1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Solved: Help! Spy Axe is ruining my life!

Discussion in 'Virus & Other Malware Removal' started by Fortify24, Dec 8, 2005.

Thread Status:
Not open for further replies.
Advertisement
  1. Fortify24

    Fortify24 Thread Starter

    Joined:
    Dec 8, 2005
    Messages:
    9
    Here are the log files I received from running hijack this. I think I have spy axe and possibly have other problems. If someone could please help me solve the problems on my computer, that would be awesome!


    Logfile of HijackThis v1.99.1
    Scan saved at 8:36:28 PM, on 12/8/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\FSI\F-Prot\fpavupdm.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\nvctrl.exe
    C:\WINDOWS\system32\mssearchnet.exe
    C:\Program Files\FSI\F-Prot\F-Sched.exe
    C:\Program Files\FSI\F-Prot\F-StopW.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ddtrhqqk.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\srshost.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\DOCUME~1\INSTAL~1\LOCALS~1\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dellnet.msn.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.trustyhound.com/sidebar-search.php
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
    O2 - BHO: HomepageBHO - {724510c3-f3c8-4fb7-879a-d99f29008a2f} - C:\WINDOWS\system32\hpD78.tmp
    O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll (file missing)
    O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll (file missing)
    O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
    O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [Microsoft Windows System] ddtrhqqk.exe
    O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\RunServices: [Microsoft Windows System] ddtrhqqk.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [srshost.exe] C:\WINDOWS\system32\srshost.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {83D5556F-4224-4fc7-A578-4D09AAD5DED4} - C:\Documents and Settings\Stephen Case\Local Settings\Temporary Internet Files\Content.IE5\XOKVHT0P\access[1].exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - C:\WINDOWS\System32\crtv2_32.dll (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540012} (CInstall Class) - http://www.funnytaf.com/fun/installer/Install.cab
    O18 - Protocol hijack: mhtml -
    O20 - AppInit_DLLs: C:\WINDOWS\System32\dellscrrc934q.dll
    O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
    O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
    O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
     
  2. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Welcome to TSG :)

    Download the SpyAxeFix here:

    http://noahdfear.geekstogo.com/SpyAxeFix.exe

    Save it to your desktop. Close all other programs and windows. Double click SpyAxeFix.exe, then click Start to extract the tool to it's own folder. Open the SpyAxeFix folder and double click the SpyAxeFix.bat to start the tool. At one point when the tool runs, your taskbar will disappear, and your computer will restart when the tool completes. A text file will be created in the SpyAxeFix folder. Post it's contents and a new Hijack This log in your thread here.
     
  3. Fortify24

    Fortify24 Thread Starter

    Joined:
    Dec 8, 2005
    Messages:
    9
    Thanks for helping Cheeseball! I ran the program you told me to run, but my something is still changing my start page when I open Internet Explorer and I keep getting a warning saying that C:\WINDOWS\System32\dellscrrc934q.dll is a security risk. Here is another post from hijack this and the text file I got after running the program you told to run.

    Logfile of HijackThis v1.99.1
    Scan saved at 5:39:25 PM, on 12/10/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\system32\nvctrl.exe
    C:\WINDOWS\system32\mssearchnet.exe
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\Program Files\FSI\F-Prot\F-Sched.exe
    C:\Program Files\FSI\F-Prot\F-StopW.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ddtrhqqk.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\srshost.exe
    C:\Program Files\FSI\F-Prot\fpavupdm.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\DOCUME~1\INSTAL~1\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.trustyhound.com/sidebar-search.php
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
    O2 - BHO: HomepageBHO - {724510c3-f3c8-4fb7-879a-d99f29008a2f} - C:\WINDOWS\system32\hpBCB8.tmp
    O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll (file missing)
    O3 - Toolbar: (no name) - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - (no file)
    O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
    O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [Microsoft Windows System] ddtrhqqk.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\RunServices: [Microsoft Windows System] ddtrhqqk.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [srshost.exe] C:\WINDOWS\system32\srshost.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {83D5556F-4224-4fc7-A578-4D09AAD5DED4} - C:\Documents and Settings\Stephen Case\Local Settings\Temporary Internet Files\Content.IE5\XOKVHT0P\access[1].exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - C:\WINDOWS\System32\crtv2_32.dll (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540012} (CInstall Class) - http://www.funnytaf.com/fun/installer/Install.cab
    O18 - Protocol hijack: mhtml -
    O20 - AppInit_DLLs: C:\WINDOWS\System32\dellscrrc934q.dll
    O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
    O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
    O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



    SpyAxeFix © by noahdfear


    Microsoft Windows XP [Version 5.1.2600]
    The current date is: Sat 12/10/2005
    The current time is: 17:32:07.82




    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 [email protected]
    Killing PID 552 'explorer.exe'
    Killing PID 552 'explorer.exe'
    Killing PID 552 'explorer.exe'


    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 [email protected]
    Error, Cannot find a process with an image name of rundll32.exe

    1024 directory present

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
     
  4. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    * Click here to download smitRem.exe.
    • Save the file to your desktop.
    • It is a self extracting file.
    • Doubleclick the smitRem.exe and it will extract the files to a smitRem folder on your desktop.
    • Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.


    * Download the trial version of Ewido Security Suite here.
    • Install ewido.
    • During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    • Launch ewido
    • It will prompt you to update click the OK button and it will go to the main screen
    • On the left side of the main screen click update
    • Click on Start and let it update.
    • DO NOT run a scan yet. You will do that later in safe mode.


    * Click here for info on how to boot to safe mode if you don't already know how.


    * Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.


    * Restart your computer into safe mode now. Perform the following steps in safe mode:


    * Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
    Wait for the tool to complete and disk cleanup to finish.


    * Run Ewido:
    • Click on scanner
    • Click Complete System Scan and the scan will begin.
    • During the scan it will prompt you to clean files, click OK
    • When the scan is finished, look at the bottom of the screen and click the Save report button.
    • Save the report to your desktop


    * Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


    * Next go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button. Click OK then Apply and OK.


    * Restart back into Windows normally now.


    * Run ActiveScan online virus scan here

    When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
    - Save the results from the scan!

    Post a new HiJack This log along with the results from ActiveScan and the Ewido scan.
     
  5. Fortify24

    Fortify24 Thread Starter

    Joined:
    Dec 8, 2005
    Messages:
    9
    Thanks again for helping me! I did everything you told me to do and am going to post everything you wanted. When I ran the ActiveScan, it didn't give me the option to delete the files because I think it was a free trial that merely told me what was wrong with my computer. I was able to delete the things it had listed except for three items: C:\keys.ini C:\WINDOWS\pcconfig.dat
    C:\Program Files\InstallShield Installation Information/{9FD12630-1991...
    Anyway, here are the reports you wanted:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:09:40 PM, on 12/11/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\FSI\F-Prot\fpavupdm.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\FSI\F-Prot\F-Sched.exe
    C:\Program Files\FSI\F-Prot\F-StopW.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\DOCUME~1\INSTAL~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
    O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll (file missing)
    O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
    O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {83D5556F-4224-4fc7-A578-4D09AAD5DED4} - C:\Documents and Settings\Stephen Case\Local Settings\Temporary Internet Files\Content.IE5\XOKVHT0P\access[1].exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - C:\WINDOWS\System32\crtv2_32.dll (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540012} (CInstall Class) - http://www.funnytaf.com/fun/installer/Install.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O18 - Protocol hijack: mhtml -
    O20 - AppInit_DLLs: C:\WINDOWS\System32\dellscrrc934q.dll
    O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
    O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



    ---------------------------------------------------------
    ewido security suite - Scan report
    ---------------------------------------------------------

    + Created on: 8:37:53 PM, 12/11/2005
    + Report-Checksum: 6DA6AEE5

    + Scan result:

    HKLM\SOFTWARE\180solutions -> Spyware.180Solutions : Cleaned with backup
    HKLM\SOFTWARE\AutoLoader -> Spyware.AproposMedia : Cleaned with backup
    HKLM\SOFTWARE\AutoLoader\o03d1McUIIPd -> Spyware.AproposMedia : Cleaned with backup
    HKLM\SOFTWARE\AutoLoader\o03r1McUIIPd -> Spyware.AproposMedia : Cleaned with backup
    HKLM\SOFTWARE\Classes\AppID\AtlBrowser.EXE -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\AppID\{0818D423-6247-11D1-ABEE-00D049C10000} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{0B519E07-7824-4adc-8890-93D5EABBF285} -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{50B4D2B3-723F-41B3-AEC4-0BD66F0F45FF} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{A166C1B0-5CDB-447A-894A-4B9FD7149D51} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{E004800A-73C6-4587-B855-98D0CE0C16B1} -> Spyware.BrowserAid : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{18E6C36A-C45F-4B60-A1A4-5C0BB16D4CC2} -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{241667A3-EC83-4885-84DD-C2DAAFC1C5EA} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{25630B50-53C6-4E66-A945-9D7B6B2171FF} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{370F6327-41C4-4FA6-A2DF-1BA57EE0FBB9} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{370F6353-41C4-4FA6-A2DF-1BA57EE0FBB9} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{3A951AF0-53F8-4803-A565-0E1DEE4B11F5} -> Spyware.SEP : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{788C6F6E-C2EA-4A63-9C38-CE7D8F43BCE4} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{78BCF936-45B0-40A7-9391-DCC03420DB35} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{955CBF48-4313-4B1F-872B-254B7822CCF2} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{9CFA26C2-81DA-4C9D-A501-F144A4A000FA} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{AA4939C3-DECA-4A48-A454-97CD587C0EF5} -> Spyware.ISTBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{AF286CEA-635D-40C5-A891-B40A0F520539} -> Spyware.SEP : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{B548B7D8-3D03-4AED-A6A1-4251FAD00C10} -> Spyware.AproposMedia : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{E318D698-27B3-44D5-8998-C35EAFB9C034} -> Spyware.MidAddle : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{EEE4A2E5-9F56-432F-A6ED-F6F625B551E0} -> Dialer.Generic : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{EFA52460-8822-4191-BA38-FACDD2007910} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\redalert.here -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\redalert.here\CLSID -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\redalert.here.1 -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\Sep.Band -> Spyware.SEP : Cleaned with backup
    HKLM\SOFTWARE\Classes\Sep.Band\CLSID -> Spyware.SEP : Cleaned with backup
    HKLM\SOFTWARE\Classes\Sep.Band\CurVer -> Spyware.SEP : Cleaned with backup
    HKLM\SOFTWARE\Classes\Sep.Band.1 -> Spyware.SEP : Cleaned with backup
    HKLM\SOFTWARE\Classes\Sep.Search -> Spyware.SEP : Cleaned with backup
    HKLM\SOFTWARE\Classes\Sep.Search\CLSID -> Spyware.SEP : Cleaned with backup
    HKLM\SOFTWARE\Classes\Sep.Search\CurVer -> Spyware.SEP : Cleaned with backup
    HKLM\SOFTWARE\Classes\Sep.Search.1 -> Spyware.SEP : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{00A322E2-7D50-4DBA-BEA4-5C8078D47269} -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{12EE7A5E-0674-42F9-A76C-000000004D00} -> Spyware.BrowserAid : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{370F6327-41C4-4FA6-A2DF-1BA57EE0FBB9} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{4E627A1E-BC4B-4FAF-8DE8-1D9A54D37DA3} -> Spyware.SEP : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{9CFA26C0-81DA-4C9D-A501-F144A4A000FA} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{9CFA26C1-81DA-4C9D-A501-F144A4A000FA} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{BAF13496-8F72-47A1-9CEE-09238EFC75F0} -> Spyware.eZula : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{ECB25A48-E6E0-49AF-99AF-07C763E31389} -> Spyware.MidAddle : Cleaned with backup
    HKLM\SOFTWARE\Classes\WinAffiliateBHO.WinAffiliateIEExtensi.1 -> Spyware.MidAddle : Cleaned with backup
    HKLM\SOFTWARE\Classes\WinAffiliateBHO.WinAffiliateIEExtension -> Spyware.MidAddle : Cleaned with backup
    HKLM\SOFTWARE\Classes\WinAffiliateBHO.WinAffiliateIEExtension\CLSID -> Spyware.MidAddle : Cleaned with backup
    HKLM\SOFTWARE\Classes\WinAffiliateBHO.WinAffiliateIEExtension\CurVer -> Spyware.MidAddle : Cleaned with backup
    HKLM\SOFTWARE\Desktop\LicenseStores -> Spyware.MidAddle : Cleaned with backup
    HKLM\SOFTWARE\Dsi -> Spyware.Delfin : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{120E090D-9136-4b78-8258-F0B44B4BD2AC} -> Spyware.Maxspeed : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\STO -> Spyware.WebSearch : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SEP -> Spyware.SEP : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools -> Spyware.WebSearch : Error during cleaning
    HKLM\SOFTWARE\WildMedia -> Spyware.MidAddle : Cleaned with backup
    HKLM\SOFTWARE\WildMedia\LicenseStores -> Spyware.MidAddle : Cleaned with backup
    C:\Documents and Settings\Install programs\Cookies\install [email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Install programs\Cookies\install [email protected][1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
    C:\Documents and Settings\Install programs\Cookies\install [email protected][1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
    C:\WINDOWS\crt32_v2.dll -> Downloader.Small.hr : Cleaned with backup
    C:\WINDOWS\something.dll -> Spyware.Hijacker.Generic : Cleaned with backup
    C:\WINDOWS\SYSTEM32\ATKCTRS9.exe -> Spyware.IEDriver : Cleaned with backup
    C:\WINDOWS\SYSTEM32\c3ch1jyx.exe -> Downloader.3746.A : Cleaned with backup
    C:\WINDOWS\SYSTEM32\ddtrhqqk.exe -> Backdoor.Rbot : Cleaned with backup
    C:\WINDOWS\SYSTEM32\dellscrrc934q.dll -> Trojan.Zapchast : Cleaned with backup
    C:\WINDOWS\SYSTEM32\iehost34.exe -> Spyware.AdSrve : Cleaned with backup
    C:\WINDOWS\SYSTEM32\srshost.exe -> Proxy.Agent.hy : Cleaned with backup
    C:\WINDOWS\SYSTEM32\terabyte.exe -> Spyware.AdSrve : Cleaned with backup
    C:\WINDOWS\SYSTEM32\unwise56.exe -> Spyware.AdSrve : Cleaned with backup
    C:\WINDOWS\SYSTEM32\winl0gon.exe -> Dropper.Small.na : Cleaned with backup
    C:\WINDOWS\SYSTEM32\ѕνchost.exe -> Spyware.PurityScan : Cleaned with backup
    C:\WINDOWS\SYSTEM32\сhkdsk.exe -> Spyware.PurityScan : Cleaned with backup


    Incident Status Location

    Adware:Adware/Lop Not disinfected C:\!Submit\rhyjqcfe.exe
    Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Application Data\Burn Defy Creative The\Heck Book.exe
    Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Application Data\Burn Defy Creative The\Platform start.exe
    Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Application Data\Burn Defy Creative The\plus once.exe
    Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Application Data\Burn Defy Creative The\Ref Lies.exe
    Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Application Data\Burn Defy Creative The\thirddraw.exe
    Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Application Data\Burn Defy Creative The\TransMpeg.exe
    Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Application Data\Burn Defy Creative The\Waywma.exe
    Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Application Data\Burn Defy Creative The\wipebin.exe
    Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Application Data\Rule debug extra mix\gpl math.exe
    Adware:adware/delfinmedia Not disinfected C:\keys.ini
    Virus:Eicar.Mod Not disinfected C:\Program Files\FSI\F-Prot\fpav-help.chm[prob-scan-ok.html]
    Virus:Eicar.Mod Not disinfected C:\Program Files\InstallShield Installation Information\{9FD12630-1991-46F5-8479-92DE1EAE87DA}\data1.cab[prob-scan-ok.html]
    Adware:adware/topspyware Not disinfected C:\Program Files\Windows Media Player\wmplayer.exe.tmp
    Spyware:Spyware/Heterofind Not disinfected C:\spe\start.chm
    Adware:Adware/WinTools Not disinfected C:\WINDOWS\Key2.txt
    Adware:adware/ncase Not disinfected C:\WINDOWS\msbbau.dat
    Dialer:dialer.bny Not disinfected C:\WINDOWS\pcconfig.dat
    Adware:adware/sidesearch Not disinfected C:\WINDOWS\sepsd.bin
    Adware:Adware/InstDollars Not disinfected C:\WINDOWS\SYSTEM32\first.awp
    Spyware:Spyware/Heterofind Not disinfected C:\WINDOWS\SYSTEM32\HPCMDTY.DLL
    Adware:Adware/InstDollars Not disinfected C:\WINDOWS\SYSTEM32\OLE2DISP511a.exe
    Adware:Adware/InstDollars Not disinfected C:\WINDOWS\SYSTEM32\second.awp
    Adware:adware/powersearch Not disinfected C:\WINDOWS\SYSTEM32\stlb2.xml
    Virus:Bck/Zins.C Not disinfected C:\WINDOWS\SYSTEM32\winni.exe
    Adware:Adware/SearchBar Not disinfected C:\WINDOWS\SYSTEM32\WWWTBar.dll
     
  6. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Download KillBox here: http://www.downloads.subratam.org/KillBox.zip
    Save it to your desktop.
    DO NOT run it yet. We will use it later.

    Hijack This is running from the Temp folder.
    It needs to be in a permanent folder on the hard drive.
    It will not function properly from there and it cannot create and restore backups from there.

    Redownload it here: http://thespykiller.co.uk/files/hijackthis_sfx.exe

    Let it extract to C:\Program Files
    Rerun it from there and post a new log please.
     
  7. Fortify24

    Fortify24 Thread Starter

    Joined:
    Dec 8, 2005
    Messages:
    9
    I downloaded both of the programs...i wasn't supposed to run Killbox, right? Here is the new hijackthis log


    Logfile of HijackThis v1.99.1
    Scan saved at 2:55:07 PM, on 12/12/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\FSI\F-Prot\fpavupdm.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\FSI\F-Prot\F-Sched.exe
    C:\Program Files\FSI\F-Prot\F-StopW.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
    O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll (file missing)
    O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
    O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {83D5556F-4224-4fc7-A578-4D09AAD5DED4} - C:\Documents and Settings\Stephen Case\Local Settings\Temporary Internet Files\Content.IE5\XOKVHT0P\access[1].exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - C:\WINDOWS\System32\crtv2_32.dll (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540012} (CInstall Class) - http://www.funnytaf.com/fun/installer/Install.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O18 - Protocol hijack: mhtml -
    O20 - AppInit_DLLs: C:\WINDOWS\System32\dellscrrc934q.dll
    O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
    O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
     
  8. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Rescan with Hijack This.
    Close all browser windows except Hijack This.
    Put a check mark beside these entries and click "Fix Checked".

    O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)

    O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - C:\WINDOWS\System32\crtv2_32.dll (file missing)

    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540012} (CInstall Class) - http://www.funnytaf.com/fun/installer/Install.cab

    O18 - Protocol hijack: mhtml -

    O20 - AppInit_DLLs: C:\WINDOWS\System32\dellscrrc934q.dll


    Boot into Safe Mode.

    Double-click on Killbox.exe to run it.
    Now put a tick by Standard File Kill.
    In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file.
    It will ask for confimation to delete the file.
    Click Yes.
    Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    C:\WINDOWS\System32\dellscrrc934q.dll
    C:\Documents and Settings\All Users\Application Data\Burn Defy Creative The\Heck Book.exe
    C:\Documents and Settings\All Users\Application Data\Burn Defy Creative The\Platform start.exe
    C:\Documents and Settings\All Users\Application Data\Burn Defy Creative The\plus once.exe
    C:\Documents and Settings\All Users\Application Data\Burn Defy Creative The\Ref Lies.exe
    C:\Documents and Settings\All Users\Application Data\Burn Defy Creative The\thirddraw.exe
    C:\Documents and Settings\All Users\Application Data\Burn Defy Creative The\TransMpeg.exe
    C:\Documents and Settings\All Users\Application Data\Burn Defy Creative The\Waywma.exe
    C:\Documents and Settings\All Users\Application Data\Burn Defy Creative The\wipebin.exe
    C:\Documents and Settings\All Users\Application Data\Rule debug extra mix\gpl math.exe
    C:\keys.ini
    C:\Program Files\Windows Media Player\wmplayer.exe.tmp
    C:\spe\start.chm
    C:\WINDOWS\Key2.txt
    C:\WINDOWS\msbbau.dat
    C:\WINDOWS\pcconfig.dat
    C:\WINDOWS\sepsd.bin
    C:\WINDOWS\SYSTEM32\first.awp
    C:\WINDOWS\SYSTEM32\HPCMDTY.DLL
    C:\WINDOWS\SYSTEM32\OLE2DISP511a.exe
    C:\WINDOWS\SYSTEM32\second.awp
    C:\WINDOWS\SYSTEM32\stlb2.xml
    C:\WINDOWS\SYSTEM32\winni.exe
    C:\WINDOWS\SYSTEM32\WWWTBar.dll


    Note: It is possible that Killbox will tell you that one or more files do not exist.
    If that happens, just continue on with all the files. Be sure you don't miss any.

    Exit the KillBox.

    Find and delete these folders:

    C:\Documents and Settings\All Users\Application Data\Burn Defy Creative The

    C:\Documents and Settings\All Users\Application Data\Rule debug extra mix


    Also in Safe Mode navigate to the C:\Windows\Temp folder.
    Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Go to Start > Run and type %temp% in the Run box.
    The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    It's normal if some files don't delete!

    Finally go to Control Panel > Internet Options.
    On the General tab under "Temporary Internet Files" Click "Delete Files".
    Put a check by "Delete Offline Content" and click OK.
    Click on the Programs tab then click the "Reset Web Settings" button.
    Click Apply then OK.

    Empty the Recycle Bin.

    Reboot, post a new log.
     
  9. Fortify24

    Fortify24 Thread Starter

    Joined:
    Dec 8, 2005
    Messages:
    9
    I did everything you wanted...when I ran killbox, it only deleted two programs (C:\keys.ini and C:\WINDOWS\pcconfig.dat) and said that the rest of files did not exist. Also, I was not able to find the folders:
    C:\Documents and Settings\All Users\Application Data\Burn Defy Creative The

    C:\Documents and Settings\All Users\Application Data\Rule debug extra mix

    Here is my new hijackthis log...thanks so much for your help!


    Logfile of HijackThis v1.99.1
    Scan saved at 10:11:18 PM, on 12/12/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\FSI\F-Prot\F-Sched.exe
    C:\Program Files\FSI\F-Prot\F-StopW.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\FSI\F-Prot\fpavupdm.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll (file missing)
    O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
    O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {83D5556F-4224-4fc7-A578-4D09AAD5DED4} - C:\Documents and Settings\Stephen Case\Local Settings\Temporary Internet Files\Content.IE5\XOKVHT0P\access[1].exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
    O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
     
  10. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    How are things running now?
     
  11. Fortify24

    Fortify24 Thread Starter

    Joined:
    Dec 8, 2005
    Messages:
    9
    Acutally, everything seems to be running perfectly. No more pop-ups or anything! Thank you so much for your help, your advice has been great!
     
  12. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    You're very welcome :)

    Now turn off System Restore:

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    Restart your computer, turn System Restore back on and create a restore point.

    To create a restore point:

    Single-click Start and point to All Programs.
    Mouse over Accessories, then System Tools, and select System Restore.
    In the System Restore wizard, select the box next the text labeled "Create a restore point" and click the Next button.
    Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

    You can mark your thread "Solved" from the Thread Tools drop down menu.
     
  13. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Since this problem has been solved, I'm closing this thread. If you need it reopened please PM me or one of the other mods.

    Anyone else with a similar problem please start a "New Thread".
     
  14. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/423674

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice