
Solved: Help can't del away spywarestrike

Discussion in 'Virus & Other Malware Removal' started by joenic, Jan 25, 2006.

Thread Status:
Not open for further replies.
  1. joenic

    joenic Thread Starter

    Joined:
    Jan 25, 2006
    Messages:
    13
    here is my log file

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\khooker.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Joe Heng\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?lc=1033&id=2
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SpywareStrike] C:\Program Files\SpywareStrike\SpywareStrike.exe /h
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


    Help

    Thks
     
  2. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Welcome to TSG :)

    That's a very short log. Is that the whole thing?

    * Click here to download smitRem.exe.
    • Save the file to your desktop.
    • It is a self extracting file.
    • Doubleclick the smitRem.exe and it will extract the files to a smitRem folder on your desktop.
    • Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.

    * Download the trial version of Ewido Security Suite here.
    • Install ewido.
    • During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    • Launch ewido
    • It will prompt you to update click the OK button and it will go to the main screen
    • On the left side of the main screen click update
    • Click on Start and let it update.
    • DO NOT run a scan yet. You will do that later in safe mode.


    * Click here for info on how to boot to safe mode if you don't already know how.


    * Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.


    * Restart your computer into safe mode now. Perform the following steps in safe mode:


    * Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
    Wait for the tool to complete and disk cleanup to finish.


    * Run Ewido:
    • Click on scanner
    • Click Complete System Scan and the scan will begin.
    • During the scan it will prompt you to clean files, click OK
    • When the scan is finished, look at the bottom of the screen and click the Save report button.
    • Save the report to your desktop


    * Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


    * Next go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button. Click OK then Apply and OK.


    * Restart back into Windows normally now.


    * Run ActiveScan online virus scan here

    When the scan is finished, have it delete anything that it cannot clean. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
    - Save the results from the scan!

    Post a new HiJack This log along with the results from ActiveScan and the Ewido scan and post the contents of the smitfiles.txt.
     
  3. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    ^ Replied above ^
     
  4. joenic

    joenic Thread Starter

    Joined:
    Jan 25, 2006
    Messages:
    13
    here is the new HJT file

    Logfile of HijackThis v1.99.1
    Scan saved at 11:02:55 PM, on 1/26/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\khooker.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\SpywareStrike\SpywareStrike.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\Program Files\SpywareStrike\SpywareStrike.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\Documents and Settings\Joe Heng\Desktop\HijackThis.exe

    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SpywareStrike] C:\Program Files\SpywareStrike\SpywareStrike.exe /h
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe




    the ewido's

    --------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 1:58:13 AM, 1/26/2006
    + Report-Checksum: A2A66856

    + Scan result:

    HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
    C:\Documents and Settings\Guest\Cookies\[email protected][1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\Guest\Cookies\[email protected][1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
    C:\Documents and Settings\Guest\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Guest\Cookies\[email protected][1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
    C:\Documents and Settings\Guest\Cookies\[email protected][1].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
    C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][2].txt -> Spyware.Cookie.Adorigin : Cleaned with backup
    C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
    C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
    C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
    C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
    C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][2].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
    C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][2].txt -> Spyware.Cookie.Com : Cleaned with backup
    C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][2].txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
    C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
    C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
    C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
    C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][1].txt -> Spyware.Cookie.Com : Cleaned with backup
    C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][1].txt -> Spyware.Cookie.Paycounter : Cleaned with backup
    C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
    C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
    C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
    C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
    C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
    C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
    C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
    C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
    C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][1].txt -> Spyware.Cookie.Xxxcounter : Cleaned with backup
    C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
    C:\System Volume Information\_restore{90AC6B72-E1CF-4B78-AB99-3A41731FE67B}\RP9\A0002421.exe -> Downloader.Small.aqu : Cleaned with backup
    C:\System Volume Information\_restore{90AC6B72-E1CF-4B78-AB99-3A41731FE67B}\RP9\A0002422.exe -> Downloader.Small.aqu : Cleaned with backup
    C:\System Volume Information\_restore{90AC6B72-E1CF-4B78-AB99-3A41731FE67B}\RP9\A0002547.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup


    the activescan

    Incident Status Location

    Adware:adware/craft Not disinfected C:\WINDOWS\SYSTEM32\web.exe
    Potentially unwanted tool:application/spywarestrike Not disinfected C:\PROGRAM FILES\SpywareStrike
    Adware:adware/antivirus-gold Not disinfected Windows Registry
    Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][2].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][1].txt
    Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][1].txt
    Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][1].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][2].txt
    Spyware:Cookie/go Not disinfected C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][1].txt
    Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][2].txt
    Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][2].txt
    Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][1].txt
    Spyware:Cookie/Outster Not disinfected C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][1].txt
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][1].txt
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][1].txt
    Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][2].txt
    Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][1].txt
    Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][2].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][1].txt
    Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][1].txt
    Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][1].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][2].txt
    Spyware:Cookie/go Not disinfected C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][1].txt
    Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][2].txt
    Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][2].txt
    Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][1].txt
    Spyware:Cookie/Outster Not disinfected C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][1].txt
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][1].txt
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][1].txt
    Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][2].txt
    Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Joe Heng\Cookies\joe [email protected][1].txt
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Joe Heng\Desktop\smitRem\Process.exe
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Joe Heng\Desktop\smitRem.exe[Process.exe]
    Adware:Adware/Adsmart Not disinfected C:\lo-883434309.exe
    Adware:Adware/SpywareStrike Not disinfected C:\Program Files\SpywareStrike\SpywareStrike.exe
    Adware:Adware/SpywareStrike Not disinfected C:\Program Files\SpywareStrike\uninst.exe
    Adware:Adware/Adsmart Not disinfected C:\WINDOWS\system32\web.exe


    Pls help!!

    I don't want to reformat my hard disk
     
  5. joenic

    joenic Thread Starter

    Joined:
    Jan 25, 2006
    Messages:
    13
    Anyone, please????
     
  6. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Download KillBox here: http://www.downloads.subratam.org/KillBox.exe
    Save it to your desktop.
    DO NOT run it yet.

    Rescan with Hijack This.
    Close all browser windows except Hijack This.
    Put a check mark beside these entries and click "Fix Checked".

    O4 - HKLM\..\Run: [SpywareStrike] C:\Program Files\SpywareStrike\SpywareStrike.exe /h

    Boot into Safe Mode.

    * Double click on Killbox.exe to run it.

    Put a tick by Standard File Kill.
    In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

    C:\Program Files\SpywareStrike
    C:\WINDOWS\SYSTEM32\web.exe


    Click on the button that has the red circle with the X in the middle after you enter each file.
    It will ask for confirmation to delete the file.
    Click Yes.
    Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
    Killbox may tell you that one or more files do not exist.
    If that happens, just continue on with all the files. Be sure you don't miss any.
    Next in Killbox go to Tools > Delete Temp Files
    In the window that pops up, put a check by ALL the options there except these three:
    XP Prefetch
    Recent
    History

    Now click the Delete Selected Temp Files button.
    Exit the Killbox.

    Finally go to Control Panel > Internet Options.
    On the General tab under "Temporary Internet Files" Click "Delete Files".
    Put a check by "Delete Offline Content" and click OK.
    Click on the Programs tab then click the "Reset Web Settings" button.
    Click Apply then OK.

    Empty the Recycle Bin.

    Reboot, post a new Hijack This log.
     
  7. joenic

    joenic Thread Starter

    Joined:
    Jan 25, 2006
    Messages:
    13
    this is the new HJT log

    Logfile of HijackThis v1.99.1
    Scan saved at 12:55:07 PM, on 1/28/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SiSUSBrg.exe
    C:\WINDOWS\System32\khooker.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\tftp.exe
    C:\Documents and Settings\Joe Heng\Desktop\HijackThis.exe

    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
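The moderator's instructions in post 6 (fix the SpywareStrike O4 entry in HijackThis, delete the files in safe mode, then post a fresh log) and the log in post 7 are a before/after pair. The following Python is an added example, not code from the thread, HijackThis or any of the tools named here: a small parser for the HijackThis log format that pulls out the "Running processes" block and the O4 HKLM/HKCU Run entries, then compares two logs to confirm that a fixed Run entry is gone, that its executable no longer appears as a running process, and which processes are new in the later log. Function names (parse_hjt, verify_fix, new_processes) are my own; the sample text is trimmed from the logs joenic posted in posts 4 and 7 of this thread.

```python
"""Parse HijackThis-style logs and diff two of them (added example, not HijackThis code)."""
import re
from dataclasses import dataclass, field

# Matches lines such as:  O4 - HKLM\..\Run: [SpywareStrike] C:\Program Files\SpywareStrike\SpywareStrike.exe /h
O4_RUN_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<command>.+)$'
)
# Pulls the executable path out of a Run value, ignoring trailing switches like "/h".
EXE_RE = re.compile(r'^(?P<path>.+?\.exe)(?:\s|$)', re.IGNORECASE)


@dataclass
class HjtLog:
    processes: list = field(default_factory=list)      # full paths, in log order
    run_entries: dict = field(default_factory=dict)    # entry name -> (hive, command)


def parse_hjt(text: str) -> HjtLog:
    """Extract the running-process block and the O4 Run entries from log text."""
    log = HjtLog()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process block
            continue
        if line == 'Running processes:':
            in_processes = True
            continue
        if in_processes:
            log.processes.append(line)
            continue
        m = O4_RUN_RE.match(line)
        if m:
            log.run_entries[m.group('name')] = (m.group('hive'), m.group('command'))
    return log


def still_running(log: HjtLog, exe_name: str) -> list:
    """Processes whose file name matches exe_name (Windows paths, so case-insensitive)."""
    suffix = '\\' + exe_name.lower()
    return [p for p in log.processes if p.lower().endswith(suffix)]


def removed_entries(before: HjtLog, after: HjtLog) -> list:
    """Run entry names present in the earlier log but absent from the later one."""
    return sorted(set(before.run_entries) - set(after.run_entries))


def new_processes(before: HjtLog, after: HjtLog) -> list:
    """Processes that appear only in the later log; anything new here deserves a look."""
    seen = {p.lower() for p in before.processes}
    return sorted(p for p in after.processes if p.lower() not in seen)


def verify_fix(before: HjtLog, after: HjtLog, entry_name: str) -> dict:
    """Check that a Run entry fixed in HijackThis is gone and its executable is not running."""
    _hive, command = before.run_entries[entry_name]
    m = EXE_RE.match(command)
    exe_name = (m.group('path') if m else command).rsplit('\\', 1)[-1]
    return {
        'run_entry_removed': entry_name not in after.run_entries,
        'process_gone': not still_running(after, exe_name),
    }


# Sample logs, trimmed from posts 4 and 7 of this thread (constructed test input).
BEFORE_TEXT = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SpywareStrike\SpywareStrike.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SpywareStrike\SpywareStrike.exe
C:\Documents and Settings\Joe Heng\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [SpywareStrike] C:\Program Files\SpywareStrike\SpywareStrike.exe /h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

AFTER_TEXT = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\tftp.exe
C:\Documents and Settings\Joe Heng\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""

BEFORE = parse_hjt(BEFORE_TEXT)
AFTER = parse_hjt(AFTER_TEXT)

if __name__ == '__main__':
    print('Run entries removed:', removed_entries(BEFORE, AFTER))
    print('SpywareStrike fix:', verify_fix(BEFORE, AFTER, 'SpywareStrike'))
    print('Processes new in later log:', new_processes(BEFORE, AFTER))
```

Only the HKLM/HKCU Run flavour of O4 is parsed here; the "O4 - Global Startup:" lines that HijackThis writes for Startup-folder shortcuts pass through untouched, so extend O4_RUN_RE if you need those as well. Comparing the two logs this way turns "post a new log" into a concrete check: the fixed entry should be absent, its executable should not be running, and any process present only in the later log is the first thing to look at next.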
     
  8. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    How are things now?
     
  9. joenic

    joenic Thread Starter

    Joined:
    Jan 25, 2006
    Messages:
    13
    The icon on the taskbar and the desktop shortcut are still there.

    Is it supposed to be like this??

    Thks!!
     
  10. cfa-ddg2

    cfa-ddg2

    Joined:
    Oct 30, 2005
    Messages:
    175
    Unless you update your WindowsXP to SP1, you are wasting your time...you will be re-infected quickly. You should do this immediately.

    After you are clean, you need to update to SP2 with all the latest security updates..but do not try and update to SP2 before your system is CLEAN!
     
  11. joenic

    joenic Thread Starter

    Joined:
    Jan 25, 2006
    Messages:
    13
    The last time I used SP2 it brought a lot of problems with it, so when I reformatted my hard disk I didn't bother to download it.
     
  12. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Please check in Add/Remove Programs for SpywareStrike. If it's there, uninstall it. Then post a new Hijack This log.
     
  13. joenic

    joenic Thread Starter

    Joined:
    Jan 25, 2006
    Messages:
    13
    here is the new HJT log

    Logfile of HijackThis v1.99.1
    Scan saved at 4:52:10 AM, on 1/29/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\khooker.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Documents and Settings\Joe Heng\Desktop\HijackThis.exe

    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe



    I have gone to Add/Remove Programs and removed the program, but the taskbar and the program are still on the desktop.
     
  14. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Run Kaspersky online virus scan here: http://www.kaspersky.com/virusscanner

    When given the option, choose the "Extended database" for the scan.
    When it's finished, save the results from the scan and post them here.
     
  15. joenic

    joenic Thread Starter

    Joined:
    Jan 25, 2006
    Messages:
    13
    Hi, this is the Kaspersky log
    -------------------------------------------------------------------------------
    KASPERSKY ON-LINE SCANNER REPORT
    Sunday, January 29, 2006 12:41:50
    Operating System: Microsoft Windows XP Home Edition, (Build 2600)
    Kaspersky On-line Scanner version: 5.0.67.0
    Kaspersky Anti-Virus database last update: 29/01/2006
    Kaspersky Anti-Virus database records: 173681
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 25832
    Number of viruses found: 7
    Number of infected objects: 14
    Number of suspicious objects: 0
    Duration of the scan process: 1471 sec

    Infected Object Name - Virus Name
    C:\!KillBox\web.exe Infected: Trojan-Downloader.Win32.Tibs.bv
    C:\lo-883434309.exe Infected: Trojan-Downloader.Win32.Tibs.bv
    C:\System Volume Information\_restore{90AC6B72-E1CF-4B78-AB99-3A41731FE67B}\RP8\A0000802.exe Infected: Trojan-Downloader.Win32.Zlob.bv
    C:\System Volume Information\_restore{90AC6B72-E1CF-4B78-AB99-3A41731FE67B}\RP9\A0002256.exe Infected: Trojan-Downloader.Win32.Tibs.bv
    C:\System Volume Information\_restore{90AC6B72-E1CF-4B78-AB99-3A41731FE67B}\RP9\A0002423.exe Infected: Trojan-PSW.Win32.Agent.eo
    C:\System Volume Information\_restore{90AC6B72-E1CF-4B78-AB99-3A41731FE67B}\RP9\A0002424.exe Infected: Trojan-Downloader.Win32.Tibs.bv
    C:\System Volume Information\_restore{90AC6B72-E1CF-4B78-AB99-3A41731FE67B}\RP9\A0002549.dll Infected: Trojan-Downloader.Win32.Zlob.fh
    C:\System Volume Information\_restore{90AC6B72-E1CF-4B78-AB99-3A41731FE67B}\RP9\A0002550.dll Infected: Trojan-Downloader.Win32.Zlob.fh
    C:\System Volume Information\_restore{90AC6B72-E1CF-4B78-AB99-3A41731FE67B}\RP9\A0002552.dll Infected: Trojan-Downloader.Win32.Zlob.fh
    C:\System Volume Information\_restore{90AC6B72-E1CF-4B78-AB99-3A41731FE67B}\RP9\A0002559.exe Infected: Trojan-Downloader.Win32.Zlob.fj
    C:\System Volume Information\_restore{90AC6B72-E1CF-4B78-AB99-3A41731FE67B}\RP9\A0002560.exe Infected: Trojan-Downloader.Win32.Zlob.fg
    C:\System Volume Information\_restore{90AC6B72-E1CF-4B78-AB99-3A41731FE67B}\RP9\A0002564.dll Infected: Trojan-Downloader.Win32.Zlob.fh
    C:\System Volume Information\_restore{90AC6B72-E1CF-4B78-AB99-3A41731FE67B}\RP9\A0002706.exe Infected: Trojan-Downloader.Win32.Tibs.bv
    C:\WINDOWS\system32\replmap.dll Infected: not-virus:Hoax.Win32.Renos.v

    Scan process completed.
     
Short URL to this thread: https://techguy.org/437167
