
Solved: Help Needed

Discussion in 'Virus & Other Malware Removal' started by Xtal, Jan 26, 2006.

  1. Xtal

    Xtal Thread Starter

    Joined:
    Jan 26, 2006
    Messages:
    21
    Hey, I have a problem with my comp and I'm hoping someone here can help!
    To be honest I'm not great with computers, so I hope you'll be patient with me.

    My problem is as follows: my background constantly changes to yellow, with a box in the center saying "your computer has been infected with spyware" and so on, and it has links to download AdwarePunisher! No matter how many times I change the background, this will always come back after a few seconds. Another thing that happens is Internet Explorer opening up randomly with http://statcash/sys/redirect.php?advID=15 in the address bar!

    Anyone have any ideas on how I can fix this??
     
  2. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    hi, welcome to TSG.

    Download HijackThis from the link below. Please do this. Click here:

    http://www.thespykiller.co.uk/files/hijackthis_sfx.exe

    to download HijackThis. Click scan and save a logfile, then post it here so
    we can take a look at it for you. Don't click fix on anything in HijackThis,
    as most of the files are legitimate.
     
  3. Xtal

    Xtal Thread Starter

    Joined:
    Jan 26, 2006
    Messages:
    21
    Logfile of HijackThis v1.99.1
    Scan saved at 14:38:32, on 26/01/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\system32\UAService7.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\system32\hphmon06.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Valve\Steam\Steam.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Yahoo!\Messenger\ypager.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\system32\shell386.exe
    C:\WINDOWS\system32\drwtsn32.exe
    C:\WINDOWS\system32\drwtsn32.exe
    C:\Documents and Settings\Gavin\Desktop\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nonstopsearch.com/?a=2&b=pol
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://nonstopsearch.com/?a=2&b=pol
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ie/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://nonstopsearch.com/?a=2&b=pol
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://nonstopsearch.com/?a=2&b=pol
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: winapi32.MyBHO - {B439D5EB-0A61-4ED9-8C8F-EC4148BB23F7} - C:\WINDOWS\system32\winapi32.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-7173706D1316} - C:\WINDOWS\System32\spm1316.dll (file missing)
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
    O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1100272947218
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: avras - C:\WINDOWS\SERVIC~1\avras.dll (file missing)
    O20 - Winlogon Notify: ipcab - C:\WINDOWS\security\Database\ipcab.dll (file missing)
    O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\kjdinmar.dll (file missing)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
     
  4. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    Before you proceed with the removal directions below you need to turn off MS
    Anti-Spyware's realtime protection as it will interfere with the changes we
    are trying to make.

    Open MS Anti-Spyware and click on Options > Settings. Click on "Realtime
    Protection" in the left pane.

    Remove the check by these:

    "Enable the Microsoft Security Agents on startup (recommended)"

    "Enable real-time spyware threat protection (recommended)"

    Click "Save"

    Now right click the MS Anti-spyware icon in your system tray and choose
    "Shutdown Microsoft Anti-Spyware"

    You should re-enable these when we are finished here.


    Also disable ewidoguard as well!



    You have two anti-virus programs running: AVG7 and Avast. Get rid of one and keep the other, as they will conflict with each other and make your computer unstable!



    You don't appear to have a firewall. Even if you have a router you still need
    a software firewall; download the one from the link below!

    Filseclab Personal Firewall Professional Edition

    http://www.filseclab.com/eng/download/downloads.htm

    http://www.wilderssecurity.com/showthread.php?t=92710




    Download the pocket killbox

    http://www.bleepingcomputer.com/files/killbox.php


    * Click here to download smitRem.zip.


    http://noahdfear.geekstogo.com/click counter/click.php?id=1




    * Save the file to your desktop.
    * Unzip smitRem.zip to extract the two files it contains.
    * Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.



    *Download Cleanup from Here


    http://www.stevengould.org/software/cleanup/download.html



    * A window will open; choose SAVE, then DESKTOP as the destination.
    * On your Desktop, click on Cleanup40.exe icon.
    * Then, click RUN and place a checkmark beside "I Agree"
    * Then click NEXT followed by START and OK.
    * A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
    * Click OK
    * DO NOT RUN IT YET



    * Download the trial version of Ewido Security Suite.

    http://www.ewido.net/en/


    * Install ewido.
    * During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    * Launch ewido
    * It will prompt you to update click the OK button and it will go to the main screen
    * On the left side of the main screen click update
    * Click on Start and let it update.
    * DO NOT run a scan yet. You will do that later in safe mode.



    * Click here for info on how to boot to safe mode if you don't already know how.


    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam



    * Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.


    * Restart your computer into safe mode now. Perform the following steps in safe mode:


    * Run HijackThis again and put a check by these. Close ALL windows except HijackThis and click "Fix checked":


    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nonstopsearch.com/?a=2&b=pol
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://nonstopsearch.com/?a=2&b=pol
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ie/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://nonstopsearch.com/?a=2&b=pol
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://nonstopsearch.com/?a=2&b=pol
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: winapi32.MyBHO - {B439D5EB-0A61-4ED9-8C8F-EC4148BB23F7} - C:\WINDOWS\system32\winapi32.dll
    O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-7173706D1316} - C:\WINDOWS\System32\spm1316.dll (file missing)
    O20 - Winlogon Notify: avras - C:\WINDOWS\SERVIC~1\avras.dll (file missing)
    O20 - Winlogon Notify: ipcab - C:\WINDOWS\security\Database\ipcab.dll (file missing)
    O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\kjdinmar.dll (file missing)



    Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill.
    In the Full Path of File to Delete box, copy and paste each of the following
    lines one at a time then click on the button that has the red circle with the
    X in the middle after you enter each file. It will ask for confirmation to
    delete the file. Click Yes. Continue with that same procedure until you have
    copied and pasted all of these in the Paste Full Path of File to Delete box.



    Note: It is possible that Killbox will tell you that one or more files do not
    exist. If that happens, just continue on with all the files. Be sure you
    don't miss any.



    C:\WINDOWS\system32\winapi32.dll
    C:\WINDOWS\system32\shell386.exe



    * Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
    Wait for the tool to complete and disk cleanup to finish.



    * Run Ewido:

    * Click on scanner
    * Click Complete System Scan and the scan will begin.
    * During the scan it will prompt you to clean files, click OK
    * When the scan is finished, look at the bottom of the screen and click the Save report button.
    * Save the report to your desktop


    * Run Cleanup:

    * Click on the "Cleanup" button and let it run.
    * Once it's done, close the program.


    * Go to Control Panel > Internet Options. Click on the Programs tab then
    click the "Reset Web Settings" button. Click Apply then OK.



    * Next go to Control Panel > Display. Click on the "Desktop" tab then click
    the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you
    should see an entry checked called something like "Security info" or similar.
    If it is there, select that entry and click the "Delete" button. Click OK
    then Apply and OK.


    * Restart back into Windows normally now.


    Run an online antivirus check from

    http://www.kaspersky.com/virusscanner



    * Run ActiveScan online virus scan here

    http://www.pandasoftware.com/products/activescan.htm


    When the scan is finished, have it delete anything that it cannot clean. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
    - Save the results from the scan!


    Post another HijackThis log, the ewido and ActiveScan logs, and
    the contents of smitfiles.txt from the smitRem folder.
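As an added triage example (not code from the thread, from HijackThis or from any of the tools named above), this Python script applies the same three checks khazars used when picking lines out of the posted log: R0/R1 search and start-page URLs pointing at an unexpected host, O2 BHOs loaded from a bare DLL in system32 or with a missing file, and O20 Winlogon Notify entries whose DLL is missing. The sample lines are copied from the log earlier in the thread; the expected-host allowlist and the severity labels are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: lines copied from the HijackThis log posted earlier in the
# thread, with benign entries from the same log mixed in so the triage has
# something to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nonstopsearch.com/?a=2&b=pol
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: winapi32.MyBHO - {B439D5EB-0A61-4ED9-8C8F-EC4148BB23F7} - C:\WINDOWS\system32\winapi32.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-7173706D1316} - C:\WINDOWS\System32\spm1316.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: avras - C:\WINDOWS\SERVIC~1\avras.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# "R1 - ..." / "O20 - ...": section code, then the entry body.
LINE_RE = re.compile(r"^(?P<kind>R\d|O\d+) - (?P<body>.*)$")

# Hosts a start/search page may legitimately point at on this machine
# (assumed allowlist; the thread shows www.msn.ie as the user's own start page).
EXPECTED_HOSTS = {"www.msn.ie", "www.msn.com", "www.microsoft.com"}

# A DLL sitting directly in %SystemRoot%\system32 rather than under a vendor folder.
BARE_SYSTEM32_RE = re.compile(r"^[A-Z]:\\WINDOWS\\SYSTEM32\\[^\\]+$", re.IGNORECASE)

FILE_MISSING = "(file missing)"


def parse(text):
    """Return (kind, body, raw_line) for every HijackThis-style entry in text."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group("kind"), m.group("body"), line))
    return entries


def url_value(body):
    """Value of an R0/R1 entry: everything after the first '=' (may be empty)."""
    _, _, value = body.partition("=")
    return value.strip()


def module_path(body):
    """Path from the last ' - ' field of an O2/O20 entry, plus a missing-file flag."""
    field = body.rsplit(" - ", 1)[-1].strip()
    missing = field.endswith(FILE_MISSING)
    if missing:
        field = field[: -len(FILE_MISSING)].strip()
    return field.strip('"'), missing


def triage(text):
    """Apply the three checks used in the thread; returns (severity, kind, reason, raw)."""
    findings = []
    for kind, body, raw in parse(text):
        if kind in ("R0", "R1"):
            value = url_value(body)
            if value.startswith(("http://", "https://")):
                host = urlsplit(value).hostname or ""
                if host not in EXPECTED_HOSTS:
                    findings.append(("high", kind, f"search/start page points at {host}", raw))
        elif kind == "O2":
            path, missing = module_path(body)
            if missing:
                findings.append(("medium", kind, "BHO registered but its DLL is missing", raw))
            elif BARE_SYSTEM32_RE.match(path):
                findings.append(("high", kind, "BHO loaded from a bare DLL in system32", raw))
        elif kind == "O20":
            _, missing = module_path(body)
            if missing:
                findings.append(("medium", kind, "Winlogon Notify entry points at a missing DLL", raw))
    return findings


if __name__ == "__main__":
    for severity, kind, reason, raw in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {kind:3} {reason}\n         {raw}")
```

Run against the sample it flags exactly the four lines khazars told the poster to fix (the nonstopsearch.com SearchURL, the two BHOs and the avras Winlogon Notify entry) and ignores the PC Tools BHO, the avast! Run key and the NVIDIA service.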
     
  5. Xtal

    Xtal Thread Starter

    Joined:
    Jan 26, 2006
    Messages:
    21
    Did everything you said; all the logs are posted below, although there was no smitfiles.txt in the smitRem folder!

    Logfile of HijackThis v1.99.1
    Scan saved at 17:44:05, on 26/01/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\system32\UAService7.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\system32\hphmon06.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Valve\Steam\Steam.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\SYSTEM32\notepad.exe
    C:\Program Files\Winamp\Winamp.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Gavin\Desktop\HJT\HijackThis.exe

    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
    O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1100272947218
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe



     
  6. Xtal

    Xtal Thread Starter

    Joined:
    Jan 26, 2006
    Messages:
    21
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 16:35:06, 26/01/2006
    + Report-Checksum: 30911005

    + Scan result:

    HKLM\SOFTWARE\Classes\ddm_download.ddm_control -> Spyware.Adlogix : Cleaned with backup
    HKLM\SOFTWARE\Classes\ddm_download.ddm_control\Clsid -> Spyware.Adlogix : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{2BDB4DA9-94FE-4034-AAC5-CEECDCB3A33B} -> Spyware.Adlogix : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{4D8E41A8-EC1F-4C53-A10D-9120232C71BB} -> Spyware.Adlogix : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{CF021F3F-3E14-23A5-CBA2-7173706D1316} -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\SPM1316.SPM1316 -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\SPM1316.SPM1316\CurVer -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\SPM1316.SPM1316.1 -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{CF021F32-3E14-23A5-CBA2-7173706D1316} -> Spyware.CoolWebSearch : Cleaned with backup
    HKU\S-1-5-21-3407342370-1750163401-2417308566-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CF021F40-3E14-23A5-CBA2-7173706D1316} -> Spyware.MakeMeSearch : Cleaned with backup
    HKU\S-1-5-21-3407342370-1750163401-2417308566-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CF021F40-3E14-23A5-CBA2-7173706D1316} -> Spyware.MakeMeSearch : Cleaned with backup
    :mozilla.15:C:\Documents and Settings\Gavin\Application Data\Mozilla\Firefox\Profiles\jis7bzh9.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
    :mozilla.30:C:\Documents and Settings\Gavin\Application Data\Mozilla\Firefox\Profiles\jis7bzh9.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    :mozilla.31:C:\Documents and Settings\Gavin\Application Data\Mozilla\Firefox\Profiles\jis7bzh9.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    :mozilla.32:C:\Documents and Settings\Gavin\Application Data\Mozilla\Firefox\Profiles\jis7bzh9.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    :mozilla.33:C:\Documents and Settings\Gavin\Application Data\Mozilla\Firefox\Profiles\jis7bzh9.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    :mozilla.34:C:\Documents and Settings\Gavin\Application Data\Mozilla\Firefox\Profiles\jis7bzh9.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    :mozilla.42:C:\Documents and Settings\Gavin\Application Data\Mozilla\Firefox\Profiles\jis7bzh9.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
    :mozilla.49:C:\Documents and Settings\Gavin\Application Data\Mozilla\Firefox\Profiles\jis7bzh9.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
    :mozilla.50:C:\Documents and Settings\Gavin\Application Data\Mozilla\Firefox\Profiles\jis7bzh9.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
    :mozilla.51:C:\Documents and Settings\Gavin\Application Data\Mozilla\Firefox\Profiles\jis7bzh9.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
    :mozilla.52:C:\Documents and Settings\Gavin\Application Data\Mozilla\Firefox\Profiles\jis7bzh9.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
    :mozilla.53:C:\Documents and Settings\Gavin\Application Data\Mozilla\Firefox\Profiles\jis7bzh9.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
    :mozilla.55:C:\Documents and Settings\Gavin\Application Data\Mozilla\Firefox\Profiles\jis7bzh9.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
    :mozilla.60:C:\Documents and Settings\Gavin\Application Data\Mozilla\Firefox\Profiles\jis7bzh9.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
    C:\Documents and Settings\Gavin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-593ebb39-71ef1ea5.class -> Downloader.OpenStream.y : Cleaned with backup
    C:\Documents and Settings\Gavin\Cookies\[email protected][1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\Gavin\Cookies\[email protected][1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
    C:\Documents and Settings\Gavin\Cookies\[email protected][1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
    C:\Documents and Settings\Gavin\Cookies\[email protected][1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
    C:\Documents and Settings\Gavin\Cookies\[email protected][1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
    C:\Documents and Settings\Gavin\Cookies\[email protected][2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
    C:\Documents and Settings\Gavin\Cookies\[email protected][1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
    C:\Documents and Settings\Karl\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Karl\Cookies\[email protected][2].txt -> Spyware.Cookie.Com : Cleaned with backup
    C:\Documents and Settings\Karl\Cookies\[email protected][1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
    C:\Documents and Settings\Karl\Cookies\[email protected][1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\6BC3F307-D098-4FBD-9977-3D9BDA\E7F95CBE-7AE4-4134-A006-0F75BB -> Spyware.VirtualBouncer : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\897322DD-A22E-49BF-B8E4-71C63E\868E35C0-3772-4754-AE96-2DA49E -> Spyware.NavExcel : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\897322DD-A22E-49BF-B8E4-71C63E\9EEC2874-ED23-48B7-A050-2AAA68 -> Adware.NavExcel : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP798\A0120580.dll -> Spyware.NavExcel : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP798\A0120583.exe -> Adware.SAHA : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP799\A0121526.exe -> Adware.CashDeluxe : Cleaned with backup
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP799\A0121682.exe -> Adware.CashDeluxe : Cleaned with backup
    C:\WINDOWS\SYSTEM32\70tovmto.ini -> Adware.SAHA : Cleaned with backup
    C:\WINDOWS\SYSTEM32\c36bHs.dll/bi.dll -> Trojan.Bispy.A : Cleaned with backup
    C:\WINDOWS\SYSTEM32\c36bHs.dll/biprep.exe -> Trojan.Bispy.B : Cleaned with backup
    C:\WINDOWS\SYSTEM32\c36bHs.dll/bi.dll -> Trojan.Bispy.A : Cleaned with backup
    C:\WINDOWS\SYSTEM32\c36bHs.dll/biprep.exe -> Trojan.Bispy.B : Cleaned with backup
    C:\WINDOWS\SYSTEM32\intxt.exe -> Adware.CashDeluxe : Cleaned with backup


    ::Report End



    Incident Status Location

    Adware:adware/cashdeluxe Not disinfected C:\WINDOWS\SYSTEM32\mswinb32.dll
    Adware:adware/startpage.aao Not disinfected C:\WINDOWS\SYSTEM32\wuclient.dat
    Spyware:spyware/betterinet Not disinfected C:\WINDOWS\INF\biini.inf
    Adware:adware/razespyware Not disinfected C:\WINDOWS\adw.htm
    Adware:adware/gator Not disinfected C:\WINDOWS\GatorHDPlugin.log-old.log
    Adware:adware/twain-tech Not disinfected C:\WINDOWS\satmat.ini
    Adware:adware/atlas Not disinfected C:\WINDOWS\switpc.dat
    Adware:adware/dollarrevenue Not disinfected C:\PROGRAM FILES\COMMON FILES\VCClient
    Adware:adware/kudd Not disinfected Windows Registry
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Gavin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.jar-31224f6f-4664e667.zip[BlackBox.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Gavin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.jar-31224f6f-4664e667.zip[VerifierBug.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Gavin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.jar-31224f6f-4664e667.zip[Dummy.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Gavin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-638a4d15-1109f14b.zip[BlackBox.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Gavin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-638a4d15-1109f14b.zip[VB.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Gavin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-638a4d15-1109f14b.zip[Dummy.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Gavin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-638a4d15-1109f14b.zip[Beyond.class]
    Virus:Trj/ClassLoader.U Disinfected C:\Documents and Settings\Gavin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-5211f23a-28707304.zip[BlackBox.class]
    Virus:Trj/ClassLoader.V Disinfected C:\Documents and Settings\Gavin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-5211f23a-28707304.zip[VB.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Gavin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-5211f23a-28707304.zip[Dummy.class]
    Virus:Trj/Downloader.HAS Disinfected C:\Documents and Settings\Gavin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-5211f23a-28707304.zip[Beyond.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Gavin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1f8050ce-437676f7.zip[GetAccess.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Gavin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1f8050ce-437676f7.zip[InsecureClassLoader.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Gavin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1f8050ce-437676f7.zip[Dummy.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Gavin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1f8050ce-437676f7.zip[Installer.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Gavin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-32d69727-33f67b6f.zip[GetAccess.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Gavin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-32d69727-33f67b6f.zip[InsecureClassLoader.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Gavin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-32d69727-33f67b6f.zip[Dummy.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Gavin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-32d69727-33f67b6f.zip[Installer.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Gavin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv314.jar-5ed3b975-5433c0de.zip[Counter.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Gavin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv314.jar-5ed3b975-5433c0de.zip[Dummy.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Gavin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv314.jar-5ed3b975-5433c0de.zip[Matrix.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Gavin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv314.jar-5ed3b975-5433c0de.zip[Parser.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Gavin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv343.jar-63e42bd1-25158fb9.zip[Counter.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Gavin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv343.jar-63e42bd1-25158fb9.zip[Dummy.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Gavin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv343.jar-63e42bd1-25158fb9.zip[Matrix.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Gavin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv343.jar-63e42bd1-25158fb9.zip[Parser.class]
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Gavin\Desktop\smitRem\Process.exe
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Gavin\Desktop\smitRem.exe[Process.exe]
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Gavin\Local Settings\Application Data\Mozilla\Firefox\Profiles\jis7bzh9.default\Cache\3EFBEAA3d01[Process.exe]
    Adware:Adware/AzeSearch Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\4FDAB70F-D112-477E-A64C-F2332C\614276D4-09CB-47D0-88ED-0CD770
    Adware:Adware/Ucmore Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\9F8FE6AE-30A8-432E-BEAC-18EE5D\4AE99037-F1A3-42FC-BD63-B477EE
    Adware:Adware/Ucmore Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\9F8FE6AE-30A8-432E-BEAC-18EE5D\EAD9D98D-F90D-4C97-BB7E-B329FA
    Adware:Adware/AzeSearch Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\F4714DB7-1F67-4F73-BF31-E63E2E\38F904D2-77C1-4B3B-9D37-DF028D
    Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\INF\biH.inf
    Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\INF\biini.inf
    Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\INF\satmat.inf
    Adware:Adware/IPInsight Not disinfected C:\WINDOWS\satmat.ini
    Adware:Adware/VirtualBouncer Not disinfected C:\WINDOWS\SYSTEM32\BO2803040113.exe
     
  7. Xtal

    Xtal Thread Starter

    Joined:
    Jan 26, 2006
    Messages:
    21
    Actually, I just found the smitRem files; it's as follows:


    smitRem © log file
    version 2.8

    by noahdfear


    Microsoft Windows XP [Version 5.1.2600]
    The current date is: 26/01/2006
    The current time is: 15:38:44.37

    Running from
    C:\Documents and Settings\Gavin\Desktop\smitRem
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    checking for ShudderLTD key

    ShudderLTD key not present!

    checking for PSGuard.com key


    PSGuard.com key not present!


    checking for WinHound.com key


    WinHound.com key not present!

    spyaxe uninstaller NOT present
    Winhound uninstaller NOT present
    SpywareStrike uninstaller NOT present

    Existing Pre-run Files


    ~~~ Program Files ~~~



    ~~~ Shortcuts ~~~



    ~~~ Favorites ~~~



    ~~~ system32 folder ~~~



    ~~~ Icons in System32 ~~~



    ~~~ Windows directory ~~~



    ~~~ Drive root ~~~


    ~~~ Miscellaneous Files/folders ~~~




    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 [email protected]
    Killing PID 756 'explorer.exe'
    Killing PID 756 'explorer.exe'

    Starting registry repairs

    Registry repairs complete

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    SharedTask Export after registry fix

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


    Deleting files


    Remaining Post-run Files


    ~~~ Program Files ~~~



    ~~~ Shortcuts ~~~



    ~~~ Favorites ~~~



    ~~~ system32 folder ~~~



    ~~~ Icons in System32 ~~~



    ~~~ Windows directory ~~~



    ~~~ Drive root ~~~



    ~~~ Miscellaneous Files/folders ~~~




    ~~~ Wininet.dll ~~~

    CLEAN! :)
     
  8. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    * Restart your computer into safe mode now. Perform the following steps in
    safe mode:


    Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill.
    In the Full Path of File to Delete box, copy and paste each of the following
    lines one at a time then click on the button that has the red circle with the
    X in the middle after you enter each file. It will ask for confirmation to
    delete the file. Click Yes. Continue with that same procedure until you have
    copied and pasted all of these in the Paste Full Path of File to Delete box.



    Note: It is possible that Killbox will tell you that one or more files do not
    exist. If that happens, just continue on with all the files. Be sure you
    don't miss any.



    C:\WINDOWS\SYSTEM32\mswinb32.dll
    C:\WINDOWS\SYSTEM32\wuclient.dat
    C:\WINDOWS\INF\biini.inf
    C:\WINDOWS\adw.htm
    C:\WINDOWS\GatorHDPlugin.log-old.log
    C:\WINDOWS\satmat.ini
    C:\WINDOWS\switpc.dat
    C:\WINDOWS\INF\biH.inf
    C:\WINDOWS\INF\biini.inf
    C:\WINDOWS\INF\satmat.inf
    C:\WINDOWS\SYSTEM32\BO2803040113.exe


    Reboot back to normal mode and download and run these tools!



    Please download WebRoot SpySweeper from HERE (It's a 2 week trial):

    http://www.webroot.com/consumer/products/spysweeper/index.html?acode=af1&rc=4129


    * Click the Free Trial link under "Downloads/SpySweeper" to download the program.
    * Install it. Once the program is installed, it will open.
    * It will prompt you to update to the latest definitions, click Yes.
    * Once the definitions are installed, click Options on the left side.
    * Click the Sweep Options tab.
    * Under What to Sweep please put a check next to the following:
    o Sweep Memory
    o Sweep Registry
    o Sweep Cookies
    o Sweep All User Accounts
    o Enable Direct Disk Sweeping
    o Sweep Contents of Compressed Files
    o Sweep for Rootkits
    o Please UNCHECK Do not Sweep System Restore Folder.
    * Click Sweep Now on the left side.
    * Click the Start button.
    * When it's done scanning, click the Next button.
    * Make sure everything has a check next to it, then click the Next button.
    * It will remove all of the items found.
    * Click Session Log in the upper right corner, copy everything in that window.
    * Click the Summary tab and click Finish.
    * Paste the contents of the session log you copied into your next reply.




    Go to this site and download these tools, and once you get both
    Ad-Aware SE 1.6 and Spybot, update both of them.

    Set Ad-Aware to do a full system scan and deselect "search for negligible risk
    entries". Click Next to start the scan. Delete everything Ad-Aware finds.

    Reboot and now run Spybot.

    Spybot: Search and destroy.

    Delete what Spybot finds marked in red. After updating Spybot, hit the
    Immunize button.

    Reboot again.


    With CWShredder, close all browsers and programmes and select the FIX button.



    Go here and download Microsoft AntiSpyware Beta. First, in the top menu click
    File, then Check for updates to download the definitions updates.

    After updating look in the right side of the main window under "Run Quick
    Scan Now" and click Spyware scan options. In that window put a tick by Run a
    full system scan and then put a check by all three options below that then
    click Run Scan now.

    When the scan is finished, let it fix anything that it finds (have it
    quarantine the items that have that option rather than delete, just in case;
    it is a beta program and there may be false positives).

    Restart your computer.


    All tools can be downloaded at the link below and found on that page!


    * Trend Micro CWShredder
    * Spybot Search & Destroy
    * Ad-Aware SE Personal


    http://www.majorgeeks.com/downloads31.html



    Also post a new Hijack This log and the spysweeper log!
     
  9. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    Also do this to make your computer run faster!


    Go to Start > Run, type msconfig, tick the Selective Startup radio button, click
    the Startup tab, uncheck these boxes, then click OK and then Exit!


    PCMService
    DVDSentry
    NeroFilterCheck
    QuickTime Task
    nwiz
    HPDJ Taskbar Utility
    HP Software Update
    Component Manager
    HPHmon06
    NvMediaCenter
    WinampAgent
    Yahoo! Pager
    WinZip


    Put this file below through Killbox!

    C:\PROGRAM FILES\COMMON FILES\VCClient
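    The two posts above hand the reader a list of paths to delete with Killbox and a list of startup entries to untick in msconfig. The script below is an added verification example, not something from this thread or from any of the tools khazars names: it re-checks, on a current Windows host with PowerShell, whether any of the listed paths are still present and lists the Run-key autostart entries (the same entries msconfig and the HijackThis O4 lines show), flagging the names from the msconfig list. The path and name lists are copied from the posts; the script structure and the output wording are this example's own assumptions.

```powershell
# Added example, not from the thread. Post-cleanup verification:
# 1. are any of the paths given for Killbox still on disk?
# 2. which Run-key autostart entries exist, and which are on the msconfig list?
# Assumes a modern Windows host with PowerShell and read access to HKLM/HKCU.

# Paths from the Killbox post (post 8) plus the VCClient folder from post 9.
$KillboxPaths = @(
    'C:\WINDOWS\SYSTEM32\mswinb32.dll',
    'C:\WINDOWS\SYSTEM32\wuclient.dat',
    'C:\WINDOWS\INF\biini.inf',
    'C:\WINDOWS\adw.htm',
    'C:\WINDOWS\GatorHDPlugin.log-old.log',
    'C:\WINDOWS\satmat.ini',
    'C:\WINDOWS\switpc.dat',
    'C:\WINDOWS\INF\biH.inf',
    'C:\WINDOWS\INF\satmat.inf',
    'C:\WINDOWS\SYSTEM32\BO2803040113.exe',
    'C:\PROGRAM FILES\COMMON FILES\VCClient'
)

# Startup item names from the msconfig post (post 9).
$StartupNames = @(
    'PCMService', 'DVDSentry', 'NeroFilterCheck', 'QuickTime Task', 'nwiz',
    'HPDJ Taskbar Utility', 'HP Software Update', 'Component Manager',
    'HPHmon06', 'NvMediaCenter', 'WinampAgent', 'Yahoo! Pager', 'WinZip'
)

# --- 1. Listed files/folders that survived the Killbox step -----------------
# -LiteralPath so that nothing in a path is treated as a wildcard.
$Remaining = $KillboxPaths | Where-Object { Test-Path -LiteralPath $_ }
if ($Remaining) {
    Write-Output 'Still present (Killbox step not complete):'
    $Remaining | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output 'None of the listed Killbox paths remain.'
}

# --- 2. Run-key autostart entries, with the msconfig names flagged ----------
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($Key in $RunKeys) {
    if (-not (Test-Path -LiteralPath $Key)) { continue }
    $Props = Get-ItemProperty -LiteralPath $Key
    # Get-ItemProperty adds PSPath/PSParentPath/... bookkeeping members; skip them.
    $Names = $Props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        Select-Object -ExpandProperty Name
    foreach ($Name in $Names) {
        $Flag = if ($StartupNames -contains $Name) { '<- on msconfig list' } else { '' }
        Write-Output ('{0} : {1} = {2} {3}' -f $Key, $Name, $Props.$Name, $Flag)
    }
}
```

Run it from an elevated PowerShell after the reboot; a path still reported as present means the safe-mode Killbox pass needs repeating, and a Run entry still flagged means msconfig's "Selective Startup" did not take (msconfig only hides entries; it does not remove the value from the key).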
     
  10. Xtal

    Xtal Thread Starter

    Joined:
    Jan 26, 2006
    Messages:
    21
    Logfile of HijackThis v1.99.1
    Scan saved at 22:29:39, on 26/01/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
    C:\WINDOWS\system32\UAService7.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\system32\hphmon06.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Valve\Steam\Steam.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Gavin\Desktop\HJT\HijackThis.exe

    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1100272947218
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

    ********
    18:59: | Start of Session, 26 January 2006 |
    18:59: Spy Sweeper started
    18:59: Sweep initiated using definitions version 606
    18:59: Starting Memory Sweep
    19:03: Memory Sweep Complete, Elapsed Time: 00:03:32
    19:03: Starting Registry Sweep
    19:03: Found Adware: adlogix
    19:03: HKCR\clsid\{f5192746-22d6-41bd-9d2d-1e75d14fbd3c}\ (28 subtraces) (ID = 102884)
    19:03: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/test.ocx\ (2 subtraces) (ID = 103108)
    19:03: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\test.ocx (ID = 103141)
    19:03: Found Adware: cws_ns3
    19:03: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\webdlg32.dll (ID = 123378)
    19:03: Found Trojan Horse: trojan_backdoor_retro64
    19:03: HKCR\interface\{450b9e4d-4014-4de3-b34e-014a81468293}\ (8 subtraces) (ID = 144995)
    19:03: HKLM\software\classes\interface\{450b9e4d-4014-4de3-b34e-014a81468293}\ (8 subtraces) (ID = 145000)
    19:03: HKLM\software\classes\typelib\{c7f00a9a-f1bc-436e-82c7-e8cae6fd67f7}\ (9 subtraces) (ID = 145003)
    19:03: HKCR\typelib\{c7f00a9a-f1bc-436e-82c7-e8cae6fd67f7}\ (9 subtraces) (ID = 145004)
    19:03: Found Adware: winad
    19:03: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/adtoolsx.dll\ (2 subtraces) (ID = 147188)
    19:03: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\adtoolsx.dll (ID = 147215)
    19:03: Found Adware: interads
    19:03: HKLM\software\interads\ (20545 subtraces) (ID = 645794)
    19:03: Found Trojan Horse: trojan-downloader-conhook
    19:03: HKCR\clsid\{8e13dde1-e013-47ec-9c4c-27c2f78bdd26}\ (3 subtraces) (ID = 834750)
    19:03: HKLM\software\classes\clsid\{8e13dde1-e013-47ec-9c4c-27c2f78bdd26}\ (3 subtraces) (ID = 834754)
    19:03: Found Adware: cashdeluxe
    19:03: HKCR\winapi32.intelinks\ (3 subtraces) (ID = 1106874)
    19:03: HKCR\winapi32.mybaner\ (3 subtraces) (ID = 1106878)
    19:03: HKCR\winapi32.mybho\ (3 subtraces) (ID = 1106882)
    19:03: HKLM\software\classes\winapi32.intelinks\ (3 subtraces) (ID = 1106938)
    19:03: HKLM\software\classes\winapi32.mybaner\ (3 subtraces) (ID = 1106942)
    19:03: HKLM\software\classes\winapi32.mybho\ (3 subtraces) (ID = 1106946)
    19:03: HKCR\clsid\{1c044aad-7955-4cbd-8175-501a165c4e5d}\ (2 subtraces) (ID = 1124641)
    19:03: HKLM\software\classes\clsid\{1c044aad-7955-4cbd-8175-501a165c4e5d}\ (2 subtraces) (ID = 1124644)
    19:03: Found Adware: internetoptimizer
    19:03: HKU\WRSS_Profile_S-1-5-21-3407342370-1750163401-2417308566-1010\software\avenue media\ (ID = 128887)
    19:03: HKU\WRSS_Profile_S-1-5-21-3407342370-1750163401-2417308566-1009\software\avenue media\ (ID = 128887)
    19:03: Found Adware: 180search assistant/zango
    19:03: HKU\WRSS_Profile_S-1-5-21-3407342370-1750163401-2417308566-1009\software\180solutions\ (7 subtraces) (ID = 135617)
    19:03: Found Adware: ist sidefind
    19:03: HKU\WRSS_Profile_S-1-5-21-3407342370-1750163401-2417308566-1009\software\microsoft\internet explorer\extensions\cmdmapping\ || {10e42047-deb9-4535-a118-b3f6ec39b807} (ID = 141778)
    19:03: Found Adware: twain-tech
    19:03: HKU\WRSS_Profile_S-1-5-21-3407342370-1750163401-2417308566-1009\software\mxtarget\ (6 subtraces) (ID = 145343)
    19:03: Found Adware: dapsol dialer
    19:03: HKU\WRSS_Profile_S-1-5-21-3407342370-1750163401-2417308566-1008\software\microsoft\internet explorer\main\ || conc (ID = 124673)
    19:03: HKU\WRSS_Profile_S-1-5-21-3407342370-1750163401-2417308566-1008\software\avenue media\ (ID = 128887)
    19:03: HKU\WRSS_Profile_S-1-5-21-3407342370-1750163401-2417308566-1008\software\microsoft\internet explorer\extensions\cmdmapping\ || {10e42047-deb9-4535-a118-b3f6ec39b807} (ID = 141778)
    19:03: Found Adware: tibs dialer
    19:03: HKU\WRSS_Profile_S-1-5-21-3407342370-1750163401-2417308566-1008\software\websiteviewer\ (2 subtraces) (ID = 143751)
    19:03: Found Adware: trojan-svs_nonstopsearch.com hijacker
    19:03: HKU\WRSS_Profile_S-1-5-21-3407342370-1750163401-2417308566-1008\software\microsoft\internet explorer\main\ || start page (ID = 144963)
    19:03: HKU\WRSS_Profile_S-1-5-21-3407342370-1750163401-2417308566-1008\software\microsoft\internet explorer\main\ || start page (ID = 144964)
    19:03: HKU\WRSS_Profile_S-1-5-21-3407342370-1750163401-2417308566-1008\software\microsoft\internet explorer\searchurl\ || searchurl (ID = 144969)
    19:03: HKU\WRSS_Profile_S-1-5-21-3407342370-1750163401-2417308566-1008\software\microsoft\internet explorer\ || searchurl (ID = 144971)
    19:03: Found Trojan Horse: trojan_downloader_svs
    19:03: HKU\WRSS_Profile_S-1-5-21-3407342370-1750163401-2417308566-1008\software\microsoft\windows\currentversion\run\ || windows update client (ID = 145058)
    19:03: Found Adware: tubby toolbar
    19:03: HKU\WRSS_Profile_S-1-5-21-3407342370-1750163401-2417308566-1008\software\mtc mtc\ (6 subtraces) (ID = 145274)
    19:03: HKU\WRSS_Profile_S-1-5-21-3407342370-1750163401-2417308566-1008\software\mxtarget\ (15 subtraces) (ID = 145343)
    19:03: HKU\WRSS_Profile_S-1-5-21-3407342370-1750163401-2417308566-1007\software\microsoft\internet explorer\main\ || conc (ID = 124673)
    19:03: Found Adware: iwantsearch
    19:03: HKU\WRSS_Profile_S-1-5-21-3407342370-1750163401-2417308566-1007\software\microsoft\internet explorer\urlsearchhooks\ || {30192f8d-0958-44e6-b54d-331fd39ac959} (ID = 125909)
    19:03: Found Adware: ez-finder toolbar
    19:03: HKU\WRSS_Profile_S-1-5-21-3407342370-1750163401-2417308566-1007\software\microsoft\internet explorer\urlsearchhooks\ || {30192f8d-0958-44e6-b54d-331fd39ac959} (ID = 125909)
    19:03: HKU\WRSS_Profile_S-1-5-21-3407342370-1750163401-2417308566-1007\software\serg\ (2 subtraces) (ID = 125912)
    19:03: HKU\WRSS_Profile_S-1-5-21-3407342370-1750163401-2417308566-1007\software\serg\ (2 subtraces) (ID = 125912)
    19:03: HKU\WRSS_Profile_S-1-5-21-3407342370-1750163401-2417308566-1007\software\avenue media\ (ID = 128887)
    19:03: HKU\WRSS_Profile_S-1-5-21-3407342370-1750163401-2417308566-1007\software\microsoft\internet explorer\main\ || search bar (ID = 144961)
    19:03: HKU\WRSS_Profile_S-1-5-21-3407342370-1750163401-2417308566-1007\software\microsoft\internet explorer\main\ || start page (ID = 144963)
    19:03: HKU\WRSS_Profile_S-1-5-21-3407342370-1750163401-2417308566-1007\software\microsoft\internet explorer\main\ || start page (ID = 144964)
    19:03: HKU\WRSS_Profile_S-1-5-21-3407342370-1750163401-2417308566-1007\software\microsoft\internet explorer\searchurl\ || searchurl (ID = 144969)
    19:03: HKU\WRSS_Profile_S-1-5-21-3407342370-1750163401-2417308566-1007\software\microsoft\internet explorer\ || searchurl (ID = 144971)
    19:03: HKU\WRSS_Profile_S-1-5-21-3407342370-1750163401-2417308566-1007\software\microsoft\windows\currentversion\run\ || windows update client (ID = 145058)
    19:03: HKU\WRSS_Profile_S-1-5-21-3407342370-1750163401-2417308566-1007\software\mtc mtc\ (6 subtraces) (ID = 145274)
    19:03: HKU\WRSS_Profile_S-1-5-21-3407342370-1750163401-2417308566-1007\software\mxtarget\ (21 subtraces) (ID = 145343)
    19:03: Found Adware: kudd.com adware
    19:03: HKU\S-1-5-21-3407342370-1750163401-2417308566-1006\software\northcode inc\swf studio\variables\chooseyourpresident\ (1 subtraces) (ID = 129719)
    19:03: HKU\S-1-5-21-3407342370-1750163401-2417308566-1006\software\northcode inc\swf studio\variables\faces-of-bush\ (1 subtraces) (ID = 129720)
    19:03: HKU\S-1-5-20\software\microsoft\internet explorer\main\ || search bar (ID = 144961)
    19:03: HKU\S-1-5-20\software\microsoft\internet explorer\main\ || search page (ID = 144962)
    19:03: HKU\S-1-5-20\software\microsoft\internet explorer\search\ || searchassistant (ID = 144967)
    19:03: HKU\S-1-5-20\software\microsoft\internet explorer\searchurl\ || searchurl (ID = 144969)
    19:03: HKU\S-1-5-20\software\microsoft\internet explorer\ || searchurl (ID = 144971)
    19:03: HKU\S-1-5-19\software\microsoft\internet explorer\main\ || search bar (ID = 144961)
    19:03: HKU\S-1-5-19\software\microsoft\internet explorer\main\ || search page (ID = 144962)
    19:03: HKU\S-1-5-19\software\microsoft\internet explorer\search\ || searchassistant (ID = 144967)
    19:03: HKU\S-1-5-19\software\microsoft\internet explorer\searchurl\ || searchurl (ID = 144969)
    19:03: HKU\S-1-5-19\software\microsoft\internet explorer\ || searchurl (ID = 144971)
    19:03: HKU\S-1-5-18\software\microsoft\internet explorer\main\ || search bar (ID = 144961)
    19:03: HKU\S-1-5-18\software\microsoft\internet explorer\search\ || searchassistant (ID = 144967)
    19:03: HKU\S-1-5-18\software\microsoft\internet explorer\searchurl\ || searchurl (ID = 144969)
    19:03: HKU\S-1-5-18\software\microsoft\internet explorer\ || searchurl (ID = 144971)
    19:03: Registry Sweep Complete, Elapsed Time:00:00:39
    19:03: Starting Cookie Sweep
    19:03: Found Spy Cookie: yieldmanager cookie
    19:03: [email protected][1].txt (ID = 3751)
    19:03: Found Spy Cookie: atlas dmt cookie
    19:03: [email protected][2].txt (ID = 2253)
    19:03: Found Spy Cookie: belnk cookie
    19:03: [email protected][1].txt (ID = 2292)
    19:03: [email protected][2].txt (ID = 2293)
    19:03: Found Spy Cookie: questionmarket cookie
    19:03: [email protected][1].txt (ID = 3217)
    19:03: Found Spy Cookie: webtrendslive cookie
    19:03: [email protected][1].txt (ID = 3667)
    19:03: Found Spy Cookie: tribalfusion cookie
    19:03: [email protected][1].txt (ID = 3589)
    19:03: Cookie Sweep Complete, Elapsed Time: 00:00:00
    19:03: Starting File Sweep
    19:04: Found Adware: surfsidekick
    19:04: c:\program files\common files\vcclient (6 subtraces) (ID = -2147461290)
    19:13: Found Adware: shopathomeselect
    19:13: tm97pj39.dat (ID = 75645)
    19:14: a0121790.exe (ID = 231213)
    19:20: Found Adware: zestyfind desktop links
    19:20: a0120577.exe (ID = 91155)
    19:25: gah95on6.ini (ID = 75741)
    19:25: kdlmjh8r.dat (ID = 75677)
    19:30: Found Adware: directrevenue-abetterinternet
    19:30: biini.inf (ID = 83199)
    19:30: satmat.ini (ID = 83499)
    19:30: Found Adware: atlas offeragent
    19:30: switpc.dat (ID = 50269)
    19:30: satmat.inf (ID = 83498)
    19:30: 50ec2ae4-3094-49c5-a196-89eb38 (ID = 83583)
    19:30: a0121878.inf (ID = 83199)
    19:30: a0121650.inf (ID = 83154)
    19:30: Found Adware: azsearch toolbar
    19:30: 614276d4-09cb-47d0-88ed-0cd770 (ID = 50329)
    19:30: a0121879.ini (ID = 83499)
    19:30: a0121881.inf (ID = 83498)
    19:30: Found Adware: effective-i toolbar
    19:30: ead9d98d-f90d-4c97-bb7e-b329fa (ID = 59855)
    19:30: 4ae99037-f1a3-42fc-bd63-b477ee (ID = 59838)
    19:30: bln02nqv.ini (ID = 75683)
    19:30: a0121788.ini (ID = 75621)
    19:30: 38f904d2-77c1-4b3b-9d37-df028d (ID = 50329)
    19:31: Warning: Invalid Stream
    19:31: Warning: Invalid Stream
    19:31: File Sweep Complete, Elapsed Time: 00:27:33
    19:31: Full Sweep has completed. Elapsed time 00:31:51
    19:31: Traces Found: 20809
    21:04: Removal process initiated
    21:04: Quarantining All Traces: 180search assistant/zango
    21:04: Quarantining All Traces: adlogix
    21:04: Quarantining All Traces: cws_ns3
    21:04: Quarantining All Traces: directrevenue-abetterinternet
    21:04: Quarantining All Traces: azsearch toolbar
    21:04: Quarantining All Traces: ez-finder toolbar
    21:04: Quarantining All Traces: internetoptimizer
    21:04: Quarantining All Traces: iwantsearch
    21:04: Quarantining All Traces: surfsidekick
    21:04: Quarantining All Traces: tibs dialer
    21:04: Quarantining All Traces: trojan_backdoor_retro64
    21:04: Quarantining All Traces: trojan_downloader_svs
    21:04: Quarantining All Traces: trojan-downloader-conhook
    21:04: Quarantining All Traces: winad
    21:04: Quarantining All Traces: atlas offeragent
    21:04: Quarantining All Traces: cashdeluxe
    21:04: Quarantining All Traces: dapsol dialer
    21:04: Quarantining All Traces: effective-i toolbar
    21:04: Quarantining All Traces: interads
    21:04: Quarantining All Traces: ist sidefind
    21:04: Quarantining All Traces: kudd.com adware
    21:04: Quarantining All Traces: shopathomeselect
    21:04: Quarantining All Traces: trojan-svs_nonstopsearch.com hijacker
    21:04: Quarantining All Traces: tubby toolbar
    21:04: Quarantining All Traces: twain-tech
    21:04: Quarantining All Traces: zestyfind desktop links
    21:04: Quarantining All Traces: atlas dmt cookie
    21:04: Quarantining All Traces: belnk cookie
    21:04: Quarantining All Traces: questionmarket cookie
    21:04: Quarantining All Traces: tribalfusion cookie
    21:04: Quarantining All Traces: webtrendslive cookie
    21:04: Quarantining All Traces: yieldmanager cookie
    21:05: Removal process completed. Elapsed time 00:00:27
    ********
    18:55: | Start of Session, 26 January 2006 |
    18:55: Spy Sweeper started
    18:58: Your spyware definitions have been updated.
    18:59: | End of Session, 26 January 2006 |
     
  11. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    clean log,

    how's the computer running now, any better?


    fix this one with HijackThis!


    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto


    you should now turn off system restore to flush out the bad restore points and
    then re-enable it and make a new clean restore point.


    How to turn off system restore

    http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam


    http://support.microsoft.com/default.aspx?scid=kb;[LN];310405


    here are some free tools to keep you from getting infected in the future.


    to stop reinfection get these two tools, SpywareGuard and SpywareBlaster,
    from


    http://www.javacoolsoftware.com/downloads.html


    get the hosts file from here.



    http://www.mvps.org/winhelp2002/hosts.htm


    put it into:


    Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
    Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
    Win 98\ME = C:\WINDOWS



    IE-SPYAD. Puts over 5000 sites in your restricted zone so you'll be protected
    when you visit innocent-looking sites that aren't actually innocent at all.

    https://netfiles.uiuc.edu/ehowes/www/resource.htm



    http://www.winpatrol.com/winpatrol.html


    Use Spybot's immunize button and use SpywareBlaster's enable
    protection once you update it. You can put Spybot's hosts file into
    your own and lock it.



    I would also suggest switching to Mozilla's Firefox browser; it's safer, has
    a built-in pop-up blocker, and blocks cookies and ads. Mozilla Thunderbird is also a good
    e-mail client.

    http://www.mozilla.org/


    Another good and free browser is Opera!

    http://www.opera.com/


    Read here to see how to tighten your security:

    http://forums.techguy.org/t208517.html


    A good overall guide for firewalls, anti-virus, and anti-trojans as well as
    regular spyware cleaners.

    http://www.firewallguide.com/anti-trojan.htm



    you can mark your own thread solved through thread tools at the top of
    the page.
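The hosts-file steps above (download a blocklist hosts file, put it in the per-version ETC path, and lock it) as an added worked example. This is editor-added Python, not a tool from the thread or anything khazars posted, and the existing hosts file and blocklist it operates on are constructed sample data. It goes a little beyond the post: a downloaded blocklist is validated first so that only sinkhole entries (0.0.0.0 or 127.0.0.1 against a well-formed hostname) are merged, and the current file is audited for names pointed at real addresses, which is how a hijacked hosts file redirects vendor and update sites. That hijack check and the hostname rule are the editor's additions, not something the post describes.

```python
"""Hosts-file blocklist install and audit (added example; all sample data is constructed)."""
import ipaddress
import os
import re
import stat

# Hosts-file locations by Windows generation, as listed in the post above.
HOSTS_PATHS = {"xp": r"C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts",
               "2k": r"C:\WINNT\SYSTEM32\DRIVERS\ETC\hosts",
               "98": r"C:\WINDOWS\hosts", "me": r"C:\WINDOWS\hosts"}

# Addresses a blocklist may point names at; anything else is a redirect, not a block.
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1"}

# RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$", re.I)


def hosts_path(windows_version):
    """Map 'XP', '2K', '98' or 'ME' to the hosts file location."""
    key = windows_version.strip().lower()
    if key not in HOSTS_PATHS:
        raise ValueError("unknown Windows version: %r" % windows_version)
    return HOSTS_PATHS[key]


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for each mapping; skips '#' comments and blanks."""
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            yield fields[0], name.lower(), n


def validate_blocklist(text):
    """Split a downloaded blocklist into (accepted, rejected) entries.
    Only 'sinkhole valid-hostname' lines pass; a blocklist must never remap
    localhost or point a name at a real address."""
    accepted, rejected = [], []
    for ip, name, n in parse_hosts(text):
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            rejected.append((n, ip, name, "not an IP address"))
            continue
        if ip not in SINKHOLES:
            rejected.append((n, ip, name, "maps to a non-sinkhole address"))
        elif name == "localhost" or not HOSTNAME_RE.match(name):
            rejected.append((n, ip, name, "bad hostname"))
        else:
            accepted.append((ip, name))
    return accepted, rejected


def merge_hosts(existing_text, blocklist_text):
    """Append validated blocklist entries to the existing hosts-file text.
    Existing lines stay verbatim and names already present are skipped, so a
    second merge adds nothing. Returns (new_text, added_lines)."""
    present = {name for _, name, _ in parse_hosts(existing_text)}
    added = []
    for ip, name in validate_blocklist(blocklist_text)[0]:
        if name not in present:
            present.add(name)
            added.append("%s %s" % (ip, name))
    merged = existing_text.rstrip("\n") + "\n"
    if added:
        merged += "# --- blocklist entries added by merge_hosts ---\n" + "\n".join(added) + "\n"
    return merged, added


def audit_hosts(text):
    """Entries that send a name to a non-sinkhole address: the mark of a
    hijacked hosts file (vendor or update sites redirected to an attacker)."""
    return [(n, ip, name) for ip, name, n in parse_hosts(text) if ip not in SINKHOLES]


def is_blocked(text, hostname):
    """True if the hosts-file text sinkholes the given name (case-insensitive)."""
    hostname = hostname.lower()
    return any(name == hostname and ip in SINKHOLES for ip, name, _ in parse_hosts(text))


def install_hosts(path, text):
    """Write the merged file and set it read-only: the post's 'lock it' step.
    Needs administrator rights on the real path."""
    if os.path.exists(path):
        os.chmod(path, stat.S_IREAD | stat.S_IWRITE)  # unlock before rewriting
    with open(path, "w", newline="\n") as f:
        f.write(text)
    os.chmod(path, stat.S_IREAD)


# Constructed sample data (not from the thread): a current hosts file carrying one
# hijack-style redirect, and a downloaded blocklist with lines that must be rejected.
SAMPLE_EXISTING = """# default hosts file
127.0.0.1 localhost
1.2.3.4 update.example-av.test   # planted redirect of a vendor site
"""
SAMPLE_BLOCKLIST = """# blocklist
0.0.0.0 ads.example.test
0.0.0.0 tracker.example.test metrics.example.test
0.0.0.0 localhost
10.0.0.5 evil.example.test
0.0.0.0 bad_host!.test
not-an-ip foo.example.test
"""
```

Run audit_hosts on the current file before merging: anything it reports is a redirect to investigate and remove, not something to merge around. install_hosts is the only function that touches disk (and needs admin rights on the real path); the rest work on text, so the merge can be dry-run on a copy with merged, added = merge_hosts(open(hosts_path("XP")).read(), blocklist_text) and then written back with install_hosts.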
     
  12. Xtal

    Xtal Thread Starter

    Joined:
    Jan 26, 2006
    Messages:
    21
    Yep, everything seems to be working!
    Thanks a lot for all your help, you're a legend!!
     
  13. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    you're welcome! :)
     
Short URL to this thread: https://techguy.org/437377
