Dokumente und Einstellungen\Georgios K\Favoriten\SHOP
Adware:adware/cws.aboutblank Not desinfected Windows Registry
Adware:Adware/SearchAid Not desinfected C:\Dokumente und Einstellungen\Georgios K\Lokale Einstellungen\Temp\3.tmp.exe
Adware:Adware/SearchAid Not desinfected C:\Dokumente und Einstellungen\Georgios K\Lokale Einstellungen\Temp\32.tmp.exe
Adware:Adware/SearchAid Not desinfected C:\Dokumente und Einstellungen\Georgios K\Lokale Einstellungen\Temp\33.tmp.exe
Adware:Adware/SearchAid Not desinfected C:\Dokumente und Einstellungen\Georgios K\Lokale Einstellungen\Temp\36.tmp.exe
Adware:Adware/SearchAid Not desinfected C:\Dokumente und Einstellungen\Georgios K\Lokale Einstellungen\Temp\4.tmp.exe
Adware:Adware/SearchAid Not desinfected C:\Dokumente und Einstellungen\Georgios K\Lokale Einstellungen\Temp\6.tmp.exe
Adware:Adware/SearchAid Not desinfected C:\Dokumente und Einstellungen\Georgios K\Lokale Einstellungen\Temp\7.tmp.exe
Adware:Adware/SearchAid Not desinfected C:\Dokumente und Einstellungen\Georgios K\Lokale Einstellungen\Temp\8.tmp.exe
Adware:Adware/SearchAid Not desinfected C:\Dokumente und Einstellungen\Georgios K\Lokale Einstellungen\Temp\9.tmp.exe
Adware:Adware/SearchAid Not desinfected C:\Dokumente und Einstellungen\Georgios K\Lokale Einstellungen\Temp\E8.tmp.exe
Adware:Adware/SpyFighter Not desinfected C:\Dokumente und Einstellungen\Georgios K\Lokale Einstellungen\Temp\EE.tmp
Dialer:Dialer.DNA Not desinfected C:\Dokumente und Einstellungen\Georgios K\Lokale Einstellungen\Temp\EF.tmp
Dialer:Dialer.DNA Not desinfected C:\Dokumente und Einstellungen\Georgios K\Lokale Einstellungen\Temp\EF.tmp.exe
Adware:Adware/SearchAid Not desinfected C:\Dokumente und Einstellungen\Georgios K\Lokale Einstellungen\Temp\F2.tmp.exe
---------------------------------------

hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 18:21:29, on 30.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
C:\Programme\SigmaTel\C-Major Audio\stacmon.exe
C:\WINDOWS\system32\ICO.EXE
C:\Programme\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Programme\Real\RealPlayer\RealPlay.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Programme\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programme\powerpanel\Program\PcfMgr.exe
C:\Programme\WinZip\WZQKPICK.EXE
C:\Programme\Sony\HotKey Utility\HKWnd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\adddb32.exe
C:\WINDOWS\addba32.exe
C:\DOKUME~1\GEORGI~1\LOKALE~1\Temp\D.tmp
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Dokumente und Einstellungen\Georgios K\Desktop\antivirus\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\sjqdp.dll/sp.html#53142%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\sjqdp.dll/sp.html#53142%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\sjqdp.dll/sp.html#53142%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\sjqdp.dll/sp.html#53142%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\sjqdp.dll/sp.html#53142%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\sjqdp.dll/sp.html#53142%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\sjqdp.dll/sp.html#53142%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.de.netscape.com/keyword/%s
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {0D9B1E93-1713-1ADE-50CD-A0E5C4411A74} - C:\WINDOWS\system32\atlrw.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Class - {B796386A-3A52-4CE4-BD8A-3662ABFFA8E6} - C:\WINDOWS\mfcup.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Programme\SigmaTel\C-Major Audio\stacmon.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Programme\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Programme\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NAVNet] "C:\Dokumente und Einstellungen\Georgios K\Startmenü\Programme\Autostart\ms.exe" /m
O4 - HKLM\..\Run: [EF.tmp] C:\DOKUME~1\GEORGI~1\LOKALE~1\Temp\EF.tmp.exe
O4 - HKLM\..\Run: [EF.tmp.exe] C:\DOKUME~1\GEORGI~1\LOKALE~1\Temp\EF.tmp.exe
O4 - HKLM\..\Run: [38.tmp] C:\DOKUME~1\GEORGI~1\LOKALE~1\Temp\38.tmp.exe
O4 - HKLM\..\Run: [38.tmp.exe] C:\DOKUME~1\GEORGI~1\LOKALE~1\Temp\38.tmp.exe
O4 - HKLM\..\Run: [addba32.exe] C:\WINDOWS\addba32.exe
O4 - HKLM\..\Run: [D.tmp] C:\DOKUME~1\GEORGI~1\LOKALE~1\Temp\D.tmp.exe
O4 - HKLM\..\Run: [E.tmp] C:\DOKUME~1\GEORGI~1\LOKALE~1\Temp\E.tmp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ms.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C646B452-E7B1-4322-8A24-FBDFE9114557}: NameServer = 195.244.244.11,195.244.235.10
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\adddb32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe

Waiting for suggestions.

Thanks.
 

JSntgRvr

José
Retired Moderator and Malware Specialist
Download Cleanup from Here:

http://www.stevengould.org/downloads/cleanup/CleanUp40.exe


* A window will open; choose SAVE, then DESKTOP as the destination.
* On your Desktop, click on the Cleanup40.exe icon.
* Then click RUN and place a checkmark beside "I Agree".
* Then click NEXT, followed by START and OK.
* A window will appear with many choices; keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
* Click OK.
* DO NOT RUN IT YET.


Download Killbox from any of the sites below, and have it ready to run later-on:

http://www.downloads.subratam.org/KillBox.exe

http://www.downloads.subratam.org/KillBox.zip



Click Start > Run > and type in:

services.msc

Click OK.

In the services window find:

Workstation NetLogon Service

Right click and choose "Properties".
On the "General" tab under "Service Status" click the "Stop" button to stop the service.

Beside "Startup Type" in the dropdown menu select "Disabled".

Click Apply then OK.

Exit the Services utility.

Run HijackThis. Place a checkmark on the following lines and click on

Fix Checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\sjqdp.dll/sp.html#53142%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\sjqdp.dll/sp.html#53142%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\sjqdp.dll/sp.html#53142%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\sjqdp.dll/sp.html#53142%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\sjqdp.dll/sp.html#53142%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\sjqdp.dll/sp.html#53142%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\sjqdp.dll/sp.html#53142%resultposition.net
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0D9B1E93-1713-1ADE-50CD-A0E5C4411A74} - C:\WINDOWS\system32\atlrw.dll
O2 - BHO: Class - {B796386A-3A52-4CE4-BD8A-3662ABFFA8E6} - C:\WINDOWS\mfcup.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NAVNet] "C:\Dokumente und Einstellungen\Georgios K\Startmenü\Programme\Autostart\ms.exe" /m
O4 - HKLM\..\Run: [EF.tmp] C:\DOKUME~1\GEORGI~1\LOKALE~1\Temp\EF.tmp.exe
O4 - HKLM\..\Run: [EF.tmp.exe] C:\DOKUME~1\GEORGI~1\LOKALE~1\Temp\EF.tmp.exe
O4 - HKLM\..\Run: [38.tmp] C:\DOKUME~1\GEORGI~1\LOKALE~1\Temp\38.tmp.exe
O4 - HKLM\..\Run: [38.tmp.exe] C:\DOKUME~1\GEORGI~1\LOKALE~1\Temp\38.tmp.exe
O4 - HKLM\..\Run: [addba32.exe] C:\WINDOWS\addba32.exe
O4 - HKLM\..\Run: [D.tmp] C:\DOKUME~1\GEORGI~1\LOKALE~1\Temp\D.tmp.exe
O4 - HKLM\..\Run: [E.tmp] C:\DOKUME~1\GEORGI~1\LOKALE~1\Temp\E.tmp.exe
O4 - Startup: ms.exe
O4 - Global Startup: PowerPanel.lnk = ?

Boot the computer in Safe Mode

Run KillBox. Paste the following locations into KillBox one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion... say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one, click YES and it will reboot.

Locations:

C:\Dokumente und Einstellungen\Georgios K\Favoriten\SITES ABOUT\Ab scissor.url

C:\Dokumente und Einstellungen\Georgios K\Favoriten\Only sex website.url

C:\Dokumente und Einstellungen\Georgios K\Favoriten\SHO

C:\WINDOWS\addba32.exe

C:\Dokumente und Einstellungen\Georgios K\Startmenü\Programme\Autostart\ms.exe

C:\WINDOWS\system32\atlrw.dll

C:\WINDOWS\system32\sjqdp.dll


* Run Cleanup:

* Click on the "Cleanup" button and let it run.
* Once it's done, close the program.
* Restart the computer.

Post a fresh HijackThis log.
 
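As an added example (not from the thread, and not HijackThis's or the moderator's own code), a small Python script that applies the same triage rules the moderator used on the log above: R0/R1 values pointing at a res:// resource, BHOs named only "Class" or whose DLL is missing, autostarts from a Temp directory or the Windows root, and services with an unknown owner. The sample log lines are constructed from the entries posted above, and the rules are heuristics that still need a person to confirm each line before it goes on a Fix Checked list.

```python
"""Flag the HijackThis 1.99 log entries that this thread's cleanup acted on."""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the logs posted in the thread (the garbled
# service short-name from the real log is replaced by a placeholder).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\sjqdp.dll/sp.html#53142%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.de.netscape.com/keyword/%s
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0D9B1E93-1713-1ADE-50CD-A0E5C4411A74} - C:\WINDOWS\system32\atlrw.dll
O2 - BHO: Class - {B796386A-3A52-4CE4-BD8A-3662ABFFA8E6} - C:\WINDOWS\mfcup.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [EF.tmp] C:\DOKUME~1\GEORGI~1\LOKALE~1\Temp\EF.tmp.exe
O4 - HKLM\..\Run: [addba32.exe] C:\WINDOWS\addba32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - Startup: ms.exe
O23 - Service: Workstation NetLogon Service (PLACEHOLDER) - Unknown owner - C:\WINDOWS\system32\adddb32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    reason: str   # why the line was flagged
    line: str     # the original log line


HJT_LINE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
WINDOWS_ROOT_EXE = re.compile(r"^C:\\WINDOWS\\[^\\]+\.exe$", re.IGNORECASE)


def _flag_r(body):
    # R0/R1 are IE start/search page values. A res:// URL means IE is being
    # pointed at an HTML resource embedded in a local DLL, the search hijack
    # seen in every log in the thread. R3 reports a deleted URLSearchHook.
    if "= res://" in body:
        return "IE search/start page redirected to a res:// resource in a local DLL"
    if body.startswith("Default URLSearchHook is missing"):
        return "URLSearchHook removed (typical side effect of a search hijacker)"
    return None


def _flag_o2(body):
    # O2 lists Browser Helper Objects. Legitimate ones carry a descriptive name;
    # the bad entries above were all named just "Class", and some pointed at a
    # DLL that had already been deleted or renamed by the next reinstall.
    name = body.split(" - ")[0].removeprefix("BHO: ").strip()
    if name == "Class":
        return "BHO with generic name 'Class'"
    if body.endswith("(file missing)"):
        return "BHO registration points at a DLL that no longer exists"
    return None


def _flag_o4(body):
    # O4 lists autostart entries. The thread's malware autostarted from the
    # user's Temp directory (EF.tmp.exe, 38.tmp.exe, ...) and from the Windows
    # root (addba32.exe, netgj32.exe); normal software seldom does either.
    target = body.split("] ", 1)[1] if "] " in body else body.split(": ", 1)[-1]
    target = target.strip().strip('"')
    if TEMP_DIR.search(target):
        return "autostart target lives in a Temp directory"
    if WINDOWS_ROOT_EXE.match(target):
        return "autostart target is an executable directly in the Windows directory"
    return None


def _flag_o23(body):
    # O23 lists services with the publisher from the binary's version info.
    # An official-sounding service name with no publisher and a random binary
    # is exactly the "Workstation NetLogon Service" entry the moderator disabled.
    if "- Unknown owner -" in body:
        return "service binary has no publisher information"
    return None


FLAGGERS = {"R0": _flag_r, "R1": _flag_r, "R3": _flag_r,
            "O2": _flag_o2, "O4": _flag_o4, "O23": _flag_o23}


def triage(log_text):
    """Return a Finding for every log line that matches one of the rules."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = HJT_LINE.match(line)
        if not match:
            continue  # headers, blank lines and the running-process list
        section, body = match.group(1), match.group(2)
        flag = FLAGGERS.get(section)
        reason = flag(body) if flag else None
        if reason:
            findings.append(Finding(section, reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.reason}\n    {f.line}")
```

Running it on a full log produces a shortlist to check by hand; it deliberately leaves the Symantec, Java and Adobe entries alone.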

athena.c

Thread Starter
Hi JSntgRvr,

Best wishes for a happy new year!

Here is the new HijackThis log :confused:

Logfile of HijackThis v1.99.1
Scan saved at 13:27:42, on 02.01.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\adddb32.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
C:\Programme\SigmaTel\C-Major Audio\stacmon.exe
C:\WINDOWS\system32\ICO.EXE
C:\Programme\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Programme\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\WINDOWS\netgj32.exe
C:\Programme\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Sony\HotKey Utility\HKWnd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programme\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Dokumente und Einstellungen\Georgios K\Desktop\antivirus\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vczlb.dll/sp.html#53142%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vczlb.dll/sp.html#53142%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\vczlb.dll/sp.html#53142%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vczlb.dll/sp.html#53142%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vczlb.dll/sp.html#53142%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vczlb.dll/sp.html#53142%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vczlb.dll/sp.html#53142%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.de.netscape.com/keyword/%s
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {156B287A-E2A6-F730-904D-15B4B7E35F4C} - C:\WINDOWS\system32\ipvd.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Class - {597C394D-7209-3F39-761D-930B4E37CB86} - C:\WINDOWS\apivp32.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Programme\SigmaTel\C-Major Audio\stacmon.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Programme\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Programme\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [netgj32.exe] C:\WINDOWS\netgj32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C646B452-E7B1-4322-8A24-FBDFE9114557}: NameServer = 195.244.244.11,195.244.235.10
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\adddb32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
 

JSntgRvr

José
Retired Moderator and Malware Specialist
Joined
Jul 1, 2003
Messages
18,552
Click Start > Run > and type in:

services.msc

Click OK.

In the services window find:

Workstation NetLogon Service

Right click on it and choose "Properties".
On the "General" tab under "Service Status" click the "Stop" button to stop the service.

Beside "Startup Type" in the dropdown menu select "Disabled".

Click Apply then OK.

Exit the Services utility.


Run HijackThis. Place a checkmark on the following lines and click on Fix Checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vczlb.dll/sp.html#53142%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vczlb.dll/sp.html#53142%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\vczlb.dll/sp.html#53142%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vczlb.dll/sp.html#53142%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vczlb.dll/sp.html#53142%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vczlb.dll/sp.html#53142%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vczlb.dll/sp.html#53142%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.de.netscape.com/keyword/%s
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {156B287A-E2A6-F730-904D-15B4B7E35F4C} - C:\WINDOWS\system32\ipvd.dll
O2 - BHO: Class - {597C394D-7209-3F39-761D-930B4E37CB86} - C:\WINDOWS\apivp32.dll
O4 - HKLM\..\Run: [netgj32.exe] C:\WINDOWS\netgj32.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\adddb32.exe

Boot the computer in Safe Mode

Perform the following in Safe Mode:

Run the CW-Shredder again.

Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion; say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one click YES and it will reboot.

Locations:

C:\WINDOWS\system32\ipvd.dll
C:\WINDOWS\system32\vczlb.dll
C:\WINDOWS\apivp32.dll
C:\WINDOWS\system32\adddb32.exe
C:\WINDOWS\netgj32.exe

Rescan with Hijackthis. Post a fresh log.
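The fix list in this post rests on a few structural tells (search settings pointing at a res:// DLL, an unnamed BHO loaded from the Windows directory, an autorun sitting in the Windows root, a service with no owner and a garbled short name) rather than on file names, which is what lets the same reading carry over when the infection reappears under new names in the next log. As an added example that is not code from HijackThis, Symantec or this forum, the Python script below applies those tells to constructed excerpts of the logs in this thread; it assumes the C:\WINDOWS layout shown in the posted logs and reports review candidates only.

```python
"""Triage a HijackThis v1.99 log for the persistence patterns in this thread.

Added example, not HijackThis, Symantec or forum code. It knows no file names
on purpose: it looks for the structural tells the helper used to pick lines,
so the rules still fire once the infection renames itself (vczlb.dll ->
qraus.dll, netgj32.exe -> netwu32.exe). Output is a review list, not a verdict.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

WINDIR = r"c:\windows"  # assumed: the XP layout shown in the posted logs

@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section: R0/R1, O2, O4 or O23
    image: str    # lower-cased path of the file the entry loads
    reason: str
    line: str

# First .exe/.dll in a command line, minus quotes, arguments, "(file missing)".
IMAGE_RE = re.compile(r'^"?(.*?\.(?:exe|dll|com|scr|pif))\b', re.I)
RES_RE = re.compile(r"res://(.+?\.dll)", re.I)
R_RE = re.compile(r"^(R[0-3]) - (.+?) = (.*)$")
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.+)$")
RUN_RE = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\(\w+): \[(.*?)\] (.+)$")
SVC_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")

def image_path(command: str) -> str:
    m = IMAGE_RE.match(command.strip())
    return (m.group(1) if m else command.strip()).lower()

def in_windows_root(path: str) -> bool:
    """True when the image sits directly in C:\\WINDOWS, not in a subfolder."""
    head, _, tail = path.rpartition("\\")
    return head == WINDIR and bool(tail)

def triage(log: str) -> list[Finding]:
    found = []
    for line in (ln.strip() for ln in log.splitlines()):
        if m := R_RE.match(line):
            # IE search/start pages rewritten to a res:// URL served out of a
            # DLL: the CoolWebSearch-style hijack on the R0/R1 lines.
            if r := RES_RE.search(m.group(3)):
                found.append(Finding(m.group(1), r.group(1).lower(),
                                     "search settings served from a resource DLL", line))
        elif m := BHO_RE.match(line):
            name, path = m.group(1).strip(), image_path(m.group(2))
            # Real BHOs carry a product name and live under Programme; a bare
            # "Class" loaded straight from the Windows directory is the odd one.
            if name in ("Class", "(no name)") and path.startswith(WINDIR + "\\"):
                found.append(Finding("O2", path, "unnamed BHO in the Windows directory", line))
        elif m := RUN_RE.match(line):
            hive, key, path = m.group(1), m.group(2), image_path(m.group(4))
            if in_windows_root(path):
                found.append(Finding("O4", path, "autorun image in the Windows root", line))
            elif hive == "HKLM" and key == "RunOnce":
                # A RunOnce value still present at scan time is being re-created.
                found.append(Finding("O4", path, "persistent HKLM RunOnce entry", line))
        elif m := SVC_RE.match(line):
            name, owner, rest = m.groups()
            short = re.search(r"\((.*)\)", name)
            garbled = bool(short) and not re.fullmatch(r"[\w .-]*", short.group(1))
            if owner == "Unknown owner" or garbled or "(file missing)" in rest:
                found.append(Finding("O23", image_path(rest),
                                     "service with unknown owner or garbled name", line))
    return found

def review_list(log: str) -> set[str]:
    """Distinct files to inspect: the shape of the helper's KillBox list."""
    return {f.image for f in triage(log)}

# Constructed excerpts of the two logs posted in this thread, with a few
# legitimate lines left in so the rules can be seen ignoring them.
LOG_FIRST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vczlb.dll/sp.html#53142%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vczlb.dll/sp.html#53142%resultposition.net
O2 - BHO: Class - {156B287A-E2A6-F730-904D-15B4B7E35F4C} - C:\WINDOWS\system32\ipvd.dll
O2 - BHO: Class - {597C394D-7209-3F39-761D-930B4E37CB86} - C:\WINDOWS\apivp32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [netgj32.exe] C:\WINDOWS\netgj32.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\adddb32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
"""

LOG_SECOND = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qraus.dll/sp.html#53142%
O2 - BHO: Class - {1D11A0C0-63DD-AAE5-2CCD-0CD1E7F1A0C3} - C:\WINDOWS\system32\winvp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [netwu32.exe] C:\WINDOWS\netwu32.exe
O4 - HKLM\..\RunOnce: [addly.exe] C:\WINDOWS\system32\addly.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\adddb32.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(LOG_FIRST) + triage(LOG_SECOND):
        print(f"{f.section:4}{f.reason:46}{f.image}")
```

On the first excerpt the review list comes out as exactly the five files the KillBox step above names; on the second it picks up the renamed DLLs and autoruns without any change to the rules.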
 

athena.c

Thread Starter
Joined
Dec 30, 2005
Messages
9
Logfile of HijackThis v1.99.1
Scan saved at 14:37:19, on 02.01.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
C:\Programme\SigmaTel\C-Major Audio\stacmon.exe
C:\WINDOWS\system32\ICO.EXE
C:\Programme\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Programme\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Programme\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programme\WinZip\WZQKPICK.EXE
C:\Programme\Sony\HotKey Utility\HKWnd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\addly.exe
C:\WINDOWS\netwu32.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\Georgios K\Desktop\antivirus\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qraus.dll/sp.html#53142%
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qraus.dll/sp.html#53142%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qraus.dll/sp.html#53142%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qraus.dll/sp.html#53142%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qraus.dll/sp.html#53142%
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qraus.dll/sp.html#53142%
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qraus.dll/sp.html#53142%
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {1D11A0C0-63DD-AAE5-2CCD-0CD1E7F1A0C3} - C:\WINDOWS\system32\winvp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Programme\SigmaTel\C-Major Audio\stacmon.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Programme\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Programme\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [netwu32.exe] C:\WINDOWS\netwu32.exe
O4 - HKLM\..\RunOnce: [addly.exe] C:\WINDOWS\system32\addly.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C646B452-E7B1-4322-8A24-FBDFE9114557}: NameServer = 195.244.244.11,195.244.235.10
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\adddb32.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
 

athena.c

Thread Starter
Joined
Dec 30, 2005
Messages
9
When I scan with HijackThis before opening Internet Explorer, the first log entries

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qraus.dll/sp.html#53142%
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qraus.dll/sp.html#53142%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\qraus.dll/sp.html#53142%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\qraus.dll/sp.html#53142%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\qraus.dll/sp.html#53142%
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qraus.dll/sp.html#53142%
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\qraus.dll/sp.html#53142%
R3 - Default URLSearchHook is missing

do not exist. Every time I open IE there is that about:blank page with links to porn, pharmacy ...

In the meantime there is also a problem with Norton; it does not scan anymore.

Maybe it helps.
 

JSntgRvr

José
Retired Moderator and Malware Specialist
Joined
Jul 1, 2003
Messages
18,552
Seems that the trojan is mutating. Before we go deeper into the computer's processes, download and run SpySweeper:

Please download WebRoot SpySweeper (It's a 2 week trial):

http://www.webroot.com/consumer/products/spysweeper/index.html?acode=af1&rc=4129

Click the Free Trial link under "Downloads/SpySweeper" to download the program.

Install it. Once the program is installed, it will open.

It will prompt you to update to the latest definitions, click Yes.
Once the definitions are installed, click Options on the left side.
Click the Sweep Options tab.

Under What to Sweep please put a check next to the following:

* Sweep Memory
* Sweep Registry
* Sweep Cookies
* Sweep All User Accounts
* Enable Direct Disk Sweeping
* Sweep Contents of Compressed Files
* Sweep for Rootkits

Please UNCHECK Do not Sweep System Restore Folder.

Click Sweep Now on the left side.

Click the Start button.

When it's done scanning, click the Next button.

Make sure everything has a check next to it, then click the Next button.

It will remove all of the items found.

Click Session Log in the upper right corner, copy everything in that window.

Click the Summary tab and click Finish.

Paste the contents of the session log you copied into your next reply.
Also post a new Hijack This log.
 

athena.c

Thread Starter
Joined
Dec 30, 2005
Messages
9
Hi JSntgRvr,

That tool worked wonders!!

But first I've downloaded the new updates for Windows and IE.
After that, with some help from AntiVir and a friend of mine, I could detect but not destroy the worm and the trojans!

Spy Sweeper was the guillotine!! :D

Here are the two log files of Spy Sweeper (first without update, second with the newest log files):

--------------------------------------
********
12:40: | Start of Session, Dienstag, 3. Januar 2006 |
12:40: Spy Sweeper started
12:40: Sweep initiated using definitions version 556
12:40: Starting Memory Sweep
12:41: Found Adware: cws_ns3
12:41: Detected running threat: C:\WINDOWS\appgt.exe (ID = 8)
12:41: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || appgt.exe (ID = 0)
12:42: Detected running threat: C:\WINDOWS\system32\javauo.exe (ID = 8)
12:42: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce || javauo.exe (ID = 0)
12:42: Memory Sweep Complete, Elapsed Time: 00:01:25
12:42: Starting Registry Sweep
12:42: HKCR\clsid\{4aeda6fc-6816-f03c-12f8-cde056451f16}\ (10 subtraces) (ID = 117830)
12:42: HKCR\clsid\{85f1c7fc-7359-d6d5-c42b-f3e410db4cad}\ (4 subtraces) (ID = 118285)
12:42: HKCR\clsid\{676575dd-4d46-911d-8037-9b10d6ee8bb5}\ (ID = 118649)
12:42: HKCR\clsid\{b1169abc-e367-2937-9f96-3b9cb54e0f31}\ (4 subtraces) (ID = 118884)
12:42: HKLM\software\classes\clsid\{4aeda6fc-6816-f03c-12f8-cde056451f16}\ (10 subtraces) (ID = 119704)
12:42: HKLM\software\classes\clsid\{85f1c7fc-7359-d6d5-c42b-f3e410db4cad}\ (4 subtraces) (ID = 120141)
12:42: HKLM\software\classes\clsid\{676575dd-4d46-911d-8037-9b10d6ee8bb5}\ (ID = 120496)
12:42: HKLM\software\classes\clsid\{b1169abc-e367-2937-9f96-3b9cb54e0f31}\ (4 subtraces) (ID = 120722)
12:42: HKLM\software\microsoft\windows\currentversion\uninstall\hsa\ (2 subtraces) (ID = 123379)
12:42: HKLM\software\microsoft\windows\currentversion\uninstall\se\ (2 subtraces) (ID = 123380)
12:42: HKLM\software\microsoft\windows\currentversion\uninstall\sw\ (2 subtraces) (ID = 123381)
12:42: Registry Sweep Complete, Elapsed Time:00:00:11
12:42: Starting Cookie Sweep
12:42: Cookie Sweep Complete, Elapsed Time: 00:00:00
12:42: Starting File Sweep
12:44: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023570.exe". Zugriff verweigert
12:45: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023522.exe". Zugriff verweigert
12:45: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023521.exe". Zugriff verweigert
12:46: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023523.exe". Zugriff verweigert
12:46: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023524.exe". Zugriff verweigert
12:46: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023526.exe". Zugriff verweigert
12:46: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023553.exe". Zugriff verweigert
12:47: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023529.exe". Zugriff verweigert
12:47: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023525.exe". Zugriff verweigert
12:48: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023527.exe". Zugriff verweigert
12:48: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023528.exe". Zugriff verweigert
12:48: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023530.exe". Zugriff verweigert
12:48: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023532.exe". Zugriff verweigert
12:48: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023533.exe". Zugriff verweigert
12:48: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023534.exe". Zugriff verweigert
12:49: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023535.exe". Zugriff verweigert
12:49: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp261\a0023181.exe". Zugriff verweigert
12:50: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023572.exe". Zugriff verweigert
12:55: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023531.dll". Zugriff verweigert
12:55: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023552.dll". Zugriff verweigert
12:56: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023564.dll". Zugriff verweigert
12:57: Found Adware: security iguard
12:57: chmhelp.chm (ID = 75238)
12:58: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023571.dll". Zugriff verweigert
13:03: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023537.exe". Zugriff verweigert
13:04: Found Adware: coolwebsearch (cws)
13:04: online instant loan.url (ID = 130685)
13:04: search the web.url (ID = 54454)
13:04: seven days of free porn.url (ID = 54472)
13:04: credit counseling.url (ID = 130668)
13:04: insurance home.url (ID = 130676)
13:04: mortgage life insurance.url (ID = 130681)
13:04: help desk software.url (ID = 130675)
13:04: videos.url (ID = 130694)
13:04: what is hydrocodone.url (ID = 130695)
13:04: online gambling casino.url (ID = 130684)
13:04: refinancing my mortgage.url (ID = 130691)
13:04: debt credit card.url (ID = 130671)
13:04: fha.url (ID = 130673)
13:04: loan for debt consolidation.url (ID = 130677)
13:04: health insurance.url (ID = 130674)
13:04: personal loans online.url (ID = 130688)
13:04: payroll advance.url (ID = 130687)
13:04: marketing email.url (ID = 130679)
13:04: prescription drugs rx online.url (ID = 130690)
13:04: credit report.url (ID = 130669)
13:04: tahoe vacation rental.url (ID = 130692)
13:04: escorts.url (ID = 130672)
13:04: order phentermine.url (ID = 130686)
13:04: mortgage insurance.url (ID = 130680)
13:04: personal loans with bad credit.url (ID = 130689)
13:04: crm software.url (ID = 130670)
13:04: nevada corporations.url (ID = 130682)
13:04: unsecured bad credit loans.url (ID = 130693)
13:04: loan for people with bad credit.url (ID = 130678)
13:04: broadband comparison.url (ID = 130667)
13:04: online betting site.url (ID = 130683)
13:04: ab scissor.url (ID = 130666)
13:04: only sex website.url (ID = 54373)
13:04: Found System Monitor: potentially rootkit-masked files
13:04: tubesandaccuro.jpg (ID = 0)
13:04: oilrig.gif (ID = 0)
13:04: oilrig.gif (ID = 0)
13:04: afcback.gif (ID = 0)
13:04: afclogo.gif (ID = 0)
13:04: greygradient.gif (ID = 0)
13:04: training.gif (ID = 0)
13:04: links.gif (ID = 0)
13:04: gradient.gif (ID = 0)
13:04: gasnewarrow.gif (ID = 0)
13:04: gasgasarrow.gif (ID = 0)
13:04: gasisoarrow.gif (ID = 0)
13:04: gasairarrow.gif (ID = 0)
13:04: gasotherarrow.gif (ID = 0)
13:04: gasresparrow.gif (ID = 0)
13:04: gaswaterarrow.gif (ID = 0)
13:04: afclogo.gif (ID = 0)
13:04: greygradient.gif (ID = 0)
13:04: training.gif (ID = 0)
13:04: links.gif (ID = 0)
13:04: gradient.gif (ID = 0)
13:04: gasnewarrow.gif (ID = 0)
13:04: gasgasarrow.gif (ID = 0)
13:04: gasisoarrow.gif (ID = 0)
13:04: gasairarrow.gif (ID = 0)
13:04: wmd.gif (ID = 0)
13:04: gasotherarrow.gif (ID = 0)
13:04: gasresparrow.gif (ID = 0)
13:04: gaswaterarrow.gif (ID = 0)
13:04: afcback.gif (ID = 0)
13:04: difftube.jpg (ID = 0)
13:04: ctslogotop.gif (ID = 0)
13:04: amacp.gif (ID = 0)
13:04: ctslogomiddle.gif (ID = 0)
13:04: productcatalog.gif (ID = 0)
13:04: safetytraining.gif (ID = 0)
13:04: aboutcts.gif (ID = 0)
13:04: contact.gif (ID = 0)
13:04: ctslogobottom.gif (ID = 0)
13:04: sendforquote.gif (ID = 0)
13:04: menuend.gif (ID = 0)
13:04: pdficon.gif (ID = 0)
13:04: blackpx.gif (ID = 0)
13:04: trans.gif (ID = 0)
13:04: shadowbg.gif (ID = 0)
13:04: home.gif (ID = 0)
13:04: applic.gif (ID = 0)
13:04: specials.gif (ID = 0)
13:04: rentals.gif (ID = 0)
13:04: contact.gif (ID = 0)
13:04: picosmall.gif (ID = 0)
13:04: home.gif (ID = 0)
13:04: applic.gif (ID = 0)
13:04: specials.gif (ID = 0)
13:04: rentals.gif (ID = 0)
13:04: contact.gif (ID = 0)
13:04: picosmall.gif (ID = 0)
13:09: File Sweep Complete, Elapsed Time: 00:26:49
13:09: Full Sweep has completed. Elapsed time 00:28:30
13:09: Traces Found: 148
13:10: Removal process initiated
13:11: Quarantining All Traces: potentially rootkit-masked files
13:11: potentially rootkit-masked files is in use. It will be removed on reboot.
13:11: tubesandaccuro.jpg is in use. It will be removed on reboot.
13:11: oilrig.gif is in use. It will be removed on reboot.
13:11: oilrig.gif is in use. It will be removed on reboot.
13:11: afcback.gif is in use. It will be removed on reboot.
13:11: afclogo.gif is in use. It will be removed on reboot.
13:11: greygradient.gif is in use. It will be removed on reboot.
13:11: training.gif is in use. It will be removed on reboot.
13:11: links.gif is in use. It will be removed on reboot.
13:11: gradient.gif is in use. It will be removed on reboot.
13:11: gasnewarrow.gif is in use. It will be removed on reboot.
13:11: gasgasarrow.gif is in use. It will be removed on reboot.
13:11: gasisoarrow.gif is in use. It will be removed on reboot.
13:11: gasairarrow.gif is in use. It will be removed on reboot.
13:11: gasotherarrow.gif is in use. It will be removed on reboot.
13:11: gasresparrow.gif is in use. It will be removed on reboot.
13:11: gaswaterarrow.gif is in use. It will be removed on reboot.
13:11: afclogo.gif is in use. It will be removed on reboot.
13:11: greygradient.gif is in use. It will be removed on reboot.
13:11: training.gif is in use. It will be removed on reboot.
13:11: links.gif is in use. It will be removed on reboot.
13:11: gradient.gif is in use. It will be removed on reboot.
13:11: gasnewarrow.gif is in use. It will be removed on reboot.
13:11: gasgasarrow.gif is in use. It will be removed on reboot.
13:11: gasisoarrow.gif is in use. It will be removed on reboot.
13:11: gasairarrow.gif is in use. It will be removed on reboot.
13:11: wmd.gif is in use. It will be removed on reboot.
13:11: gasotherarrow.gif is in use. It will be removed on reboot.
13:11: gasresparrow.gif is in use. It will be removed on reboot.
13:11: gaswaterarrow.gif is in use. It will be removed on reboot.
13:11: afcback.gif is in use. It will be removed on reboot.
13:11: difftube.jpg is in use. It will be removed on reboot.
13:11: ctslogotop.gif is in use. It will be removed on reboot.
13:11: amacp.gif is in use. It will be removed on reboot.
13:11: ctslogomiddle.gif is in use. It will be removed on reboot.
13:11: productcatalog.gif is in use. It will be removed on reboot.
13:11: safetytraining.gif is in use. It will be removed on reboot.
13:11: aboutcts.gif is in use. It will be removed on reboot.
13:11: contact.gif is in use. It will be removed on reboot.
13:11: ctslogobottom.gif is in use. It will be removed on reboot.
13:11: sendforquote.gif is in use. It will be removed on reboot.
13:11: menuend.gif is in use. It will be removed on reboot.
13:11: pdficon.gif is in use. It will be removed on reboot.
13:11: blackpx.gif is in use. It will be removed on reboot.
13:11: trans.gif is in use. It will be removed on reboot.
13:11: shadowbg.gif is in use. It will be removed on reboot.
13:11: home.gif is in use. It will be removed on reboot.
13:11: applic.gif is in use. It will be removed on reboot.
13:11: specials.gif is in use. It will be removed on reboot.
13:11: rentals.gif is in use. It will be removed on reboot.
13:11: contact.gif is in use. It will be removed on reboot.
13:11: picosmall.gif is in use. It will be removed on reboot.
13:11: home.gif is in use. It will be removed on reboot.
13:11: applic.gif is in use. It will be removed on reboot.
13:11: specials.gif is in use. It will be removed on reboot.
13:11: rentals.gif is in use. It will be removed on reboot.
13:11: contact.gif is in use. It will be removed on reboot.
13:11: picosmall.gif is in use. It will be removed on reboot.
13:11: Quarantining All Traces: cws_ns3
13:11: Quarantining All Traces: coolwebsearch (cws)
13:12: Quarantining All Traces: security iguard
13:13: Removal process completed. Elapsed time 00:02:37
********
12:37: | Start of Session, Dienstag, 3. Januar 2006 |
12:37: Spy Sweeper started
12:40: | End of Session, Dienstag, 3. Januar 2006 |
 

athena.c

Thread Starter
Joined
Dec 30, 2005
Messages
9
------------------------------------------------------------------------------
---------------------------------------- 2 nd --------------------------------
------------------------------------------------------------------------------
********
14:17: | Start of Session, Dienstag, 3. Januar 2006 |
14:17: Spy Sweeper started
14:17: Sweep initiated using definitions version 594
14:17: Starting Memory Sweep
14:19: Memory Sweep Complete, Elapsed Time: 00:02:06
14:19: Starting Registry Sweep
14:19: Registry Sweep Complete, Elapsed Time:00:00:12
14:19: Starting Cookie Sweep
14:19: Cookie Sweep Complete, Elapsed Time: 00:00:00
14:19: Starting File Sweep
14:20: Found Adware: cws_tiny0
14:20: a0023762.pif:aogpdw (ID = 200)
14:20: iccsigs.dat:ixjaso (ID = 200)
14:20: ezyxh.txt:xexheb (ID = 204)
14:20: dc55.log:nucfb (ID = 200)
14:20: a0023893.ini:rkdiv (ID = 200)
14:20: kb887472.log:aesyil (ID = 204)
14:20: kb834707-ie6sp1-20040929.091901.log:qqehzp (ID = 204)
14:20: a0023796.exe (ID = 200)
14:20: dc12.log:aesyil (ID = 204)
14:20: _default.pif:rdshsm (ID = 200)
14:20: a0023762.pif:mmrzn (ID = 200)
14:20: Found Adware: coolwebsearch (cws)
14:20: kb893066.log:gdkadz (ID = 216849)
14:20: a0023809.ini:mdvvu (ID = 200)
14:20: a0025084.exe (ID = 200)
14:20: a0023803.ini:mdvvu (ID = 200)
14:20: a0025080.ini:rkdiv (ID = 200)
14:20: stub74.ini:mdvvu (ID = 200)
14:20: a0023867.ini:rkdiv (ID = 200)
14:20: a0023866.ini:repwuc (ID = 204)
14:20: a0023762.pif:uaimgl (ID = 204)
14:20: a0023135.pif:uaimgl (ID = 204)
14:20: a0023145.pif:uaimgl (ID = 204)
14:20: a0023826.ini:rkdiv (ID = 200)
14:20: a0023813.exe (ID = 204)
14:20: orun32.ini:sekmcq (ID = 216849)
14:20: a0023152.pif:uaimgl (ID = 204)
14:20: a0023159.pif:aogpdw (ID = 200)
14:20: stub54.ini:rkdiv (ID = 200)
14:21: a0023900.ini:rkdiv (ID = 200)
14:21: a0024174.ini:rkdiv (ID = 200)
14:21: odbcinst.ini:pscusw (ID = 204)
14:21: dc53.log:hmpmey (ID = 204)
14:21: a0023159.pif:mmrzn (ID = 200)
14:21: kb834707-ie6sp1-20040929.091901.log:qaritj (ID = 204)
14:21: a0023139.ini:pscusw (ID = 204)
14:21: _default.pif:gzzpnw (ID = 216849)
14:21: panose.bin:vzfxvq (ID = 204)
14:21: applu.exe (ID = 204)
14:21: a0023623.ini:wexjpo (ID = 204)
14:21: stub25.ini:wexjpo (ID = 204)
14:21: a0023159.pif:uaimgl (ID = 204)
14:21: q329390.log:wdvsfr (ID = 204)
14:22: a0023164.ini:pscusw (ID = 204)
14:24: iis6.log:atmbac (ID = 204)
14:24: adobereg.db:gntjly (ID = 204)
14:24: vminst.log:xxsnuq (ID = 204)
14:24: a0023582.pif:uaimgl (ID = 204)
14:24: crah32.exe (ID = 204)
14:24: kb840987.log:irxnts (ID = 200)
14:25: stub49.ini:fcapbe (ID = 216849)
14:25: a0023628.ini:fcapbe (ID = 216849)
14:25: a0023559.ini:gxvkz (ID = 200)
14:25: kaffeetasse.bmp:qarzf (ID = 200)
14:25: vb.ini:gxvkz (ID = 200)
14:25: msdfmap.ini:bumlfh (ID = 204)
14:26: dc43.log:iwplhp (ID = 216849)
14:26: stub51.ini:rqpobw (ID = 200)
14:27: phwcs.txt:naqcxt (ID = 200)
14:27: cmsetacl.log:jofuh (ID = 200)
14:27: blaue spitzen 16.bmp:eivoos (ID = 204)
14:27: a0023582.pif:aogpdw (ID = 200)
14:27: a0023582.pif:mmrzn (ID = 200)
14:27: a0023624.ini:gxicmj (ID = 200)
14:27: stub31.ini:gxicmj (ID = 200)
14:27: cmsetacl.log:xiotqd (ID = 200)
14:27: eslbatch.ini:icrenq (ID = 200)
14:28: desktop.ini:pjyzlf (ID = 204)
14:28: fächer.bmp:qfqnyd (ID = 204)
14:29: stub45.ini:repwuc (ID = 204)
14:29: kb899588.log:htkemh (ID = 204)
14:30: a0023135.pif:aogpdw (ID = 200)
14:30: a0023135.pif:mmrzn (ID = 200)
14:30: kb873333.log:hhbfwu (ID = 216849)
14:30: a0023145.pif:aogpdw (ID = 200)
14:30: a0023145.pif:mmrzn (ID = 200)
14:30: a0023152.pif:aogpdw (ID = 200)
14:30: a0023152.pif:mmrzn (ID = 200)
14:42: win.ini:pyktos (ID = 200)
14:42: addly.exe (ID = 204)
14:42: nsreg.dat:qkmijc (ID = 204)
14:42: dc48.log:kmzjge (ID = 204)
14:43: stub17.ini:pogbca (ID = 204)
14:44: a0025085.exe (ID = 204)
14:45: a0023825.ini:repwuc (ID = 204)
14:45: a0023817.ini:repwuc (ID = 204)
14:46: _default.pif:zdztyb (ID = 204)
14:49: q810833.log:ivwqzt (ID = 216849)
14:55: File Sweep Complete, Elapsed Time: 00:35:41
14:55: Full Sweep has completed. Elapsed time 00:38:07
14:55: Traces Found: 87
14:56: Removal process initiated
14:56: Quarantining All Traces: coolwebsearch (cws)
14:56: Quarantining All Traces: cws_tiny0
14:57: Removal process completed. Elapsed time 00:00:46
14:57: Deletion from quarantine initiated
14:57: Processing: coolwebsearch (cws)
14:57: Processing: cws_tiny0
14:57: Deletion from quarantine completed. Elapsed time 00:00:00
********
13:23: | Start of Session, Tuesday, 3 January 2006 |
13:23: Spy Sweeper started
13:23: Sweep initiated using definitions version 556
13:23: Starting Memory Sweep
13:24: Memory Sweep Complete, Elapsed Time: 00:01:19
13:24: Starting Registry Sweep
13:24: Registry Sweep Complete, Elapsed Time:00:00:11
13:24: Starting Cookie Sweep
13:24: Cookie Sweep Complete, Elapsed Time: 00:00:00
13:24: Starting File Sweep
13:45: File Sweep Complete, Elapsed Time: 00:20:46
13:45: Full Sweep has completed. Elapsed time 00:22:21
13:45: Traces Found: 0
14:16: Your spyware definitions have been updated.
14:16: Updating spyware definitions
14:16: Your definitions are up to date.
14:17: | End of Session, Tuesday, 3 January 2006 |
********
12:40: | Start of Session, Tuesday, 3 January 2006 |
12:40: Spy Sweeper started
12:40: Sweep initiated using definitions version 556
12:40: Starting Memory Sweep
12:41: Found Adware: cws_ns3
12:41: Detected running threat: C:\WINDOWS\appgt.exe (ID = 8)
12:41: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || appgt.exe (ID = 0)
12:42: Detected running threat: C:\WINDOWS\system32\javauo.exe (ID = 8)
12:42: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce || javauo.exe (ID = 0)
12:42: Memory Sweep Complete, Elapsed Time: 00:01:25
12:42: Starting Registry Sweep
12:42: HKCR\clsid\{4aeda6fc-6816-f03c-12f8-cde056451f16}\ (10 subtraces) (ID = 117830)
12:42: HKCR\clsid\{85f1c7fc-7359-d6d5-c42b-f3e410db4cad}\ (4 subtraces) (ID = 118285)
12:42: HKCR\clsid\{676575dd-4d46-911d-8037-9b10d6ee8bb5}\ (ID = 118649)
12:42: HKCR\clsid\{b1169abc-e367-2937-9f96-3b9cb54e0f31}\ (4 subtraces) (ID = 118884)
12:42: HKLM\software\classes\clsid\{4aeda6fc-6816-f03c-12f8-cde056451f16}\ (10 subtraces) (ID = 119704)
12:42: HKLM\software\classes\clsid\{85f1c7fc-7359-d6d5-c42b-f3e410db4cad}\ (4 subtraces) (ID = 120141)
12:42: HKLM\software\classes\clsid\{676575dd-4d46-911d-8037-9b10d6ee8bb5}\ (ID = 120496)
12:42: HKLM\software\classes\clsid\{b1169abc-e367-2937-9f96-3b9cb54e0f31}\ (4 subtraces) (ID = 120722)
12:42: HKLM\software\microsoft\windows\currentversion\uninstall\hsa\ (2 subtraces) (ID = 123379)
12:42: HKLM\software\microsoft\windows\currentversion\uninstall\se\ (2 subtraces) (ID = 123380)
12:42: HKLM\software\microsoft\windows\currentversion\uninstall\sw\ (2 subtraces) (ID = 123381)
12:42: Registry Sweep Complete, Elapsed Time:00:00:11
12:42: Starting Cookie Sweep
12:42: Cookie Sweep Complete, Elapsed Time: 00:00:00
12:42: Starting File Sweep
12:44: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023570.exe". Access denied
12:45: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023522.exe". Access denied
12:45: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023521.exe". Access denied
12:46: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023523.exe". Access denied
12:46: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023524.exe". Access denied
12:46: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023526.exe". Access denied
12:46: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023553.exe". Access denied
12:47: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023529.exe". Access denied
12:47: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023525.exe". Access denied
12:48: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023527.exe". Access denied
12:48: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023528.exe". Access denied
12:48: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023530.exe". Access denied
12:48: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023532.exe". Access denied
12:48: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023533.exe". Access denied
12:48: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023534.exe". Access denied
12:49: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023535.exe". Access denied
12:49: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp261\a0023181.exe". Access denied
12:50: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023572.exe". Access denied
12:55: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023531.dll". Access denied
12:55: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023552.dll". Access denied
12:56: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023564.dll". Access denied
12:57: Found Adware: security iguard
12:57: chmhelp.chm (ID = 75238)
12:58: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023571.dll". Access denied
13:03: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023537.exe". Access denied
13:04: Found Adware: coolwebsearch (cws)
13:04: online instant loan.url (ID = 130685)
13:04: search the web.url (ID = 54454)
13:04: seven days of free porn.url (ID = 54472)
13:04: credit counseling.url (ID = 130668)
13:04: insurance home.url (ID = 130676)
13:04: mortgage life insurance.url (ID = 130681)
13:04: help desk software.url (ID = 130675)
13:04: videos.url (ID = 130694)
13:04: what is hydrocodone.url (ID = 130695)
13:04: online gambling casino.url (ID = 130684)
13:04: refinancing my mortgage.url (ID = 130691)
13:04: debt credit card.url (ID = 130671)
13:04: fha.url (ID = 130673)
13:04: loan for debt consolidation.url (ID = 130677)
13:04: health insurance.url (ID = 130674)
13:04: personal loans online.url (ID = 130688)
13:04: payroll advance.url (ID = 130687)
13:04: marketing email.url (ID = 130679)
13:04: prescription drugs rx online.url (ID = 130690)
13:04: credit report.url (ID = 130669)
13:04: tahoe vacation rental.url (ID = 130692)
13:04: escorts.url (ID = 130672)
13:04: order phentermine.url (ID = 130686)
13:04: mortgage insurance.url (ID = 130680)
13:04: personal loans with bad credit.url (ID = 130689)
13:04: crm software.url (ID = 130670)
13:04: nevada corporations.url (ID = 130682)
13:04: unsecured bad credit loans.url (ID = 130693)
13:04: loan for people with bad credit.url (ID = 130678)
13:04: broadband comparison.url (ID = 130667)
13:04: online betting site.url (ID = 130683)
13:04: ab scissor.url (ID = 130666)
13:04: only sex website.url (ID = 54373)
13:04: Found System Monitor: potentially rootkit-masked files
13:04: tubesandaccuro.jpg (ID = 0)
13:04: oilrig.gif (ID = 0)
13:04: oilrig.gif (ID = 0)
13:04: afcback.gif (ID = 0)
13:04: afclogo.gif (ID = 0)
13:04: greygradient.gif (ID = 0)
13:04: training.gif (ID = 0)
13:04: links.gif (ID = 0)
13:04: gradient.gif (ID = 0)
13:04: gasnewarrow.gif (ID = 0)
13:04: gasgasarrow.gif (ID = 0)
13:04: gasisoarrow.gif (ID = 0)
13:04: gasairarrow.gif (ID = 0)
13:04: gasotherarrow.gif (ID = 0)
13:04: gasresparrow.gif (ID = 0)
13:04: gaswaterarrow.gif (ID = 0)
13:04: afclogo.gif (ID = 0)
13:04: greygradient.gif (ID = 0)
13:04: training.gif (ID = 0)
13:04: links.gif (ID = 0)
13:04: gradient.gif (ID = 0)
13:04: gasnewarrow.gif (ID = 0)
13:04: gasgasarrow.gif (ID = 0)
13:04: gasisoarrow.gif (ID = 0)
13:04: gasairarrow.gif (ID = 0)
13:04: wmd.gif (ID = 0)
13:04: gasotherarrow.gif (ID = 0)
13:04: gasresparrow.gif (ID = 0)
13:04: gaswaterarrow.gif (ID = 0)
13:04: afcback.gif (ID = 0)
13:04: difftube.jpg (ID = 0)
13:04: ctslogotop.gif (ID = 0)
13:04: amacp.gif (ID = 0)
13:04: ctslogomiddle.gif (ID = 0)
13:04: productcatalog.gif (ID = 0)
13:04: safetytraining.gif (ID = 0)
13:04: aboutcts.gif (ID = 0)
13:04: contact.gif (ID = 0)
13:04: ctslogobottom.gif (ID = 0)
13:04: sendforquote.gif (ID = 0)
13:04: menuend.gif (ID = 0)
13:04: pdficon.gif (ID = 0)
13:04: blackpx.gif (ID = 0)
13:04: trans.gif (ID = 0)
13:04: shadowbg.gif (ID = 0)
13:04: home.gif (ID = 0)
13:04: applic.gif (ID = 0)
13:04: specials.gif (ID = 0)
13:04: rentals.gif (ID = 0)
13:04: contact.gif (ID = 0)
13:04: picosmall.gif (ID = 0)
13:04: home.gif (ID = 0)
13:04: applic.gif (ID = 0)
13:04: specials.gif (ID = 0)
13:04: rentals.gif (ID = 0)
13:04: contact.gif (ID = 0)
13:04: picosmall.gif (ID = 0)
13:09: File Sweep Complete, Elapsed Time: 00:26:49
13:09: Full Sweep has completed. Elapsed time 00:28:30
13:09: Traces Found: 148
13:10: Removal process initiated
13:11: Quarantining All Traces: potentially rootkit-masked files
13:11: potentially rootkit-masked files is in use. It will be removed on reboot.
13:11: tubesandaccuro.jpg is in use. It will be removed on reboot.
13:11: oilrig.gif is in use. It will be removed on reboot.
13:11: oilrig.gif is in use. It will be removed on reboot.
13:11: afcback.gif is in use. It will be removed on reboot.
13:11: afclogo.gif is in use. It will be removed on reboot.
13:11: greygradient.gif is in use. It will be removed on reboot.
13:11: training.gif is in use. It will be removed on reboot.
13:11: links.gif is in use. It will be removed on reboot.
13:11: gradient.gif is in use. It will be removed on reboot.
13:11: gasnewarrow.gif is in use. It will be removed on reboot.
13:11: gasgasarrow.gif is in use. It will be removed on reboot.
13:11: gasisoarrow.gif is in use. It will be removed on reboot.
13:11: gasairarrow.gif is in use. It will be removed on reboot.
13:11: gasotherarrow.gif is in use. It will be removed on reboot.
13:11: gasresparrow.gif is in use. It will be removed on reboot.
13:11: gaswaterarrow.gif is in use. It will be removed on reboot.
13:11: afclogo.gif is in use. It will be removed on reboot.
13:11: greygradient.gif is in use. It will be removed on reboot.
13:11: training.gif is in use. It will be removed on reboot.
13:11: links.gif is in use. It will be removed on reboot.
13:11: gradient.gif is in use. It will be removed on reboot.
13:11: gasnewarrow.gif is in use. It will be removed on reboot.
13:11: gasgasarrow.gif is in use. It will be removed on reboot.
13:11: gasisoarrow.gif is in use. It will be removed on reboot.
13:11: gasairarrow.gif is in use. It will be removed on reboot.
13:11: wmd.gif is in use. It will be removed on reboot.
13:11: gasotherarrow.gif is in use. It will be removed on reboot.
13:11: gasresparrow.gif is in use. It will be removed on reboot.
13:11: gaswaterarrow.gif is in use. It will be removed on reboot.
13:11: afcback.gif is in use. It will be removed on reboot.
13:11: difftube.jpg is in use. It will be removed on reboot.
13:11: ctslogotop.gif is in use. It will be removed on reboot.
13:11: amacp.gif is in use. It will be removed on reboot.
13:11: ctslogomiddle.gif is in use. It will be removed on reboot.
13:11: productcatalog.gif is in use. It will be removed on reboot.
13:11: safetytraining.gif is in use. It will be removed on reboot.
13:11: aboutcts.gif is in use. It will be removed on reboot.
13:11: contact.gif is in use. It will be removed on reboot.
13:11: ctslogobottom.gif is in use. It will be removed on reboot.
13:11: sendforquote.gif is in use. It will be removed on reboot.
13:11: menuend.gif is in use. It will be removed on reboot.
13:11: pdficon.gif is in use. It will be removed on reboot.
13:11: blackpx.gif is in use. It will be removed on reboot.
13:11: trans.gif is in use. It will be removed on reboot.
13:11: shadowbg.gif is in use. It will be removed on reboot.
13:11: home.gif is in use. It will be removed on reboot.
13:11: applic.gif is in use. It will be removed on reboot.
13:11: specials.gif is in use. It will be removed on reboot.
13:11: rentals.gif is in use. It will be removed on reboot.
13:11: contact.gif is in use. It will be removed on reboot.
13:11: picosmall.gif is in use. It will be removed on reboot.
13:11: home.gif is in use. It will be removed on reboot.
13:11: applic.gif is in use. It will be removed on reboot.
13:11: specials.gif is in use. It will be removed on reboot.
13:11: rentals.gif is in use. It will be removed on reboot.
13:11: contact.gif is in use. It will be removed on reboot.
13:11: picosmall.gif is in use. It will be removed on reboot.
13:11: Quarantining All Traces: cws_ns3
13:11: Quarantining All Traces: coolwebsearch (cws)
13:12: Quarantining All Traces: security iguard
13:13: Removal process completed. Elapsed time 00:02:37
13:22: Deletion from quarantine initiated
13:22: Processing: coolwebsearch (cws)
13:22: Processing: cws_ns3
13:22: Processing: potentially rootkit-masked files
13:22: Processing: security iguard
13:22: Deletion from quarantine completed. Elapsed time 00:00:01
13:23: | End of Session, Tuesday, 3 January 2006 |
********
12:37: | Start of Session, Tuesday, 3 January 2006 |
12:37: Spy Sweeper started
12:40: | End of Session, Tuesday, 3 January 2006 |
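The Spy Sweeper sessions above report one trace per line, which hides the structure a responder actually wants: which families were named, what was running in memory, which registry values relaunch it, which hits are `file:stream` entries, and which are copies inside System Restore points. The script below is an added example, not part of the thread and not Webroot's tooling; it parses the line shapes visible in the posted sessions. The sample log is a constructed subset of lines from the posts above (the unreadable-file warning is one of the posted lines with its message translated). Two interpretations are this example's assumptions, which the log itself does not state: that `name:stream` denotes an NTFS alternate data stream attached to an otherwise legitimate host file (win.ini, desktop.ini, odbcinst.ini, hotfix logs), so the host should be kept and only the stream removed; and that names of the form `a00NNNNN.ext` are System Restore's backup copies, as the warning lines under `c:\system volume information\_restore{...}\rpNNN\` suggest, which is exactly what flushing the restore points addresses.

```python
"""Triage a Webroot Spy Sweeper session log.

Added example; not Webroot's code. Line shapes handled, as seen in the posted log:
  HH:MM: Found Adware: <family>                       family header
  HH:MM: Detected running threat: <path> (ID = n)     process found in memory
  HH:MM: HKLM\...\Run || <value> (ID = n)             autostart registry value
  HH:MM: HKCR\clsid\{...}\ (k subtraces) (ID = n)     registry key
  HH:MM: <file> (ID = n)                              plain file trace
  HH:MM: <file>:<stream> (ID = n)                     file trace; ASSUMED to be an
                                                      NTFS alternate data stream
  HH:MM: Warning: Failed to open file "<path>". ...   file the scanner could not read
"""
import re
from collections import defaultdict

FAMILY_RE = re.compile(r"^\d\d:\d\d: Found (?:Adware|System Monitor): (?P<family>.+)$")
RUNNING_RE = re.compile(r"^\d\d:\d\d: Detected running threat: (?P<path>.+) \(ID = \d+\)$")
REGVALUE_RE = re.compile(r"^\d\d:\d\d: (?P<key>HK\w+\\\S+) \|\| (?P<value>.+) \(ID = \d+\)$")
REGKEY_RE = re.compile(r"^\d\d:\d\d: (?P<key>HK\w+\\\S+)(?: \(\d+ subtraces\))? \(ID = \d+\)$")
FILE_RE = re.compile(r"^\d\d:\d\d: (?P<name>[^:]+?)(?::(?P<stream>[^:]+?))? \(ID = \d+\)$")
UNREADABLE_RE = re.compile(r'^\d\d:\d\d: Warning: Failed to open file "(?P<path>[^"]+)"')
# ASSUMPTION: a00NNNNN.<ext> is the naming System Restore uses for its backed-up
# copies; the posted warning lines show such names under _restore{...}\rpNNN\.
RESTORE_COPY_RE = re.compile(r"^a\d{7}\.\w+$", re.I)

# Constructed sample: a subset of lines from the posted sessions.
SAMPLE_LOG = r"""
12:41: Found Adware: cws_ns3
12:41: Detected running threat: C:\WINDOWS\appgt.exe (ID = 8)
12:41: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || appgt.exe (ID = 0)
12:42: HKCR\clsid\{4aeda6fc-6816-f03c-12f8-cde056451f16}\ (10 subtraces) (ID = 117830)
12:42: Starting File Sweep
12:44: Warning: Failed to open file "c:\system volume information\_restore{fe41018b-722e-4b96-9a82-421d8776f668}\rp263\a0023570.exe". Access denied
13:04: Found Adware: coolwebsearch (cws)
14:20: kb893066.log:gdkadz (ID = 216849)
14:20: a0025084.exe (ID = 200)
14:21: odbcinst.ini:pscusw (ID = 204)
14:42: win.ini:pyktos (ID = 200)
14:42: addly.exe (ID = 204)
14:55: Traces Found: 87
"""


def parse_sweep_log(text):
    """Group the log's trace lines by what a responder would act on."""
    report = {
        "families": [],            # detection families named in the log
        "running": [],             # binaries found executing in memory
        "autostart": [],           # (registry key, value) pairs that relaunch the threat
        "registry": [],            # other registry keys (CLSIDs, uninstall entries)
        "ads": defaultdict(list),  # host file -> flagged stream names (assumed ADS)
        "files": [],               # plain file traces
        "unreadable": [],          # files the scanner could not open
    }
    for raw in text.splitlines():
        line = raw.rstrip()
        # Order matters: the specific shapes are tested before the generic file shape.
        if m := FAMILY_RE.match(line):
            report["families"].append(m.group("family"))
        elif m := RUNNING_RE.match(line):
            report["running"].append(m.group("path"))
        elif m := REGVALUE_RE.match(line):
            report["autostart"].append((m.group("key"), m.group("value")))
        elif m := REGKEY_RE.match(line):
            report["registry"].append(m.group("key"))
        elif m := UNREADABLE_RE.match(line):
            report["unreadable"].append(m.group("path"))
        elif m := FILE_RE.match(line):
            if m.group("stream"):
                report["ads"][m.group("name")].append(m.group("stream"))
            else:
                report["files"].append(m.group("name"))
    report["ads"] = dict(report["ads"])
    return report


def restore_point_copies(report):
    """Traces that live inside System Restore points: a scanner cannot clean these
    in place, which is why the restore points get flushed (see the reply below)."""
    names = list(report["files"]) + list(report["ads"])
    return sorted(n for n in names if RESTORE_COPY_RE.match(n))


def ads_hosts(report):
    """Legitimate host files carrying a flagged stream: keep the host, drop the stream."""
    return sorted(report["ads"])


if __name__ == "__main__":
    r = parse_sweep_log(SAMPLE_LOG)
    print("families:", r["families"])
    print("running:", r["running"])
    print("autostart:", r["autostart"])
    print("ADS hosts to inspect, not delete:", ads_hosts(r))
    print("restore-point copies:", restore_point_copies(r))
    print("unreadable:", r["unreadable"])
```

Run it against a full saved session log instead of `SAMPLE_LOG` to get the same grouping for all 148 traces; the `running` and `autostart` lists are the items to verify are gone after the reboot, and anything in `restore_point_copies` will keep reappearing in scans until the restore points are cleared.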
 

athena.c

Thread Starter
And here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 16:26:14, on 03.01.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\SigmaTel\C-Major Audio\stacmon.exe
C:\WINDOWS\system32\ICO.EXE
C:\Programme\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Programme\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Sony\HotKey Utility\HKWnd.exe
C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programme\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Dokumente und Einstellungen\Georgios K\Desktop\antivirus\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Programme\SigmaTel\C-Major Audio\stacmon.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Programme\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [SpySweeper] "C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C646B452-E7B1-4322-8A24-FBDFE9114557}: NameServer = 195.244.244.11,195.244.235.10
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Programme\Webroot\Spy Sweeper\WRSSSDK.exe



For the moment I'm only happy.

Don't know how to thank you for your help!!!

Nice work, great advice, super contact.

Thanks!
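A HijackThis log is read by section code (R0 start page, R3 URLSearchHook, O4 autostart, O17 DNS settings, O20 Winlogon Notify, and so on), and the two lines the reply below asks to fix are exactly the ones a mechanical pass would single out: an R0 with an empty value and the R3 "missing" line. The script below is an added example, not HijackThis's own code and not from the thread; it applies a few review heuristics that are this example's assumptions, not rules from the thread. The sample log is a constructed subset of the posted entries plus one invented O4 line (`[updater]` pointing into a user Temp folder) to show the path check; the O17 name servers in the posted log are listed for verification only, nothing here claims they are hostile.

```python
"""Triage a HijackThis 1.99 log by section code.

Added example; not HijackThis's code. Section meanings follow HijackThis's own
numbering; the heuristics (what to flag) are this example's assumptions.
"""
import re

SECTIONS = {
    "R0": "IE start/search page",
    "R3": "URLSearchHook",
    "O2": "browser helper object",
    "O4": "autostart entry",
    "O16": "ActiveX download (DPF)",
    "O17": "TCP/IP DNS or domain setting",
    "O20": "Winlogon Notify DLL",
    "O23": "service",
}

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<rest>.+)$")
# ASSUMED heuristic: autostarts from a Temp folder or behind an 8.3 short name
# (DOKUME~1, LOKALE~1) deserve a second look before anything else.
SUSPECT_PATH_RE = re.compile(r"\\Temp\\|~\d\\", re.I)
NAMESERVER_RE = re.compile(r"^O17 - .*NameServer = (?P<list>[\d.,]+)")

# Constructed sample: posted entries plus one invented O4 line ([updater]).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [updater] C:\DOKUME~1\USER~1\LOKALE~1\Temp\svchost32.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C646B452-E7B1-4322-8A24-FBDFE9114557}: NameServer = 195.244.244.11,195.244.235.10
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""


def triage(text):
    """Return (code, reason, line) for every entry worth a human decision."""
    findings = []
    for raw in text.splitlines():
        line = raw.rstrip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, rest = m.group("code"), m.group("rest")
        if code == "R0" and rest.endswith("="):
            findings.append((code, "empty value; fix to clear the leftover entry", line))
        elif code == "R3" and "missing" in rest:
            findings.append((code, "default URLSearchHook missing; fix restores it", line))
        elif code == "O4" and SUSPECT_PATH_RE.search(rest):
            findings.append((code, "autostart from a Temp or short-name path; identify the binary", line))
        elif code == "O17":
            findings.append((code, "DNS servers: verify they belong to the ISP or the network", line))
        elif code == "O20":
            findings.append((code, "DLL loaded by winlogon at logon; confirm the publisher", line))
    return findings


def nameservers(text):
    """Every IP listed in O17 NameServer entries, for a DNS-hijack check."""
    ips = []
    for line in text.splitlines():
        m = NAMESERVER_RE.match(line.strip())
        if m:
            ips.extend(m.group("list").split(","))
    return ips


def describe(code):
    return SECTIONS.get(code, "other")


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"{code:<4}{describe(code):<28}{reason}\n     {line}")
    print("name servers to verify:", nameservers(SAMPLE_LOG))
```

On the posted log this flags the same two lines the reply fixes, plus the O17 and O20 entries for confirmation (here the O20 DLL is Spy Sweeper's own logon hook, so it stays). The point of the path heuristic is the HijackThis habit of judging an O4 by where its binary lives rather than by its friendly name.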
 

JSntgRvr

José
Retired Moderator and Malware Specialist
Close all browsers. Run HijackThis. Place a checkmark on the following lines and click on Fix checked:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing

Turn Off System restore to flush the backup points that also are infected, then turn it back On.

To turn off Windows XP System Restore:

Note: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.

Click Start.
Right-click My Computer, and then click Properties.
Click the System Restore tab.
Select "Turn off System Restore" or "Turn off System Restore on all drives" check box.
Click Apply. The following message appears:
As noted in the message, this will delete all existing restore points. Click Yes to do this.
Click OK.


To turn On Windows XP System Restore:

Click Start.
Right-click My Computer, and then click Properties.
Click the System Restore tab.
Clear the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
Click Apply, and then click OK.

System Restore will create regular backups of selected system files and program files.

You can also create a Restore Point on your own:

Start -> All Programs -> Accessories -> System Tools -> System Restore

Follow instructions on Screen to create a restore point.

Here is some advice from our security experts to avoid re-infection:

http://forums.techguy.org/t208517.html

Use the thread's Tools and mark this thread as "Solved".

Best wishes! :)
 